backtop


Print 29 comment(s) - last by erple2.. on Feb 15 at 1:29 PM


Lose your iPhone? If the person who took it happens to know a little programming, you've probably now lost all your passwords, thanks, in part, to Apple's poor OS design.  (Source: technabob)

"I prefer to be called a hacker!"
The state of iPhone (in)security is yet again apparent

Apple's iPhone has been the brunt of much ridicule from security professionals/hackers.  It was shown to be far easier to hack than its Android and RIM competitors.  

Now, researchers Jens Heider [profile] and Matthias Boll at Germany's Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) have shown how the iPhone will literally give away its password via a process that takes less than six minutes and requires no password cracking.

To snatch the password, you first need to perform a fast jailbreak.  Then you need to install an SSH server (not usually allowed by Apple).  From there the only remaining step is to run a short keychain access script that uses Apple's own system functions to output all of the user's screen-names and passwords.

Among the items lost may include passwords to Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, Wi-Fi passwords, and some app passwords

The researchers write:

As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.

...

Owner's of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Fraunhofer has opted for full-disclosure, publishing a paper [PDF] explaining how to execute the attack.  It has also posted a tutorial video on how it did the attack.

Again this attack requires about four things -- possession of your target's iPhone, moderate coding/computer expertise, the ability to download existing exploit tools (the jailbreak utility and SSH server app), and about 6 minutes of free time.

Now, Fraunhofer might have a tad bit of self-interest in publishing these details in all its glory.  It sells a Java app to securely store passwords, which offers competition to the built in functionality of the iPhone.

We could not reach Apple for comment on this story as of press time.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By Brandon Hill (blog) on 2/10/2011 10:17:21 AM , Rating: 2
Well, there is currently an untethered jailbreak for the latest AT&T iPhone firmware (4.2.1) and one for the Verizon iPhone 4 (4.2.6).

The iPhone Dev Team (I believe) also has a jailbreak waiting in the wings for 4.3 when it's released.


RE: Jailbreak for latest firmware required?
By karstmobile on 2/10/2011 10:33:38 AM , Rating: 2
I'm looking forward to the 4.3 jailbreak. Not sure I'll bother with the latest untethered since 4.3 is right around the corner.

Still... there is a little more to think about besides 6 minutes of ease. Hopefully some security improvements from Apple will come from the publication.


RE: Jailbreak for latest firmware required?
By chick0n on 2/10/2011 10:57:15 AM , Rating: 4
Apple will tell you that you lost your phone wrong.

Also Apple will just remain silent, what security issue are you talking about? our products are magical & revolutionary & it changes everything, again ! no issue !


By DJ Brandon on 2/10/2011 11:30:15 AM , Rating: 2
lol well said.


"This is from the DailyTech.com. It's a science website." -- Rush Limbaugh














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki