Lost iPhone? Lost Passwords?

New research claims iPhone encryption by itself does not provide protection – companies must use ‘Find My iPhone’ and erase data on lost devices, apparently.

“Passwords are not secure on iPhones that are lost. This is the result of tests carried out at Fraunhofer Institute SIT in Darmstadt. Within six minutes the institute’s staff was able to render the iPhone’s encryption void and decipher many passwords stored on it. If the iPhone is used for business purposes then the company’s network security may be at risk as well. The flawed security design affects all iPhone and iPad devices containing the latest firmware. Written documentation and a video about the attack are available below. Only companies prepared for such an attack will be able to reduce their risk.”

This seems quite scary: Any device using the iOS operating system can be attacked in such a way, irrespective of the user’s password. As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset. Once the respective service returns the new password to the user’s e-mail account, the attacker has it as well.

“In current versions of iOS, the keychain contains user accounts including pass- words such as email, groupware, VPN, WiFi, websites and often also passwords and certificates used in 3rd party apps. As these secrets are stored encrypted in the keychain, the questions is: Which key is used for the encryption and which practical barrier does it create for an attacker with access to the device.”

Read the white paper on the findings here. I’m not certain this is a flash in the pan, but do think it likely we’ll see a plethora of Apple-security bashing reports. Please bear in mind: for this exploit to work you need physical access to the device. Let’s face it, you can pretty much get the data out of any device, if you have access to it. Most of Android’s data is stored in unencrypted SQLite3 data-stores — Just plug it in via USB and use ADB shell from the SDK to do all your damage.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.