German researchers say that they have found a way to steal passwords stored on a locked Apple iPhone in just six minutes.
And they can do it without cracking the iPhone’s passcode.
Researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) say that the attack targets Apple’s password management system – known as the keychain.
Here’s a YouTube video where the German researchers demonstrate their attack in action:
The only hint of a consolation is that the attack cannot be done remotely – the attackers need physical access to your iPhone to steal information.
But if the attacker only needs to have his hands on your iPhone for six minutes, how much of a comfort is this really? Don’t forget, it’s not unusual for people to lose their mobile phones or leave them unattended on their desk while they pop off to the coffee machine.
According to material published by Fraunhofer Institute SIT, sensitive password information can be extracted from a user’s iPhone without needing to know the passcode.
The researchers claim that all iPhone and iPad devices containing the latest firmware are vulnerable. At a time when Apple and its fans are pushing hard for more companies to bring iPhones into the enterprise there will undoubtedly be concerns if these vulnerability claims are found to be true.
All eyes must now turn to Cupertino to see what Apple has to say about this.
17 comments on “VIDEO: How to steal passwords from a locked iPhone”
I am still in shock on this finding. After the passcode problem revealing contacts I thought we had seen the worst. Any clue on how certain this is?
Does this also apply for phones that are already Jailbroken?
It's much better to be jailbroken and change the default password on root access via SSH. It's always better to be jailbroken and modify.
Well, this just gives Apple another excuse to rush out another crappy iOS update that further ruins our devices.
And this is why I’m sticking with Android.
I love me some 'Droid, but do you actually think Android can't be cracked? I mean, really?
I have an Android and I'm fully aware that as soon as someone so much as plugs a USB cord into it, my data is as good as gone. I just don't let people plug a USB cord in 😉
If it's a popular platform it doesn’t matter what it is. Hackers (or whatever you like to call black hats) will try their best to exploit whatever is a popular platform because that is what will give them the most results for the least amount of work.
That doesn’t give Microsoft/Apple/Google/insert popular company here an excuse to write bad code, but until these companies take more time to thoroughly test their updates and actually try to break them I don’t see these kinds of issues going away anytime soon.
What if your device is already jailbroken and you have changed the passwords?
Right. Well, it's always more fun if you get to control everything about an experiment, isn't it?
For all we know, this could be video editing tricks. Please do note that after enabling the password on this device we do not see the password unlock the phone to prove it has taken hold. The phone is shut off, and the scene changes. They never even enter the password before beginning the 'hack' to prove there is a password. Because of the scene change we simply do not know what took place in that time, nor precisely how long that time even was!
For that matter, because of the editing of the video we simply have no way of proving this is even the same phone. Were the serial number, Wi-Fi address, Bluetooth address or IMEI and ICCID ever shown on screen to prove these phones are one and the same, before and after? No. We have no way of knowing for sure because we do not have access to this 'hack' under controlled conditions. All we have is a heavily edited video that truly doesn't 'prove' anything except exactly the illusion the 'hackers' wanted 'proven', or more appropriately – shown.
Independent third-party testing under controlled conditions or it didn't happen.
Pat: Don't be so dense. Fraunhofer SIT isn't trying to prove anything with this video. It is simply intended to draw attention to a security exploit that they discovered. All your talk of what was or was not in the video is completely useless, because no video can ever prove that this security exploit exists. The proof is in the published and reproducible results of their tests.
If you had taken 2 minutes to look (rather than ranting about video editing), you would have discovered the following:
You are correct that there is NOTHING wrong with being skeptical.
But be aware that well-regarded individuals and organizations have been duped in the past into posting well-regarded falsehoods. It wouldn’t exactly be the first time if the video exaggerated the danger.
The New York Times enjoyed a stellar journalistic reputation… until Jayson Blair. There are first times for everything, including bad judgment.
Don’t you find it the least bit odd Fraunhofer didn’t supply proof in at least some of the ways I mentioned? If they do enjoy the sterling reputation you imply, wouldn’t Fraunhofer want to be fastidious rather than sloppy? And if they were sloppy, doesn’t that alone degrade some of their reputation? I, for one and possibly the only one, find the whole inside/outside thing utterly mental. Were I out to supply proof, I would have made it iron-clad: one take, no cut-scenes, one continuous, seamless shot. This was not something to take to Cannes, for crying out loud.
Has anyone besides Fraunhofer duplicated this? The proof of the matter is right there. If the answer is no then everyone, *especially Sophos*, should be very skeptical of video-only ‘evidence’. If there is no independent proof then it didn’t happen. There simply is no room for ‘gentlemen’s courtesy’ in science. It is, or it is not.
Let’s analyze what they’ve done:
Step 1: Tethered Jailbreak.
Is this accepted as doable? Yes.
Step 2: SSH into device.
Is this accepted as doable? Only if the device’s passwords are known (e.g. haven’t been changed from the default).
So, for a jailbroken device where the password has been changed (after the famous rickroll, that’s ALL jailbroken devices… right?) the attack stops here. If the device hasn’t been jailbroken, or the password hasn’t been changed, we’re on to step 3.
Step 3: Upload script to device
Definitely doable, if we’ve overcome the previous hurdle.
Step 4: Run script
If we’ve already got root access, we can run a script. Doable.
Step 5: Use step 4 to reveal data.
Now, step 4 appears to use root credentials to access your keychain, the same way you’d do it on your Mac (open Keychain Access.app, enter your admin password when prompted to decrypt the keys). Since we know the root and mobile passwords on the device, this means that we can unlock any keychain that uses these credentials. Beyond this, we need further proof of a new attack vector that can compromise the keychain system.
Since the key used to access the keychain has to be tied to some credentials on the device, it would have to depend on root, mobile, hidden key on the “non-public” portion of the filesystem, or the login password.
I’ll leave it up to people who have studied the Keychain implementation Apple used on iOS 4.2 more than I have to decide what’s possible and what isn’t.
I would guess that any further details would make it trivial for anyone to compromise an iOS device if given 6 minutes with it… which is why the other details have not yet been revealed to the general public.
I think someone missed a point here regardless. In 6 minutes they could take over your world 😀
Or put it like this. This was done in 6 minutes. Imagine if someone had more time and greater access to more 🙂
Does anyone have a link to some basic statistics? i.e. identity theft, financial accounts etc…
What these kind folk did was show something about an expensive piece of hardware, and its notable security …there is minimal in capable hands. If it means anything, keep it close to you or in a secure location.
What this means for most people in their "carefree" lives u-n-t-i-l it happens? Minimal, if any …nothing. Except, wooow!
You have missed every point, because you saw exactly what you wanted to see rather than what was on the video. In other words, you are assuming facts not in evidence:
1. Did you see the password in operation during the video?
2. Did you see any serial number proof the phone is the same phone used throughout?
3. Did you see the phone completely untampered with before the video was shot?
No, you assumed a great deal. I will admit I could be completely wrong about this whole thing; but that is exactly why I have been asking if anyone else has verified that what we saw on the video was the complete, unvarnished truth. So far, not a peep.
So until there is a verification from an independent third-party, it did not happen.
Yep, if you can't hear the tree crack as it fell, it made no sound.