Pure Hacking chief technology officer Ty Miller has posted a demonstration video showing how SMS-based two-factor authentication tokens can be stolen from Apple iPhones and possibly Android devices.
The demonstration can be launched after a jailbroken iPhone is compromised by a number of non-specific attack vectors initiated by users opening malicious websites or email attachments.
Once an attacker has compromised the phone, they can view SMS tokens, popular as a means of authentication by Australian banks, stored in a SQLite3 database on the phone.
The demonstration also shows how usernames and passwords stored in the phones' auto-complete feature can be stolen.
A separate attack on a jailbroken iPhone by a researcher from Sense of Security demonstrated that a modded iPhone can create a bridge between the public internet and a "secure" internal network.