Researchers demo iPhone passwords hack

A German research firm has demonstrated how passwords stored on an iPhone can be retrieved in less than six minutes without needing to know the passcode.

Researchers from German engineering and research firm Fraunhofer tested the hack on an iPhone 4 and iPad 3G running iOS 4.2.1 and found that it was possible to access a range of passwords stored on the device, including: MobileMe, Google Mail as a Microsoft Exchange account, Microsoft Exchange email accounts, VPN logins and Wi-Fi network credentials.

The researchers said that the hack was relatively easy to perform and used freely available tools. However, they did have to jailbreak the device and install an SSH server in order to access the phone and copy the keychain access script that allows access to the stored information.

"After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain. The decryption is done with help of functions provided by the operating system itself," the researchers wrote in the paper. "An attacker would not need to know the user's passcode nor does he need to exploit new vulnerabilities to reveal these secrets."

Other sensitive information, such as credentials saved by the Safari web browser, was not revealed in the tests.

http://www.youtube.com/watch?v=uVGiNAs-QbY

Ben Woods


Talkback

1 comment
  • If you use "Keeper Password & Data Vault" app on your iPhone, you are safe. Keeper (by Callpod) is a secure password and data vault that does not use the Keychain. It uses its own internal encryption and decryption that makes it safe for all storage. Just search the app store for Keeper.
    craiglurey