iPhone Hacked and Passwords Stolen in just 6 Minutes

Apparently iPhone passwords may not be as secure as one might believe. According to German security researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT), if you have physical access to the phone, passwords can be recovered from a locked Apple iPhone in six minutes.

But how is this possible? According to documentation on Fraunhofer’s site

When an iOS device with hardware encryption capabilities is lost or stolen, many users believe that there is no way for a new owner to access the stored data — at least if a strong passcode1 is in place. This estimation is comprehensible, since in theory the cryptographic strength of the AES256 algorithm used for iOS device encryption should prevent even well equipped attackers. However, it was already shown2 that it is possible to access great portions of the stored data without knowing the passcode.

Tools are available for this tasks that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current3 iOS devices the required cryptographic key does not depend on the user’s secret passcode. Instead the required key material is completely created from data available within the device and therefore is also in the possession of a possible attacker.

From the video above you can see the jailbreaking tool and script that Fraunhofer uses in action to access the secrets stored on the iPhone.  

Big deal, one might say, they can read my text messages. Well, with smart phones becoming a standard enterprise network client, theoretically one could retrieve the passwords used to access corporate networks with this utility.

According to the researchers site, all current iPhones and iPads are vulnerable to this attack.

It would seem that the dangers of leaving your laptop lying around now pertain to your smart phone too.


One thought on “iPhone Hacked and Passwords Stolen in just 6 Minutes”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.