Print 29 comment(s) - last by erple2.. on Feb 15 at 1:29 PM

Lose your iPhone? If the person who took it happens to know a little programming, you've probably now lost all your passwords, thanks, in part, to Apple's poor OS design.  (Source: technabob)

"I prefer to be called a hacker!"
The state of iPhone (in)security is yet again apparent

Apple's iPhone has been the brunt of much ridicule from security professionals/hackers.  It was shown to be far easier to hack than its Android and RIM competitors.  

Now, researchers Jens Heider [profile] and Matthias Boll at Germany's Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) have shown how the iPhone will literally give away its password via a process that takes less than six minutes and requires no password cracking.

To snatch the password, you first need to perform a fast jailbreak.  Then you need to install an SSH server (not usually allowed by Apple).  From there the only remaining step is to run a short keychain access script that uses Apple's own system functions to output all of the user's screen-names and passwords.

Among the items lost may include passwords to Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, Wi-Fi passwords, and some app passwords

The researchers write:

As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.


Owner's of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Fraunhofer has opted for full-disclosure, publishing a paper [PDF] explaining how to execute the attack.  It has also posted a tutorial video on how it did the attack.

Again this attack requires about four things -- possession of your target's iPhone, moderate coding/computer expertise, the ability to download existing exploit tools (the jailbreak utility and SSH server app), and about 6 minutes of free time.

Now, Fraunhofer might have a tad bit of self-interest in publishing these details in all its glory.  It sells a Java app to securely store passwords, which offers competition to the built in functionality of the iPhone.

We could not reach Apple for comment on this story as of press time.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Rofl Falafels
By Brandon Hill on 2/10/2011 10:06:31 AM , Rating: 3
Have you never seen Jurassic Park? ;)

RE: Rofl Falafels
By Souka on 2/10/2011 11:25:22 AM , Rating: 1
If you take out the JP reference, the expression of the girl in the middle makes me wonder what's going on...

RE: Rofl Falafels
By HomerTNachoCheese on 2/10/2011 4:35:02 PM , Rating: 4
I think she was watching 2 girls 1 cup, and Spielberg was recording it for her.

RE: Rofl Falafels
By 2uantuM on 2/11/11, Rating: 0
RE: Rofl Falafels
By DJ Brandon on 2/10/2011 11:29:32 AM , Rating: 2
ya... still random and doesn't really fit.

RE: Rofl Falafels
By davmat787 on 2/10/2011 12:12:41 PM , Rating: 2
You don't think showing a little girl "hacker" pic in an article about how easy and quick it is to hack an iPhone? That is how I saw it at least...

RE: Rofl Falafels
By quiksilvr on 2/10/2011 1:17:51 PM , Rating: 3
But she wasn't hacking. She was just trying to find the locks. Now if it was a picture of Newman on the screen going "Ah ah ah! You forgot the magic word!" that would have been more fitting (and hilarious)

RE: Rofl Falafels
By ElderTech on 2/10/2011 1:31:47 PM , Rating: 4
The impact this issue will probably have on the general consumer is likely rather insignificant. The probability of a single lost or stolen iPhone falling into the hands of a thief with 1] the requisite computer hacking skills, and 2] the knowledge of the process and the required tools (i.e. Apple server access) to perform the hack, has to be very low.

In addition, from reading the original Fraunhofer PDF, the ability to access specific applications within the keychain is limited for the general public, with many, including most general emails like AOL, Gmail and Yahoo, as well as many "apps", still being protected. It really all depends on the extent to which you utilize the mail server for access to applications like MS Exchange, and therefore the impact on business use is much more an issue.

If there were an option to simply turn off the automatic saving of access information, particularly passwords, and require manual entry of them each time it was necessary to access the application, all this would be moot. But convenience is KING, and with today's technology, what the public wants is what the public gets, whether they really want it or not, as they are usually ignorant of the potential risks and downsides to each new innovation.

In any event, the public vetting of this information will hopefully foster an Apple initiative to properly protect such personal information in the next iOS release, presumably iOS 4.3.x.

RE: Rofl Falafels
By JakLee on 2/10/2011 1:45:14 PM , Rating: 2
<snip>If there were an option to simply turn off the automatic saving of access information, particularly passwords, and require manual entry of them each time it was necessary to access the application, all this would be moot.</snip>

I would have +1'd you for the correct usage of MOOT (instead of the oft used incorrect MUTE) save I had already used all my +'s - so instead you get a nice comment!

RE: Rofl Falafels
By transamdude95 on 2/10/2011 3:29:20 PM , Rating: 2
I would have +1'd you for the correct usage of MOOT (instead of the oft used incorrect MUTE) save I had already used all my +'s - so instead you get a nice comment!

...which in turn removed all of your likely tasteful and appropriate +'s. I, too, like seeing the correct spelling of 'moot', almost as much as I like seeing the correct usage of 'to' and 'too'.

RE: Rofl Falafels
By erple2 on 2/15/2011 1:29:03 PM , Rating: 2
Hrm. In that case, both words work, albeit loosely in the mute sense.

RE: Rofl Falafels
By Samus on 2/10/2011 2:45:55 PM , Rating: 1

You have us all wrong. If I found an iPhone, I'd feel personally responsible to jailbreak it and collect all of the douchbags passwords and continue to completely fuck with them. Why? Because the asshole bought an iPhone.

RE: Rofl Falafels
By Topweasel on 2/10/2011 12:53:54 PM , Rating: 3
So your saying the scene where a 12-14 year old girl hacks a Unix operating system with a Proprietary gui, is completely random about someone hacking into a an Iphone to download email.

Would you rather they hold onto this article so that someone can make a movie that one of the characters picks up someone else's Iphone and hacks it to steal the passwords. Because that is about the only way to get less random if you ask me.

RE: Rofl Falafels
By xthetenth on 2/13/2011 8:15:25 PM , Rating: 2
Especially considering that this approach seems about as trivial as what you'd expect to see in a movie. Seriously? Hacking is generally actually work.

"My sex life is pretty good" -- Steve Jobs' random musings during the 2010 D8 conference

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki