German researchers were able to reveal the passwords stored on Apple's iPhone 4 in just six minutes, highlighting that the public perception of the protection strength provided by Apple's iOS device encryption does not reflect all aspects of the security of stored passwords.
In a new report, Jens Heider and Matthias Boll of the
Fraunhofer Institute for Secure Information Technology show how to
make speedy work of hacking the smartphone.
The researchers conducted tests with iPhone 4 and iPad Wi-Fi + 3G hardware running the latest firmware at the time, iOS 4.2.1.
They first gained access to the file system, copied their keychain access script onto it, and then executed the script, which revealed the stored accounts and secrets.
The first step depends on the device's iOS version and hardware, but in general it can be achieved with a jailbreaking tool and by installing an SSH server on the device without overwriting user data. Software can then be launched unrestricted on the device and can access all files, including the keychain database. Secrets in this database are encrypted with the device's key, which could not be extracted from the device. However, the key can be used by software running on the device.
In the second step, the researchers copied their keychain access script to the device over the SSH connection. The script uses system functions to access the keychain entries, so there was no need to reverse engineer the keychain's encryption mechanism.
The last step executes the script, which prints the accounts it finds to the shell.
In short: after using a jailbreaking tool to get access to a command shell, the researchers ran a small script that accessed and decrypted the passwords found in the keychain. The decryption was done with the help of functions provided by the operating system itself.
"The overall approach takes six minutes, which might provide an
additional opportunity for an attacker to return the device to the
owner to cover the revealing of passwords," the researchers said.
The results show that a lost iOS device may also endanger the confidentiality of data that is not stored on the device but is accessible to an attacker via the revealed stored secrets. This is not a problem specific to iOS devices, as other smartphone operating systems may also have circumventable password protection mechanisms. However, iOS devices with device encryption may leave users with the false belief that these devices generally have strong password protection in place.
Regarding the compliance of iOS with individual enterprise security policies, the comparison sometimes drawn to fully encrypted notebook hard disks with pre-boot authentication is not valid, since those systems use the user's secret for the device encryption, whereas the keychain secrets examined here were recoverable with a key that software on the device can use without any input from the user.
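To make the distinction in this paragraph concrete, the following is an added toy model (it is not the researchers' script and not Apple's implementation; the device key, the cipher, the salt and the sample keychain item are all constructed for illustration). It contrasts an item sealed under a key that software on the device can obtain without any user input with an item sealed under a key derived from the owner's passcode, and shows what an attacker with code execution on the device, but no passcode, gets in each case:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a per-device key that code running on the device can
# use but cannot export. The value is purely illustrative (assumption).
DEVICE_KEY = hashlib.sha256(b"constructed-device-uid").digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one keychain-style item under `key`."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify and decrypt; raises ValueError if `key` is not the sealing key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted item")
    return _keystream_xor(key, nonce, ct)


def device_only_key() -> bytes:
    """Design A: the item key is the device key itself. The OS can apply this
    key on behalf of any software on the device; no user secret is involved."""
    return DEVICE_KEY


def passcode_entangled_key(passcode: str, salt: bytes) -> bytes:
    """Design B: the item key is derived from the device key AND the owner's
    passcode, as with pre-boot-authenticated disk encryption. Without the
    passcode the key cannot be recomputed, even by code running on the device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_KEY + salt, 100_000)


def attacker_with_device_code_execution(item: bytes) -> Optional[bytes]:
    """The article's scenario: the attacker holds the device, has gained code
    execution on it (jailbreak plus SSH) and can use the device key through
    the OS, but does not know the passcode. Returns the secret or None."""
    try:
        return unseal(device_only_key(), item)
    except ValueError:
        return None


def demo() -> dict:
    # Constructed sample item and salt; no real account data.
    secret = b"imap://user@example.com password=constructed-sample"
    salt = b"constructed-salt"
    item_a = seal(device_only_key(), secret)
    item_b = seal(passcode_entangled_key("1234", salt), secret)
    return {
        "device_key_item_recovered": attacker_with_device_code_execution(item_a),
        "passcode_item_recovered": attacker_with_device_code_execution(item_b),
        "owner_recovers_passcode_item": unseal(passcode_entangled_key("1234", salt), item_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Under design A the attacker recovers the item without ever learning the passcode, which is the situation the article describes; under design B the same attacker gets nothing and only the owner, who supplies the passcode, can unseal the item. The caveat is that design B merely moves the attack to guessing the passcode, so a short numeric PIN entangled this way still offers little resistance to an attacker who can run code on the device.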
"Owners of a lost or stolen iOS device should therefore instantly
initiate a change of all stored passwords. Additionally, this should
also be done for accounts not stored on the device but which might
have equal or similar passwords, as an attacker might try out
revealed passwords against the full list of known accounts," the