Researchers demo ability to steal passwords by jailbreaking Apple's iPhone

post #1 of 66
Thread Starter 
Researchers from Germany have demonstrated a way to quickly retrieve passwords from the stored keychain of a locked iPhone or iPad by obtaining the device and jailbreaking it.

The Fraunhofer Institute Secure Information Technology team have demonstrated their exploit online, proclaiming that an "attacker can retrieve passwords in 6 minutes." The hack requires the person to have access to the physical phone, and relies on "jailbreaking" the device, a term used to refer to hacking Apple's iOS mobile operating system to allow users to run unauthorized code.

In a video detailing the exploit, Fraunhofer shows a password-locked iPhone tethered to a computer via USB and then jailbroken. The attacker then accesses the filesystem of the handset and copies a keychain access script to the device.

From there, the script can be executed, and passwords stored on the iPhone can be extracted. All of this can reportedly be accomplished without even unlocking the password-protected phone, with all of the data transferred via USB to a connected PC.

The research firm claims that the "flawed security design affects all iPhone and iPad devices containing the latest firmware."



Apple has discouraged jailbreaking of iOS devices, including the iPhone, iPad and iPod touch, noting that the practice can result in significant security risks. In 2009, a worm targeting jailbroken iPhones affected some users who did not change their default SSH password, which allows file transfers between phones.

Jailbreaking can be used to steal software from the App Store, while it can also be employed to run unauthorized third-party applications or operating system customization and modifications not allowed by Apple. A significant community dedicated to jailbreaking has emerged since the iPhone was first released in 2007, and it has gone back and forth with Apple as the Cupertino, Calif., company works to patch exploits and jailbreakers look to discover them.

Last November, Apple enhanced the security of iOS devices by making the Find My iPhone service free. Previously, the functionality was only available to users who subscribed to Apple's $99-per-year MobileMe service.

Using Find My iPhone, a user can remotely track a missing iPhone, iPad or iPod touch, provided the device has a data connection available. The owner of the device can also remotely disable or wipe all data from the missing hardware.
post #2 of 66
Quote:
Originally Posted by AppleInsider View Post

Researchers from Germany have demonstrated a way to quickly retrieve passwords from the stored keychain of a locked iPhone or iPad by obtaining the device and jailbreaking it. ...

Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...
post #3 of 66
And did you know that by actually having my phone they would deprive me of its use?
post #4 of 66
Quote:
Originally Posted by anonymouse View Post

Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...

So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?

I bet you would find this is possible with most phones, but because of the iPhone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.
post #5 of 66
You give any security expert physical access to any computerized device and they can get any data out of it that they want.
post #6 of 66
Because you actually install an .ipsw file (or something like that) that is like a whole disk partition and you lose any content (programs and data) on your iPhone. That's what I learnt some time ago, but maybe that is not true anymore or I just didn't get it right in the first place.
Could anybody confirm this? I'll certainly appreciate more insight on this topic.
post #7 of 66
Quote:
Originally Posted by chronster View Post

So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?

If the naked photos are of you then you probably should be alarmed. If you have naked photos of kids you should be in jail. If they are of miscellaneous men or women, it's hardly a big deal. Business secrets ought to be secured beyond locking your iPhone.

Address books and emails might be sensitive. Can they be accessed through this method?

My concern would be if 1Password could be compromised.
post #8 of 66
I thought the keychain was an encrypted file, so not sure how they're doing this.
post #9 of 66
Quote:
Originally Posted by chronster View Post

So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?

Well, one could argue Apple has been incredibly lackadaisical with regard to iPhone security design. There is a file system on the phone and way too much data is stored in clear text. Pretty much the only protection Apple has built in is the lack of a filesystem browser or a command shell to give access to the files.

So, YES, people should be concerned that the password on the phone is nothing more than a minor speed bump. No one should trust their iPhone with business secrets and naked photos they don't want others to see, unless they keep the phone itself secure.
post #10 of 66
Quote:
Originally Posted by stevetim View Post

You give any security expert physical access to any computerized device and they can get any data out of it that they want.

In 6 minutes? I don't think so.

For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.

Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.
post #11 of 66
In 6 minutes without unlocking the phone? F'me.
post #12 of 66
Quote:
Originally Posted by malax View Post

In 6 minutes? I don't think so.

For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.

Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.

Here's some more information

http://www.sit.fraunhofer.de/en/Imag...m502-80443.pdf
post #13 of 66
Quote:
Originally Posted by Ungenio View Post

Because you actually install an .ipsw file (or something like that) that is like a whole disk partition and you lose any content (programs and data) on your iPhone. That's what I learnt some time ago, but maybe that is not true anymore or I just didn't get it right in the first place.
Could anybody confirm this? I'll certainly appreciate more insight on this topic.

Jailbreaking modifies ("patches") the OS to allow other programs to be installed. It does not have to wipe out your data. Usually people do the jailbreak right after a software upgrade, and in that case it is generally recommended to do a clean OS install (rather than update) and then JB and restore personal data and apps, but that order is not mandatory for the process to work.
post #14 of 66
Quote:
Originally Posted by ascii View Post

I thought the keychain was an encrypted file, so not sure how they're doing this.

Because the key has to be on the phone, otherwise the owner couldn't read the file.
--Johnny
post #15 of 66
Quote:
Originally Posted by chronster View Post

So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?

I bet you would find this is possible with most phones, but because of the iPhone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.

It's possible with any phone, tablet, laptop, desktop, server or mainframe. On some systems it's even possible to retrieve passwords that ought not be retrievable in unencrypted format (for example, it used to, and may still, be possible to retrieve all user system login passwords on IBM AS/400-iSeries systems by running a widely and readily available utility with "root" (QSECOFR) authority).

The whole point of Keychain is to allow the user to store passwords that can later be retrieved in unencrypted form and used as needed. Since they need to be used unencrypted, they must be unencryptable with sufficient authority. So, as long as you have sufficient (e.g., root) authority and access to the file, they will be unencryptable. If it didn't work this way, there would be no point to Keychain.
post #16 of 66
Quote:
Originally Posted by malax View Post

In 6 minutes? I don't think so.

For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.

Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.

Think of the iPhone as a Mac without disk encryption. If you had a password on the Mac with no encryption, someone with a boot disk could have your data in less than 6 minutes. Same with a Windows PC, Linux PC etc. The iPhone is not much harder.
post #17 of 66
Quote:
Originally Posted by anonymouse View Post

Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...

I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.

Life is too short to drink bad coffee.
post #18 of 66
Quote:
Originally Posted by anonymouse View Post

The whole point of Keychain is to allow the user to store passwords that can later be retrieved in unencrypted form and used as needed. Since they need to be used unencrypted, they must be unencryptable with sufficient authority. So, as long as you have sufficient (e.g., root) authority and access to the file, they will be unencryptable. If it didn't work this way, there would be no point to Keychain.

That is just plain stupid. The root account does not need access to the unencrypted file, and for that matter nor does the user. The file can be stored encrypted and the data can be unencrypted by the user account WHEN THE USER PROVIDES THE KEY. Relying on the user password and/or filesystem permissions to protect unencrypted passwords was considered a major security flaw in 1990; anyone who thinks that is OK in 2010-2011 is beyond incompetent.
post #19 of 66
Quote:
Originally Posted by paxman View Post

If the naked photos are of you then you probably should be alarmed.

If they see naked photos of me, they will have clawed their own eyes out, thus achieving karmic payback!!
post #20 of 66
The line that jailbroken phones can be used to "steal software" is just plain wrong. If I shop at Joe's Drugs instead of Walmart, I'm not "stealing" anything. Even in the linked article, the author points out you can only buy software from third-party vendors that APPLE REFUSES TO SELL. You're not even "stealing business" in the metaphorical sense, if the owner won't stock the item. Very poor, sensationalist wording.
post #21 of 66
Quote:
Originally Posted by lundy View Post

Because the key has to be on the phone, otherwise the owner couldn't read the file.

From the report, the section I bolded points out Apple's complete incompetence in this matter:

When an iOS device with hardware encryption capabilities is lost or stolen, many users believe that there is no way for a new owner to access the stored data, at least if a strong passcode[1] is in place. This estimation is comprehensible, since in theory the cryptographic strength of the AES256 algorithm used for iOS device encryption should prevent even well equipped attackers. However, it was already shown[2] that it is possible to access great portions of the stored data without knowing the passcode. Tools are available for this task that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current[3] iOS devices the required cryptographic key does not depend on the user's secret passcode. Instead the required key material is completely created from data available within the device and therefore is also in the possession of a possible attacker.

Less considered is the aspect that, as an extension to the ability to decrypt the file system, an attacker may aim at gaining access to stored secrets kept in the keychain. Therefore, the impact of extending the known iOS weaknesses by targeting the keychain security should be shown in this paper.
post #22 of 66
Quote:
Originally Posted by wildcatherder View Post

The line that jailbroken phones can be used to "steal software" is just plain wrong. If I shop at Joe's Drugs instead of Walmart, I'm not "stealing" anything. Even in the linked article, the author points out you can only buy software from third-party vendors that APPLE REFUSES TO SELL. You're not even "stealing business" in the metaphorical sense, if the owner won't stock the item. Very poor, sensationalist wording.

No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.

Life is too short to drink bad coffee.
post #23 of 66
Quote:
Originally Posted by mstone View Post

I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.

Not the same situation at all.

These aren't system login passwords, which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.
post #24 of 66
Quote:
Originally Posted by anonymouse View Post

Not the same situation at all.

These aren't system login passwords, which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.

You have no clue what you are talking about. If the passwords were encrypted with a user password, like has been done hundreds of times by others who get security, simple access to the disk would not be enough to retrieve and access them. The problem is Apple did not use a user-entered password (including possibly the device lock password) in order to encrypt that data. In a properly designed system, stored passwords can be available to the OS after the user enters a single sign-on, but remain inaccessible to system administrators with root or admin access to the disk. This is 100% Apple's fault for ignoring age-old industry best practice.
post #25 of 66
Quote:
Originally Posted by anonymouse View Post

Not the same situation at all.

These aren't system login passwords, which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.

I see, I don't know much about keychain since I don't use it except in ssh as a server key but that is encrypted fingerprint of known hosts from the server.

Life is too short to drink bad coffee.
post #26 of 66
Quote:
Originally Posted by mstone View Post

No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.

No, it is more like a hacker gets one copy, alters it to remove the DRM and then makes it available in a public repository for hacked software. This is not a common practice for iPhone owners within the US, but the capability is there. It appears to be more accepted practice in Russia and some other countries. Most jailbreakers and members of the community are anti-piracy because it gives them a bad name from bigoted press and forums like AI, and also because many of them sell their own software in the Cydia store and are themselves potential victims.
post #27 of 66
Quote:
Originally Posted by mstone View Post

I see, I don't know much about keychain since I don't use it except in ssh as a server key but that is encrypted fingerprint of known hosts from the server.

I don't believe those are actually stored in Keychain.
post #28 of 66
Steve Jobs: "Just try not to lose your phone."
post #29 of 66
Quote:
Originally Posted by AIaddict View Post

That is just plain stupid. The root account does not need access to the unencrypted file, and for that matter nor does the user. The file can be stored encrypted and the data can be unencrypted by the user account WHEN THE USER PROVIDES THE KEY. Relying on the user password and/or filesystem permissions to protect unencrypted passwords was considered a major security flaw in 1990; anyone who thinks that is OK in 2010-2011 is beyond incompetent.

Thanks for your contributions to this thread, Aladdict.

Fortunately this should be a fairly easy fix (as far as security fixes go), right? Apple "just" needs to include the access code that the user enters to unlock their phone as part of the encryption/decryption process. You're absolutely right that it is insane that this wasn't done from the beginning. What's the point of encrypting something, if everything you need to decrypt it is available on the same device?
post #30 of 66
Sounds like this method would not work if the root password is changed on the JB phone. Granted, this doesn't protect someone whose phone was stolen and freshly JB, but anyone who is ALREADY JB and changed their root password (which is suggested--sort of) should be okay. Correct?
Summer '09 Macbook 6 GB RAM, SSD; iPhone 3GS, aTV v.2

Jesus told her, I am the resurrection and the life. Anyone who believes in me will live, even after dying. Anyone who lives in me and [trusts]...
post #31 of 66
Quote:
Originally Posted by malax View Post

Thanks for your contributions to this thread, Aladdict.

Fortunately this should be a fairly easy fix (as far as security fixes go), right? Apple "just" needs to include the access code that the user enters to unlock their phone as part of the encryption/decryption process. You're absolutely right that it is insane that this wasn't done from the beginning. What's the point of encrypting something, if everything you need to decrypt it is available on the same device?

Well, it COULD be an easy security patch, except Apple has yet to provide such a thing for the iPhone. They only make fixes in new iOS releases and we only get them when the OS update is made available. I would not be surprised if we don't see a fix for this until iOS 5 in June, and then any older models such as the 3G and possibly 3GS may not get the patch if they are not compatible with the latest iOS like has been done with the iPhone 2G already.
post #32 of 66
Quote:
Originally Posted by kohelet View Post

Sounds like this method would not work if the root password is changed on the JB phone. Granted, this doesn't protect someone whose phone was stolen and freshly JB, but anyone who is ALREADY JB and changed their root password (which is suggested--sort of) should be okay. Correct?

I am not sure, but it would not be the only security BENEFIT to jailbreaking your phone. Unfortunately there are also security downsides.
post #33 of 66
Quote:
Originally Posted by Wurm5150 View Post

Steve Jobs: "Just try not to lose your phone."

Far too many words
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
post #34 of 66
Not being the proud owner of an iPhone or iPad (yet), an obvious question would be does Apple have the user selectable option of creating a "Log-On" password?
Would a feature such as that be a help with this problem?
Obviously, a password could be an issue when answering a call, but there may be a work around for this sort of thing. No?
post #35 of 66
Quote:
Originally Posted by AIaddict View Post

You have no clue what you are talking about. If the passwords were encrypted with a user password, like has been done hundreds of times by others who get security, simple access to the disk would not be enough to retrieve and access them. The problem is Apple did not use a user-entered password (including possibly the device lock password) in order to encrypt that data. In a properly designed system, stored passwords can be available to the OS after the user enters a single sign-on, but remain inaccessible to system administrators with root or admin access to the disk. This is 100% Apple's fault for ignoring age-old industry best practice.

So, how would that work when you don't necessarily have to log into your iPhone?
post #36 of 66
This is why - for my most sensitive sites such as banks - I never store passwords. It is fine for scale sites - but never for anything financial or for email.
post #37 of 66
Quote:
Originally Posted by mstone View Post

I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.

You may be able to reset the password for a given Mac user but NOT for his keychain. That is NOT reset - i.e. remains the same as previously - when the account password is reset, and therefore that data is still protected -- at least from this level of attack.

BTW - you can change the keychain password anytime to be different from your login.

Once again - for the sensitive sites (banks, amazon, stocks) I always click "Never for this site"
post #38 of 66
Quote:
Originally Posted by jmmx View Post

This is why - for my most sensitive sites such as banks - I never store passwords. It is fine for scale sites - but never for anything financial or for email.

Whether it helps, I do not store passwords either. However I do store text lists of codes for them (for example "1dnicky" would trigger that the password is my 1st dog's nickname and how old he was when he died). Maybe my code works and maybe not.

However, if I do access a site that requires a log-on, does the iPhone remember the actual password I enter in a cookie (or similar file), and can I not stop the iPhone from storing this info?
post #39 of 66
Quote:
Originally Posted by AIaddict View Post

Well, it COULD be an easy security patch, except Apple has yet to provide such a thing for the iPhone. They only make fixes in new iOS releases and we only get them when the OS update is made available. I would not be surprised if we don't see a fix for this until iOS 5 in June, and then any older models such as the 3G and possibly 3GS may not get the patch if they are not compatible with the latest iOS like has been done with the iPhone 2G already.

The problem with using the passcode for encryption is that most people don't use them to lock their iPhones. I agree that this is serious but the solution is not as simple as you think.
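The design argued over in posts #18, #24 and #29 (keychain secrets wrapped with a key that the user's passcode is part of, instead of a key built only from material on the device) and the caveat in post #39 (a phone with no passcode set), as an added example. This is not code from this thread, from the Fraunhofer paper, or from Apple's keychain; the DEVICE_UID value, the PBKDF2 iteration count and the HMAC-based stream cipher standing in for AES-256 are all constructed for the example.

```python
"""Why a keychain key must depend on the passcode, not only on device data.

Two toy keychain stores: one whose key is derived purely from material that
lives on the device (the design the Fraunhofer excerpt criticises), and one
whose key is derived from the user's passcode as well. Someone who can read
every byte off the device gets the first store for free and nothing from the
second, unless no passcode was ever set.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for per-device key material ("data available within the
# device" in the paper's words). Assumption: whoever holds the device can read it.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumption: an illustrative PBKDF2 cost; a real store would tune this to the hardware.
PBKDF2_ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream built from HMAC-SHA256 so the example needs only
    the standard library. It stands in for the AES-256 the paper mentions; the
    point of the example is where the key comes from, not the cipher itself."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def device_only_key() -> bytes:
    """Weak design: the key is a function of device data alone, so it is
    reconstructible by anyone who has the device in hand."""
    return hashlib.sha256(b"keychain-key" + DEVICE_UID).digest()


def passcode_bound_key(passcode: str) -> bytes:
    """Hardened design: the key needs the passcode as well as the device secret.
    Copying the whole filesystem still leaves the passcode to be found."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_UID,
                               PBKDF2_ITERATIONS, dklen=32)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered.
    Checking the tag first means a wrong key yields a refusal, never garbage."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ciphertext)


def lost_device_outcome(secret: bytes, passcode: str) -> dict:
    """What a finder who holds the device but not the passcode can read under
    each design, and whether the rightful owner can still read the hardened one.

    `passcode` is what the owner set; "" models a device with no passcode at all."""
    weak_blob = seal(device_only_key(), secret)
    strong_blob = seal(passcode_bound_key(passcode), secret)
    # The finder has DEVICE_UID and both blobs; the only passcode they can try
    # without guessing is "no passcode".
    finder_attempt = ""
    return {
        "device_only_readable": open_sealed(device_only_key(), weak_blob) == secret,
        "passcode_bound_readable": open_sealed(passcode_bound_key(finder_attempt), strong_blob) == secret,
        "owner_can_still_read": open_sealed(passcode_bound_key(passcode), strong_blob) == secret,
    }


if __name__ == "__main__":
    for pc in ("1234", ""):
        label = repr(pc) if pc else "no passcode set"
        print(f"owner passcode {label}: {lost_device_outcome(b'mail password', pc)}")
```

Running it shows the device-only store readable in both runs, and the passcode-bound store readable by the finder only in the second run, where the owner set no passcode: that is post #39's point, that binding the key to the passcode protects only users who have one. It also answers post #35 as far as this design goes: the OS derives the key once when the user unlocks and keeps it in memory, so individual keychain reads do not need a fresh log-in.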
post #40 of 66
Quote:
Originally Posted by stevetim View Post

You give any security expert physical access to any computerized device and they can get any data out of it that they want.

Not if it's 256 bit encrypted with a strong password.