

Lose your iPhone? If the person who took it happens to know a little programming, you've probably now lost all your passwords, thanks, in part, to Apple's poor OS design.  (Source: technabob)

"I prefer to be called a hacker!"
The state of iPhone (in)security is yet again apparent

Apple's iPhone has been the butt of much ridicule from security professionals/hackers. It was shown to be far easier to hack than its Android and RIM competitors.

Now, researchers Jens Heider and Matthias Boll at Germany's Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) have shown how the iPhone will literally give away its password via a process that takes less than six minutes and requires no password cracking.

To snatch the password, you first need to perform a fast jailbreak.  Then you need to install an SSH server (not usually allowed by Apple).  From there the only remaining step is to run a short keychain access script that uses Apple's own system functions to output all of the user's screen-names and passwords.

The items lost may include passwords to Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, Wi-Fi passwords, and some app passwords.

The researchers write:

As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.

...

Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Fraunhofer has opted for full disclosure, publishing a paper [PDF] explaining how to execute the attack. It has also posted a tutorial video showing how it carried out the attack.

Again, this attack requires about four things: possession of your target's iPhone, moderate coding/computer expertise, the ability to download existing exploit tools (the jailbreak utility and SSH server app), and about 6 minutes of free time.

Now, Fraunhofer might have a tad bit of self-interest in publishing these details in all their glory. It sells a Java app to securely store passwords, which competes with the built-in functionality of the iPhone.

We could not reach Apple for comment on this story as of press time.





Copyright 2017 DailyTech LLC.