backtop


Print 29 comment(s) - last by erple2.. on Feb 15 at 1:29 PM


Lose your iPhone? If the person who took it happens to know a little programming, you've probably now lost all your passwords, thanks, in part, to Apple's poor OS design.  (Source: technabob)

"I prefer to be called a hacker!"
The state of iPhone (in)security is yet again apparent

Apple's iPhone has been the brunt of much ridicule from security professionals/hackers.  It was shown to be far easier to hack than its Android and RIM competitors.  

Now, researchers Jens Heider [profile] and Matthias Boll at Germany's Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) have shown how the iPhone will literally give away its password via a process that takes less than six minutes and requires no password cracking.

To snatch the password, you first need to perform a fast jailbreak.  Then you need to install an SSH server (not usually allowed by Apple).  From there the only remaining step is to run a short keychain access script that uses Apple's own system functions to output all of the user's screen-names and passwords.

Among the items lost may include passwords to Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, Wi-Fi passwords, and some app passwords

The researchers write:

As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.

...

Owner's of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Fraunhofer has opted for full-disclosure, publishing a paper [PDF] explaining how to execute the attack.  It has also posted a tutorial video on how it did the attack.

Again this attack requires about four things -- possession of your target's iPhone, moderate coding/computer expertise, the ability to download existing exploit tools (the jailbreak utility and SSH server app), and about 6 minutes of free time.

Now, Fraunhofer might have a tad bit of self-interest in publishing these details in all its glory.  It sells a Java app to securely store passwords, which offers competition to the built in functionality of the iPhone.

We could not reach Apple for comment on this story as of press time.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Rofl Falafels
By quiksilvr on 2/10/2011 10:04:31 AM , Rating: 1
That's a pretty random image to put in the article.




RE: Rofl Falafels
By Brandon Hill (blog) on 2/10/2011 10:06:31 AM , Rating: 3
Have you never seen Jurassic Park? ;)


RE: Rofl Falafels
By Souka on 2/10/2011 11:25:22 AM , Rating: 1
If you take out the JP reference, the expression of the girl in the middle makes me wonder what's going on...


RE: Rofl Falafels
By HomerTNachoCheese on 2/10/2011 4:35:02 PM , Rating: 4
I think she was watching 2 girls 1 cup, and Spielberg was recording it for her.


RE: Rofl Falafels
By 2uantuM on 2/11/11, Rating: 0
RE: Rofl Falafels
By DJ Brandon on 2/10/2011 11:29:32 AM , Rating: 2
ya... still random and doesn't really fit.


RE: Rofl Falafels
By davmat787 on 2/10/2011 12:12:41 PM , Rating: 2
You don't think showing a little girl "hacker" pic in an article about how easy and quick it is to hack an iPhone? That is how I saw it at least...


RE: Rofl Falafels
By quiksilvr on 2/10/2011 1:17:51 PM , Rating: 3
But she wasn't hacking. She was just trying to find the locks. Now if it was a picture of Newman on the screen going "Ah ah ah! You forgot the magic word!" that would have been more fitting (and hilarious)


RE: Rofl Falafels
By ElderTech on 2/10/2011 1:31:47 PM , Rating: 4
The impact this issue will probably have on the general consumer is likely rather insignificant. The probability of a single lost or stolen iPhone falling into the hands of a thief with 1] the requisite computer hacking skills, and 2] the knowledge of the process and the required tools (i.e. Apple server access) to perform the hack, has to be very low.

In addition, from reading the original Fraunhofer PDF, the ability to access specific applications within the keychain is limited for the general public, with many, including most general emails like AOL, Gmail and Yahoo, as well as many "apps", still being protected. It really all depends on the extent to which you utilize the mail server for access to applications like MS Exchange, and therefore the impact on business use is much more an issue.

If there were an option to simply turn off the automatic saving of access information, particularly passwords, and require manual entry of them each time it was necessary to access the application, all this would be moot. But convenience is KING, and with today's technology, what the public wants is what the public gets, whether they really want it or not, as they are usually ignorant of the potential risks and downsides to each new innovation.

In any event, the public vetting of this information will hopefully foster an Apple initiative to properly protect such personal information in the next iOS release, presumably iOS 4.3.x.


RE: Rofl Falafels
By JakLee on 2/10/2011 1:45:14 PM , Rating: 2
quote:
<snip>If there were an option to simply turn off the automatic saving of access information, particularly passwords, and require manual entry of them each time it was necessary to access the application, all this would be moot.</snip>


I would have +1'd you for the correct usage of MOOT (instead of the oft used incorrect MUTE) save I had already used all my +'s - so instead you get a nice comment!


RE: Rofl Falafels
By transamdude95 on 2/10/2011 3:29:20 PM , Rating: 2
quote:
I would have +1'd you for the correct usage of MOOT (instead of the oft used incorrect MUTE) save I had already used all my +'s - so instead you get a nice comment!


...which in turn removed all of your likely tasteful and appropriate +'s. I, too, like seeing the correct spelling of 'moot', almost as much as I like seeing the correct usage of 'to' and 'too'.


RE: Rofl Falafels
By erple2 on 2/15/2011 1:29:03 PM , Rating: 2
Hrm. In that case, both words work, albeit loosely in the mute sense.


