VIDEO: How to steal passwords from a locked iPhone

Filed Under: Apple, Data loss, Privacy, Vulnerability

German researchers say that they have found a way to steal passwords stored on a locked Apple iPhone in just six minutes.

And they can do it without cracking the iPhone's passcode.

Researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) say that the attack targets Apple's password management system - known as the keychain.

Here's a YouTube video where the German researchers demonstrate their attack in action:

The only hint of a consolation is that the attack cannot be done remotely - the attackers need physical access to your iPhone to steal information.

But if the attacker only needs to have his hands on your iPhone for six minutes, how much of a comfort is this really? Don't forget, it's not unusual for people to lose their mobile phones or leave them unattended on their desk while they pop off to the coffee machine.

[Image: Attack on iPhone revealing passwords]

According to material published by Fraunhofer Institute SIT, sensitive password information can be extracted from a user's iPhone without needing to know the passcode.

[Image: Passwords accessible through iPhone attack]

The researchers claim that all iPhone and iPad devices containing the latest firmware are vulnerable. At a time when Apple and its fans are pushing hard for more companies to bring iPhones into the enterprise, there will undoubtedly be concerns if these vulnerability claims are found to be true.

All eyes must now turn to Cupertino to see what Apple has to say about this.


17 Responses to VIDEO: How to steal passwords from a locked iPhone

  1. Magnus Trouw · 1168 days ago

    I am still in shock on this finding. After the passcode problem revealing contacts I thought we had seen the worst. Any clue on how certain this is?

  2. Lee Cronin ✯ · 1168 days ago

    Does this also apply for phones that are already Jailbroken?

    • bailoutMoreBanks · 348 days ago

      It's much better to be jailbroken and change the default password on root access via SSH. It's always better to be jailbroken and modify.

  3. Anon E. Mous · 1168 days ago

    Well, this just gives Apple another excuse to rush out another crappy iOS update that further ruins our devices.

  4. Dennis Mahon · 1168 days ago

    And this is why I'm sticking with Android.

    • spookie · 1168 days ago

      I love me some 'Droid, but do you actually think Android can't be cracked? I mean, really?

    • I have an Android and I'm fully aware that as soon as someone so much as plugs a USB cord into it, my data is as good as gone. I just don't let people plug a USB cord in ;)

    • Techieguy1979 · 1164 days ago

      If it's a popular platform it doesn't matter what it is. Hackers (or whatever you like to call black hats) will try their best to exploit whatever is a popular platform because that is what will give them the most results for the least amount of work.

      That doesn't give Microsoft/Apple/Google/insert popular company here an excuse to write bad code but until these companies take more time to thoroughly test their updates and actually try to break them I don't see these kinds of issues going away anytime soon.

  5. Nick Pike · 1168 days ago

    What if your device is already jailbroken and you have changed the passwords?

  6. Pat Dissent · 1168 days ago

    Right. Well, it's always more fun if you get to control everything about an experiment, isn't it?

    For all we know, this could be video editing tricks. Please do note that after enabling the password on this device we do not see the password unlock the phone to prove it has taken hold. The phone is shut off, and the scene changes. They never even enter the password before beginning the 'hack' to prove there is a password. Because of the scene change we simply do not know what took place in that time, nor precisely how long that time even was!

    For that matter, because of the editing of the video we simply have no way of proving this is even the same phone. Were the serial number, wi-fi address, Bluetooth address or IMEI and ICCID ever shown on screen to prove these phones are one and the same, before and after? No. We have no way of knowing for sure because we do not have access to this 'hack' under controlled conditions. All we have is a heavily edited video that truly doesn't 'prove' anything except exactly the illusion the 'hackers' wanted 'proven', or more appropriately - shown.

    Independent third-party testing under controlled conditions or it didn't happen.

    • J.. · 873 days ago

      Pat: Don't be so dense. Fraunhofer SIT isn't trying to prove anything with this video. It is simply intended to draw attention to a security exploit that they discovered. All your talk of what was or was not in the video is completely useless, because no video can ever prove that this security exploit exists. The proof is in the published and reproducible results of their tests.

