backtop


Print 29 comment(s) - last by erple2.. on Feb 15 at 1:29 PM


Lose your iPhone? If the person who took it happens to know a little programming, you've probably now lost all your passwords, thanks, in part, to Apple's poor OS design.  (Source: technabob)

"I prefer to be called a hacker!"
The state of iPhone (in)security is yet again apparent

Apple's iPhone has been the brunt of much ridicule from security professionals/hackers.  It was shown to be far easier to hack than its Android and RIM competitors.  

Now, researchers Jens Heider [profile] and Matthias Boll at Germany's Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) have shown how the iPhone will literally give away its password via a process that takes less than six minutes and requires no password cracking.

To snatch the password, you first need to perform a fast jailbreak.  Then you need to install an SSH server (not usually allowed by Apple).  From there the only remaining step is to run a short keychain access script that uses Apple's own system functions to output all of the user's screen-names and passwords.

Among the items lost may include passwords to Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, Wi-Fi passwords, and some app passwords

The researchers write:

As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.

...

Owner's of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Fraunhofer has opted for full-disclosure, publishing a paper [PDF] explaining how to execute the attack.  It has also posted a tutorial video on how it did the attack.

Again this attack requires about four things -- possession of your target's iPhone, moderate coding/computer expertise, the ability to download existing exploit tools (the jailbreak utility and SSH server app), and about 6 minutes of free time.

Now, Fraunhofer might have a tad bit of self-interest in publishing these details in all its glory.  It sells a Java app to securely store passwords, which offers competition to the built in functionality of the iPhone.

We could not reach Apple for comment on this story as of press time.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Other Phones
By AlphaVirus on 2/10/2011 10:51:46 AM , Rating: 3
It would be nice to have an independent study like this for all popular smartphones (EVO, N900, Focus, etc) to see if they also fall to the same security issues. As it stands the iPhone is very popular and Apple is known for security issues, amongst the tech world, so I think they are being targeted.

My company currently uses iPhones regardless of the security issues plagued by the device, but this is something I plan to bring up in the next IT meeting. I've seen previous attempts to bypass the login lock but normally they wipe the entire device, but with this you gain access to all available passwords which can be quite dangerous.

The suggestion to change all your passwords if you lose your phone is ludicrous because most people forget what they had on the device. Luckily the older people never download any applications so its only email and WiFi.




RE: Other Phones
By theapparition on 2/10/2011 12:45:44 PM , Rating: 2
quote:
As it stands the iPhone is very popular and Apple is known for security issues, amongst the tech world, so I think they are being targeted.

And do you think that Burger King didn't have the same unhealthy menu and "supersize" options that McDonalds did? Of course so, but the Supersize Me movie only targeted McDonalds. Sometimes there's a drawback to being number 1.

iPhone is probably the most widely used single smartphone. With only a few models that all use the same OS and security model. So why not target for the biggest user base? That's long been Windows issue, as 90+% of computers use an MS OS. Now it's Apples turn to deal with the issues.

While some complain about Android fragmentation, it is issues like this that remind everyone why fragmentation is not such a bad thing.


RE: Other Phones
By bah12 on 2/10/2011 12:52:26 PM , Rating: 3
The really scary part is that not only do they have your email password for exchange, but in most exchange deployments that is the same user and pass to the domain. They could now access anything allowed to that domain user.


"This week I got an iPhone. This weekend I got four chargers so I can keep it charged everywhere I go and a land line so I can actually make phone calls." -- Facebook CEO Mark Zuckerberg














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki