iPhone attack reveals passwords in six minutes
Posted on Feb 10 2011 08:52 AM by xper in Security

Researchers in Germany say they've been able to reveal passwords stored in a locked iPhone in just six minutes, and they did it without cracking the phone's passcode. The attack, which requires possession of the phone, targets the keychain, Apple's password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen, said the researchers at the state-sponsored Fraunhofer Institute Secure Information Technology (Fraunhofer SIT).

The attack is based on existing exploits that provide access to large parts of the iOS file system even if a device is locked. In a video that demonstrates the attack, the researchers first jailbreak the phone using existing software tools. They then install an SSH server on the iPhone that allows software to be run on the phone.

The third step is to copy a keychain access script to the phone. The script uses system functions already in the phone to access the keychain entries and, as a final step, outputs the account details it discovers to the attacker. The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said.

This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode. Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes.
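The difference between a key built only from device material and one that also depends on the passcode can be shown with a simplified model. This is an added example, not code from the researchers or from Apple, and it does not reproduce the real iOS key derivation; `DEVICE_UID`, `class_key`, `seal`, `unseal`, the toy cipher and the sample entries are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed stand-in for the key material that lives on the device itself.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")

def class_key(device_uid, passcode=None):
    """Wrapping key for a protection class (hypothetical, simplified model).
    passcode=None models a class whose key depends on device material only."""
    if passcode is None:
        return hashlib.sha256(b"device-only" + device_uid).digest()
    # Passcode-entangled class: both the device material and the passcode are needed.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, 50_000)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-based stream cipher, standing in for the real cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, secret):
    """Encrypt and authenticate one keychain-style entry under a class key."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, secret)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unseal(key, item):
    """Return the plaintext, or None when the key is not the one used to seal."""
    nonce, ct, tag = item
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def recover_without_passcode(item):
    """What a holder of the device can unseal using device material alone."""
    return unseal(class_key(DEVICE_UID), item)

# Constructed sample entries: one per class.
vpn_item = seal(class_key(DEVICE_UID), b"vpn-password")
mail_item = seal(class_key(DEVICE_UID, "4821"), b"mail-password")
```

In this model the device-only entry opens for anyone who holds the device, while the passcode-entangled entry stays sealed until the passcode is supplied, which mirrors the split the researchers report between the exposed keychain entries and the other protection classes.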

Among passwords that could be revealed were those for Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, WiFi passwords and some App passwords. Researchers published a paper with full details of the attack's results.

Full story: PC Advisor








