German sercurity firm Fraunhofer has found a way to gain access to passwords held on iPhones and iPads in about the same length of time it takes to make a proper cup of coffee.
Fraunhofer tech experts were able to gain access to a pin-locked iPhone and download password information from the device’s apps and browsers. Accessing the information involved jail-breaking the phone which allowed the security experts to install any applications they wished. The download the information Fraunhofer experts wrote a script that searched for and displayed user login information once installed.
While potential hackers need direct access to the phone the experts warned that “the overall approach only takes six minutes, which might provide an [ideal] opportunity for an attacker to return the device to the owner to cover the revealing of passwords.”
Many people think that the Smartphone device encryption will provide sufficient security. “This opinion we encountered even in companies’ security departments”, says Jens Heider, technical manager of the Fraunhofer SIT security test lab. “Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time.” The testers did not have to break the 256 bit encryption to get to the passwords stored in the devices’ keychain. A weakness in the security design was used: The underlying secret the attacked password’s encryption is based on is stored in the device’s operating system. This means that the encryption is independent from the personal password, which is actually supposed to protect the access to the device.
The test was carried out on with an iPhone running iOS 4.2.1