      If you had taken 2 minutes to look (rather than ranting about video editing), you would have discovered the following:
      http://sit.sit.fraunhofer.de/studies/en/sc-iphone... http://sit.sit.fraunhofer.de/studies/en/sc-iphone...

  7. spookie · 1168 days ago

    You are correct that there is NOTHING wrong with being skeptical.

    But be aware that well-regarded individuals and organizations have been duped in the past into posting well-regarded falsehoods. It wouldn't exactly be the first time if the video exaggerated the danger.

  8. Pat Dissent · 1167 days ago

    The New York Times enjoyed a stellar journalistic reputation... until Jayson Blair. There are first times for everything, including bad judgment.

    Don't you find it the least bit odd Fraunhofer didn't supply proof in at least some of the ways I mentioned? If they do enjoy the sterling reputation you imply, wouldn't Fraunhofer want to be fastidious rather than sloppy? And if they were sloppy, doesn't that alone degrade some of their reputation? I, for one and possibly the only one, find the whole inside/outside thing utterly mental. Were I out to supply proof, I would have made it iron-clad: one take, no cut-scenes, one continuous, seamless shot. This was not something to take to Cannes, for crying out loud.

    Has anyone besides Fraunhofer duplicated this? The proof of the matter is right there. If the answer is no then everyone, *especially Sophos*, should be very skeptical of video-only 'evidence'. If there is no independent proof then it didn't happen. There simply is no room for 'gentlemen's courtesy' in science. It is, or it is not.

  9. Andrew Ludgate · 1167 days ago

    Let's analyze what they've done:

    Step 1: Tethered Jailbreak.
    Is this accepted as doable? Yes.

    Step 2: SSH into device.
    Is this accepted as doable? Only if the device's passwords are known (e.g. haven't been changed from the default).

    So, for a jailbroken device where the password has been changed (after the famous rickroll, that's ALL jailbroken devices... right?) the attack stops here. If the device hasn't been jailbroken, or the password hasn't been changed, we're on to step 3.

    Step 3: Upload script to device
    Definitely doable, if we've overcome the previous hurdle.

    Step 4: Run script
    If we've already got root access, we can run a script. Doable.

    Step 5: Use step 4 to reveal data.

    Now, step 4 appears to use root credentials to access your keychain, the same way you'd do it on your Mac (open keychain access.app, enter your admin password when prompted to decrypt the keys). Since we know the root and mobile passwords on the device, this means that we can unlock any keychain that uses these credentials. Beyond this, we need further proof of a new attack vector that can compromise the keychain system.

    Since the key used to access the keychain has to be tied to some credentials on the device, it would have to depend on root, mobile, hidden key on the "non-public" portion of the filesystem, or the login password.

    I'll leave it up to people who have studied the Keychain implementation Apple used on iOS 4.2 more than I have to decide what's possible and what isn't.

    I would guess that any further details would make it trivial for anyone to compromise an iOS device if given 6 minutes with it... which is why the other details have not yet been revealed to the general public.

  10. TMZ · 1163 days ago

    I think someone missed a point here regardless. In 6 minutes they could take over your world :D

    Or put it like this. This was done in 6 minutes. Imagine if someone had more time and greater access to more :)

    Does anyone have a link to some basic statistics? ie: Identity theft, financial accounts etc...

    What these kind folk did was show something about an expensive piece of hardware, and its notable security ...there is minimal in capable hands. If it means anything, keep it close to you or in a secure location.

    What this means for most people in their "carefree" lives u-n-t-i-l it happens? Minimal, if any ...nothing. Except, wooow!

    • Pat Dissent · 1163 days ago

      You have missed every point, because you saw exactly what you wanted to see rather than what was on the video. In other words, you are assuming facts not in evidence :

      1. Did you see the password in operation during the video?
      2. Did you see any serial number proof the phone is the same phone used throughout?
      3. Did you see the phone completely untampered with before the video was shot?

      No, you assumed a great deal. I will admit I could be completely wrong about this whole thing; but that is exactly why I have been asking if anyone else has verified that what we saw on the video was the complete, unvarnished truth. So far, not a peep.

      So until there is a verification from an independent third-party, it did not happen.

      • PhilCat · 1155 days ago

        Yep, if you can't hear the tree crack as it fell, it made no sound.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.