Is our iPhone data safe? This is the ultimate question to be answered when an iPhone or iPad, or for that matter any smartphone or tablet, is lost, especially when it contains critical data such as passwords.
Recent research has shown that passwords are not secure on lost iOS devices: in under six minutes an attacker can render the device's encryption void and decipher many passwords stored on it.
iOS devices such as iPhone or iPad with device encryption may keep users in the false belief that these devices have in general a strong password protection in place, says the Fraunhofer Institute for Secure Information Technology in Darmstadt. Our demonstration proves that this is a false assumption, says Jens Heider of the Fraunhofer Institute.
In the first step, the researchers jailbroke the phone using software tools and then installed an SSH server on the iPhone without overwriting user data. That allows software to be run on the phone. The software can access all files including the keychain database.
The second step is to copy a keychain access script to the phone via the SSH connection. The script uses system functions to access the keychain entries.
The final step executes the script, which reveals the stored accounts and secrets with the help of system functions.
Within six minutes the institute’s staff was able to render the iPhone’s encryption void and decipher many passwords stored on it.
The researchers used a weakness in the security design to get to the passwords stored in the device's keychain. In current versions of iOS, the keychain contains user accounts including passwords for email, groupware, VPN, WiFi and websites, and often also passwords and certificates used in 3rd-party apps. The attack works by tricking the operating system into decrypting the file system on behalf of the attacker. This decryption is possible because on current iOS devices the required cryptographic key does not depend on the user's secret passcode.
Instead, the required key material is created entirely from data available within the device and is therefore also in the possession of a possible attacker. The underlying secret on which the encryption of the attacked passwords is based is stored in the device's operating system.
This means that the encryption is independent of the personal passcode, which is actually supposed to protect access to the device, according to the researchers.
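The design point above can be shown with a simplified model. The following is an added example, not code from the researchers or from Apple: it compares a key built only from on-device material with a key that also depends on the passcode. The names, the sample secret, the passcode "4821" and the toy cipher (a stand-in for AES) are all assumptions made for illustration.

```python
import hashlib, hmac, os

DEVICE_SECRET = os.urandom(32)   # constructed stand-in for key material stored on the device
SALT = os.urandom(16)            # constructed; stored on the device next to the data

def device_only_key(device_secret):
    """Design described in the article: key built solely from on-device data."""
    return hmac.new(device_secret, b"keychain", hashlib.sha256).digest()

def passcode_bound_key(device_secret, passcode, salt):
    """Alternative design: stretch the passcode, then mix it with the device secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key, plaintext):
    """Toy authenticated cipher (illustration only); returns nonce|ciphertext|tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def readable_without_passcode(blob, device_secret):
    """What code running on the device can decrypt when no passcode is supplied."""
    return unseal(device_only_key(device_secret), blob)

SECRET = b"vpn-password-example"   # constructed sample keychain entry
weak_item = seal(device_only_key(DEVICE_SECRET), SECRET)
strong_item = seal(passcode_bound_key(DEVICE_SECRET, "4821", SALT), SECRET)

if __name__ == "__main__":
    print("device-only key, no passcode:   ",
          readable_without_passcode(weak_item, DEVICE_SECRET))
    print("passcode-bound key, no passcode:",
          readable_without_passcode(strong_item, DEVICE_SECRET))
    print("passcode-bound key, passcode:   ",
          unseal(passcode_bound_key(DEVICE_SECRET, "4821", SALT), strong_item))
```

In the passcode-bound variant the entry stays sealed unless the passcode is supplied, so its protection rests on the passcode's strength and the stretching cost rather than on possession of the device alone.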
As soon as attackers are in possession of an iPhone or iPad and have removed the device's SIM card, they can get hold of e-mail passwords and access codes to VPNs, WLANs and company networks as well, researchers say.
Control of an e-mail account allows the attacker to acquire even more passwords: for many web services, such as social networks, the attacker only has to request a password reset. Once the respective service returns the new password to the user's e-mail account, the attacker has it as well, they said.
Researchers advise owners of a lost or stolen iPhone to change all their stored passwords. This should also be done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.
Fraunhofer SIT also urges companies to change the respective network identifications as quickly as possible. Changing group passwords, such as those sometimes used for VPN and WiFi, may require additional effort but should be taken seriously.