RE: Rofl Falafels
By Samus on 2/10/2011 2:45:55 PM , Rating: 1
ElderTech,

You have us all wrong. If I found an iPhone, I'd feel personally responsible to jailbreak it and collect all of the douchbags passwords and continue to completely fuck with them. Why? Because the asshole bought an iPhone.


RE: Rofl Falafels
By Topweasel on 2/10/2011 12:53:54 PM , Rating: 3
So your saying the scene where a 12-14 year old girl hacks a Unix operating system with a Proprietary gui, is completely random about someone hacking into a an Iphone to download email.

Would you rather they hold onto this article so that someone can make a movie that one of the characters picks up someone else's Iphone and hacks it to steal the passwords. Because that is about the only way to get less random if you ask me.


RE: Rofl Falafels
By xthetenth on 2/13/2011 8:15:25 PM , Rating: 2
Especially considering that this approach seems about as trivial as what you'd expect to see in a movie. Seriously? Hacking is generally actually work.


Jailbreak for latest firmware required?
By karstmobile on 2/10/2011 10:15:57 AM , Rating: 1
So this would require that you are able to jailbreak the current firmware on the device. No jailbreak for the latest firmware, no worries?




By Brandon Hill (blog) on 2/10/2011 10:17:21 AM , Rating: 2
Well, there is currently an untethered jailbreak for the latest AT&T iPhone firmware (4.2.1) and one for the Verizon iPhone 4 (4.2.6).

The iPhone Dev Team (I believe) also has a jailbreak waiting in the wings for 4.3 when it's released.


RE: Jailbreak for latest firmware required?
By karstmobile on 2/10/2011 10:33:38 AM , Rating: 2
I'm looking forward to the 4.3 jailbreak. Not sure I'll bother with the latest untethered since 4.3 is right around the corner.

Still... there is a little more to think about besides 6 minutes of ease. Hopefully some security improvements from Apple will come from the publication.


RE: Jailbreak for latest firmware required?
By chick0n on 2/10/2011 10:57:15 AM , Rating: 4
Apple will tell you that you lost your phone wrong.

Also Apple will just remain silent, what security issue are you talking about? our products are magical & revolutionary & it changes everything, again ! no issue !


By DJ Brandon on 2/10/2011 11:30:15 AM , Rating: 2
lol well said.


Other Phones
By AlphaVirus on 2/10/2011 10:51:46 AM , Rating: 3
It would be nice to have an independent study like this for all popular smartphones (EVO, N900, Focus, etc) to see if they also fall to the same security issues. As it stands the iPhone is very popular and Apple is known for security issues, amongst the tech world, so I think they are being targeted.

My company currently uses iPhones regardless of the security issues plagued by the device, but this is something I plan to bring up in the next IT meeting. I've seen previous attempts to bypass the login lock but normally they wipe the entire device, but with this you gain access to all available passwords which can be quite dangerous.

The suggestion to change all your passwords if you lose your phone is ludicrous because most people forget what they had on the device. Luckily the older people never download any applications so its only email and WiFi.




RE: Other Phones
By theapparition on 2/10/2011 12:45:44 PM , Rating: 2
quote:
As it stands the iPhone is very popular and Apple is known for security issues, amongst the tech world, so I think they are being targeted.

And do you think that Burger King didn't have the same unhealthy menu and "supersize" options that McDonalds did? Of course so, but the Supersize Me movie only targeted McDonalds. Sometimes there's a drawback to being number 1.

iPhone is probably the most widely used single smartphone. With only a few models that all use the same OS and security model. So why not target for the biggest user base? That's long been Windows issue, as 90+% of computers use an MS OS. Now it's Apples turn to deal with the issues.

While some complain about Android fragmentation, it is issues like this that remind everyone why fragmentation is not such a bad thing.


RE: Other Phones
By bah12 on 2/10/2011 12:52:26 PM , Rating: 3
The really scary part is that not only do they have your email password for exchange, but in most exchange deployments that is the same user and pass to the domain. They could now access anything allowed to that domain user.


I wonder if this will shut up the Mactards
By Lerianis on 2/12/2011 7:28:41 AM , Rating: 2
I wonder if this will shut up the people who I derogatively refer to as Mactards, who keep on saying "Our systems are SOOOOOO secure, they cannot be pwn'd like Windoze!"

The fact is that ANY OS has problems and security researchers have been pointing out for years that OSX and Linux might not be as secure as people think they are.




By macthemechanic on 2/12/2011 10:15:13 AM , Rating: 2
A one hit show does not spell out a series.


nuh huh
By thejerk on 2/10/2011 1:13:43 PM , Rating: 2
Conspiracy Theory:

Law Enforcement "Backdoor"




metal back iPhone4?
By Belard on 2/10/2011 4:06:47 PM , Rating: 2
I thought iPhone4 had a glass back, to match its breakable glass front.

I looks very nice... is it a euro or updated version?




Meh...
By chagrinnin on 2/10/2011 5:48:16 PM , Rating: 2
...I've hacked about 6 iPhones and all I got was access to about 30 fart apps. :P




Silly people
By macthemechanic on 2/12/2011 10:02:40 AM , Rating: 2
Just put a a policy on it that wipes it if a SSHd is found.




"There is a single light of science, and to brighten it anywhere is to brighten it everywhere." -- Isaac Asimov














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki