Researchers in Germany say they’ve been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone’s passcode.
The attack, which requires possession of the phone, targets keychain, Apple Inc.’s password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen, said the researchers at the state-sponsored Fraunhofer Institute Secure Information Technology (Fraunhofer SIT).
It is based on existing exploits that provide access to large parts of the iOS file system even if a device is locked.
In a video that demonstrates the attack, the researchers first jailbreak the phone using existing software tools. They then install an SSH server on the iPhone that allows software to be run on the phone.
The third step is to copy a keychain access script to the phone. The script uses system functions already in the phone to access the keychain entries and, as a final step, outputs the account details it discovers to the attacker.
The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.
Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes.
Among passwords that could be revealed were those for Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, WiFi passwords and some App passwords. Researchers published a paper with full details of the attack’s results.
“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well,” said the researchers in a statement. “Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset.”
The attack has particular significance for companies that allow employees to use iPhones on corporate networks, because it can reveal network access passwords.
“Owner’s of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” said Fraunhofer SIT. “Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.”
Researchers at Fraunhofer SIT have previously revealed security problems with other operating systems. In late 2009 they published multiple attack scenarios criminals could use to access files protected by Microsoft’s BitLocker disk-encryption technology. Last year the institute began selling a Java phone application for securely storing passwords.