AppleInsider › Forums › Mobile › iPhone › Researchers demo ability to steal passwords by jailbreaking Apple's iPhone

Researchers demo ability to steal passwords by jailbreaking Apple's iPhone - Page 2

post #41 of 66
Quote:
Originally Posted by stevetim View Post

You give any security expert physical access to any computerized device and they can get any data out of it that they want.

And the JailbreakMe exploit showed you can get the iPhone to run remote commands and download data. If there is another exploit like that in the OS, then someone can build trojans and viruses around this.
post #42 of 66
Quote:
Originally Posted by NasserAE View Post

The problem with using the passcode for encryption is that most people don't use them to lock their iPhones. I agree that this is serious but the solution is not as simple as you think.

If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.
post #43 of 66
If you have MobileMe account, all the more reason to use Find My Phone feature to erase it remotely as soon as you realize it's lost or stolen. You can always restore it if you get it back.

Not much chance that a randomly lost phone would find its way into the hands of someone with jailbreaking "tools" in hand within 6 minutes of loss. The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.
A.k.a. AppleHead on other forums.
post #44 of 66
Quote:
Originally Posted by Robin Huber View Post

The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.

Except that all the thief has to do to defeat remote wipe is to keep the phone from having a data connection.
post #45 of 66
Quote:
Originally Posted by AIaddict View Post

If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.

I do use a passcode to lock my iPhone. However, I understand that a passcode is just a way to buy time until you initiate a remote wipe. Like Dennis Hughes said:

Quote:
The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one
post #46 of 66
Quote:
Originally Posted by Robin Huber View Post

If you have MobileMe account, all the more reason to use Find My Phone feature to erase it remotely as soon as you realize it's lost or stolen. You can always restore it if you get it back.

Not much chance that a randomly lost phone would find its way into the hands of someone with jailbreaking "tools" in hand within 6 minutes of loss. The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.

Turning off the phone or removing the SIM card from the current GSM iPhone 4 blocks out the option to remote wipe. It would be nice if Apple would give the option to require a passcode to turn off the phone, so it stays on until the passcode is entered.
post #47 of 66
Quote:
Originally Posted by caliminius View Post

Except that all the thief has to do to defeat remote wipe is to keep the phone from having a data connection.

It depends on whether the hacker immediately shuts it off in time to prevent the command from reaching the phone. Most thefts involve wiping and reselling, not lifting data or accessibility from the contents.

For the record, does any other smartphone offer native enhanced encryption (which the user does not have to turn on) to offer protection against this?
If you are going to insist on being an ass, at least demonstrate the intelligence to be a smart one
post #48 of 66
Quote:
Originally Posted by AIaddict View Post

If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.

And what happens in your idealized world when someone has a passcode on their phone, and then they remove it? I know you think security is trivial to implement, but I don't think you've thought through even a tiny percentage of the possible scenarios where issues with your "solution" can arise and have to be dealt with.

And, again, as has been pointed out, if you don't physically secure the device, it's not going to be secure.
post #49 of 66
Quote:
Originally Posted by fecklesstechguy View Post

It depends on whether the hacker immediately shuts it off in time to prevent the command from reaching the phone. Most thefts involve wiping and reselling, not lifting data or accessibility from the contents.

..

Or you get lucky and this guy steals your iPhone
post #50 of 66
Quote:
Originally Posted by bongo View Post

Not if it's 256 bit encrypted with a strong password.

Then they'll just read the password off the sticky note on the monitor that the computer was attached to.
post #51 of 66
Quote:
Originally Posted by ascii View Post

I thought the keychain was an encrypted file, so not sure how they're doing this.

Think about this:
When your mail app checks for mail, does it always ask for your mail password?
When you re-visit a site you logged into yesterday (via http security) does it ask for your password?

No, it doesn't. Therefore, the key to decrypt the keychain must be stored on the device somewhere. The thief then jailbreaks your phone, and reads the key, and then decrypts your keychain.

On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.

This is a classic tradeoff between security and convenience. Users don't want to have to type in their password all the time, and they want their mail to check automatically, so the system has to know the password. If it asked the user every time, they'd get annoyed and switch to a different phone.
post #52 of 66
Quote:
Originally Posted by Gustav View Post

Think about this:
When your mail app checks for mail, does it always ask for your mail password?
When you re-visit a site you logged into yesterday (via http security) does it ask for your password?

No, it doesn't. Therefore, the key to decrypt the keychain must be stored on the device somewhere. The thief then jailbreaks your phone, and reads the key, and then decrypts your keychain.

On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.

This is a classic tradeoff between security and convenience. Users don't want to have to type in their password all the time, and they want their mail to check automatically, so the system has to know the password. If it asked the user every time, they'd get annoyed and switch to a different phone.

Ultimately the issue will lie with AT&T activating stolen phones. With Verizon, the phone's ESN has to match what's in the servers. With AT&T, you pop in a new sim, and AT&T lets you activate it (while charging the victim full price for a replacement.)

With this news out, I'd hold my iPhone a little tighter if I were y'all.
post #53 of 66
Quote:
Originally Posted by chronster View Post

So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?

I bet you would find this is possible with most phones, but because of the iphone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.

Well I would assume by keychain, they meant passwords stored in the system itself. Anyone writing an application could have their own method of encrypting data and possibly storing passwords. OS X does come with a system wide keychain, but it's an opt-in feature.

Hardly analogous to the issues Windows faced, which was largely due to being able to access the system remotely. If I was going to be a jerk and wanted to do this, the impact would be extremely minimal as I would have to gain access to someone's phone.
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.
post #54 of 66
Quote:
Originally Posted by mstone View Post

I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user.

You can reset the login password but you cannot reset the keychain password on a Mac.
post #55 of 66
Quote:
Originally Posted by Gustav View Post

On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.

And what stops Apple from linking the password to the iPhone's keychain to the unlock-code for those users that have set an unlock-code in exactly the same way as it does it on Macs?
post #56 of 66
Quote:
Originally Posted by mstone View Post

I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.

On the Mac, you can set a password to prevent the use of that Snow Leopard disk...

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

post #57 of 66
Quote:
Originally Posted by mstone View Post

No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.

Except that you can do this on any iPhone. Simply go into settings and change the iTunes login info on that account to yours, download again from the app store, and voila. Jailbreaking doesn't enable this. Sure you can't do it an unlimited number of times but if you trust enough people, and use gift cards in iTunes you can share many apps that way.
post #58 of 66
Quote:
Originally Posted by chronster View Post

Ultimately the issue will lie with AT&T activating stolen phones. With Verizon, the phone's ESN has to match what's in the servers. With AT&T, you pop in a new sim, and AT&T lets you activate it (while charging the victim full price for a replacement.)

With this news out, I'd hold my iphone a little tighter if I were y'all..

This is about stealing your passwords and other data. It has nothing to do with activating the stolen phone on a carrier.
post #59 of 66
If you look here under Keychain Item Accessibility Constants, you can specify different levels of security for keychain items. So were the contents these guys retrieved everything? Does the keychain use different keys for different accessibility levels, or did they just use items stored with the kAttrAlways attribute?

Even if Apple does store items with the attribute kSecAttrAccessibleWhenUnlocked encrypted to the passcode the default passcode only gives 1000 different keys. Pretty easy to brute force. Ideally the keychain would have a watchdog app to check for jailbreaking and wipe the keychain and also wipe after unlocking fails 3 times.
post #60 of 66
Quote:
Originally Posted by anonymouse View Post

And what happens in your idealized world when someone has a passcode on their phone, and then they remove it? I know you think security is trivial to implement, but I don't think you've thought through even a tiny percentage of the possible scenarios where issues with your "solution" can arise and have to be dealt with.

And, again, as has been pointed out, if you don't physically secure the device, it's not going to be secure.

Why discuss something you don't understand?

If the user sets a passcode, you use that passcode to encrypt/decrypt. If they don't, you don't encrypt. When they remove the passcode, anything that was encrypted with it gets unencrypted. This is not rocket science or something new; this has been done on various devices for more than two decades. This path has been well blazed and the industry has accumulated some pretty good collective knowledge over the years on different scenarios, benefits and shortcomings, loopholes, etc.
post #61 of 66
Quote:
Originally Posted by gnuloki View Post

If you look here under Keychain Item Accessibility Constants, you can specify different levels of security for keychain items. So were the contents these guys retrieved everything? Does the keychain use different keys for different accessibility levels, or did they just use items stored with the kAttrAlways attribute?

Even if Apple does store items with the attribute kSecAttrAccessibleWhenUnlocked encrypted to the passcode the default passcode only gives 1000 different keys. Pretty easy to brute force. Ideally the keychain would have a watchdog app to check for jailbreaking and wipe the keychain and also wipe after unlocking fails 3 times.

1) Read their paper on what they accessed and why. This was just an example of what they could get.
2) The iPhone now supports stronger lock passwords if you want
3) You can set it to wipe the entire phone on 10 failed attempts

You can't check for jailbreaking if you don't know what the next jailbreak method is going to be. There are also other security flaws that do not involve jailbreaking. The jailbreak was probably used because there are simple and quick-to-use tools already developed for it, but the Dev-Team's jailbreak(s) are by no means necessary to gain root access to an iPhone.
post #62 of 66
Quote:
Originally Posted by Robin Huber View Post

If you have MobileMe account, all the more reason to use Find My Phone feature to erase it remotely as soon as you realize it's lost or stolen. You can always restore it if you get it back.

Not much chance that a randomly lost phone would find its way into the hands of someone with jailbreaking "tools" in hand within 6 minutes of loss. The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.

If I have my laptop with me when I find your phone, I have the jailbreak tools in hand. If not, all I need to do is shut off your phone or pull out the SIM. After I have your data, I pop the SIM back in and MobileMe will give you a reassuring message that your phone was successfully wiped.

The good news is most people who steal your phone or find a lost one will not care about your data. The problem lies with someone who is intentionally after it. A coworker, a disgruntled spouse, etc. They could grab the phone, steal data and passwords and get it back to you before you notice. If they are smart and leave Cydia off it, they could leave it jailbroken and most people would have no idea. Future data pulls would only take seconds, and could be done over the air with SSH.
post #63 of 66
Quote:
Originally Posted by digitalclips View Post

Far too many words

Secure different.
post #64 of 66
Quote:
Originally Posted by noirdesir View Post

And what stops Apple from linking the password to the iPhone's keychain to the unlock-code for those users that have set an unlock-code in exactly the same way as it does it on Macs?

And how are you supposed to get your emails, push notifications, and VOIP calls when your iPhone is locked?! Your iPhone will not be able to get access to those passwords and certificates when it is locked because your keychain is encrypted and won't decrypt without inputting the passcode manually.
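Post #51 (the key has to be on the device because mail checks without asking), #59 (accessibility classes and the small four-digit keyspace), #60 (re-wrap when the passcode is set, changed or removed), #61 (the wipe-after-N-failures rule is OS policy) and this post's question about mail and push while locked all describe one design: items are wrapped under different keys depending on their protection class, and only some of those keys survive a lock or a reboot. The model below is an added example written for this page; it is not Apple's implementation and not the researchers' code. It assumes shortened class names standing in for the kSecAttrAccessible* constants post #59 cites, a constructed device key, a deliberately tiny PBKDF2 iteration count so the brute force finishes in seconds, and an HMAC-SHA256 counter-mode stand-in for AES because the Python standard library has no AES.

```python
"""Toy model of a passcode-bound keychain (constructed for this thread)."""
import hashlib
import hmac
import secrets

# Protection classes, modelled on the accessibility constants post #59 cites
# (kSecAttrAccessibleAlways / ...AfterFirstUnlock / ...WhenUnlocked).
ALWAYS, AFTER_FIRST_UNLOCK, WHEN_UNLOCKED = "always", "after_first_unlock", "when_unlocked"
PASSCODE_CLASSES = (AFTER_FIRST_UNLOCK, WHEN_UNLOCKED)

DEVICE_KEY = secrets.token_bytes(32)  # constructed stand-in for the per-device key; root can read it
PBKDF2_ITERS = 100                    # assumption: deliberately tiny so the brute force below is quick


def passcode_key(passcode, salt):
    """Key for the passcode-protected classes. Mixing in DEVICE_KEY means guessing
    passcodes needs the device (or its key), not just a copy of the flash."""
    k = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERS)
    return hmac.new(DEVICE_KEY, k, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def wrap(key, secret):
    """Encrypt-then-MAC with HMAC-SHA256 as the PRF: an AES stand-in, not for reuse."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key, blob):
    """Returns the secret, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Keychain:
    def __init__(self, passcode=None):
        self.salt = secrets.token_bytes(16)
        self.flash = {}   # name -> (class, blob): what a jailbreak reads off the device
        self.ram = {}     # class -> key: lost on reboot, trimmed on lock
        self.passcode = passcode
        self.unlock(passcode)

    def _class_key(self, passcode):
        # No passcode (post #60's rule): nothing to derive from, so the
        # passcode classes collapse to the device key.
        return DEVICE_KEY if passcode is None else passcode_key(passcode, self.salt)

    def unlock(self, passcode):
        if passcode != self.passcode:
            return False
        key = self._class_key(passcode)
        self.ram = {ALWAYS: DEVICE_KEY, AFTER_FIRST_UNLOCK: key, WHEN_UNLOCKED: key}
        return True

    def lock(self):
        self.ram.pop(WHEN_UNLOCKED, None)   # the mail/push key stays cached

    def reboot(self):
        self.ram = {ALWAYS: DEVICE_KEY}      # passcode-derived keys are gone until unlock

    def store(self, name, cls, secret):
        key = self.ram.get(cls)
        if key is None:
            raise PermissionError(f"{cls} key not available while locked")
        self.flash[name] = (cls, wrap(key, secret))

    def read(self, name):
        cls, blob = self.flash[name]
        key = self.ram.get(cls)
        return None if key is None else unwrap(key, blob)

    def change_passcode(self, old, new):
        """Re-wrap every item under the new passcode's key; new=None removes the passcode."""
        if not self.unlock(old):
            return False
        plain = {n: (c, self.read(n)) for n, (c, _) in self.flash.items()}
        self.passcode = new
        self.unlock(new)
        for n, (c, secret) in plain.items():
            self.store(n, c, secret)
        return True


def jailbreak_dump(kc):
    """Root on the device: flash plus DEVICE_KEY, but no passcode and no RAM."""
    return {name: unwrap(DEVICE_KEY, blob) for name, (cls, blob) in kc.flash.items()}


def brute_force_pin(kc, digits=4):
    """Offline guessing of a numeric passcode against one passcode-class blob."""
    target = next(blob for cls, blob in kc.flash.values() if cls in PASSCODE_CLASSES)
    for attempt in range(10 ** digits):
        pin = str(attempt).zfill(digits)
        if unwrap(passcode_key(pin, kc.salt), target) is not None:
            return pin, attempt + 1
    return None, 10 ** digits


if __name__ == "__main__":
    kc = Keychain("2580")
    kc.store("wifi", ALWAYS, b"cafe-psk")
    kc.store("imap", AFTER_FIRST_UNLOCK, b"mail-password")
    kc.store("bank", WHEN_UNLOCKED, b"bank-password")
    kc.lock()
    print("locked: imap ->", kc.read("imap"), "| bank ->", kc.read("bank"))
    kc.reboot()
    print("root after reboot sees:", jailbreak_dump(kc))
    print("4-digit brute force:", brute_force_pin(kc))
```

Running it shows both sides of the argument in this thread: with the screen locked, the after-first-unlock item (mail) still reads because its key is cached in RAM, while the when-unlocked item does not; after a reboot, root recovers only the always-class item from flash. The passcode classes hold against root only until the passcode is guessed, and with the device key in hand that is at most 10^4 derivations for four digits, so the wipe-after-N-failures mitigation gnuloki asks for only helps against guesses typed at the lock screen, not against root running the derivation offline; what raises the cost there is a slow, device-bound derivation and a longer passcode, which is the point behind post #61's item 2. Removing the passcode (change_passcode with new=None) re-wraps everything under the device key, at which point the root dump returns every item, as post #60 describes.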
post #65 of 66
Quote:
Originally Posted by lundy View Post

Because the key has to be on the phone, otherwise the owner couldn't read the file.

I was assuming the key would be a hash of the users password, the very one they never enter in the video. Not the case I guess.
post #66 of 66
Quote:
Originally Posted by jmmx View Post

This is why - for my most sensitive sites such as banks - I never store passwords. It is fine for scale sites - but never for anything financial or for email.

Meh - I use 1Password and consider it more than adequate. More importantly it enables me to have a different password for each site I am on, financial or otherwise. And it also allows me to have them be nice and long. Those are the most important things.