Researchers demo ability to steal passwords by jailbreaking Apple's iPhone

Posted in iPhone, edited January 2014
Researchers from Germany have demonstrated a way to quickly retrieve passwords from the stored keychain of a locked iPhone or iPad by obtaining the device and jailbreaking it.



The Fraunhofer Institute Secure Information Technology team have demonstrated their exploit online, proclaiming that an "attacker can retrieve passwords in 6 minutes." The hack requires the person to have access to the physical phone, and relies on "jailbreaking" the device, a term used to refer to hacking Apple's iOS mobile operating system to allow users to run unauthorized code.



In a video detailing the exploit, Fraunhofer shows a password-locked iPhone tethered to a computer via USB and then jailbroken. The attacker then accesses the filesystem of the handset and copies a keychain access script to the device.



From there, the script can be executed, and passwords stored on the iPhone can be extracted. All of this can reportedly be accomplished without even unlocking the password-protected phone, with all of the data transferred via USB to a connected PC.



The research firm claims that the "flawed security design affects all iPhone and iPad devices containing the latest firmware."







Apple has discouraged jailbreaking of iOS devices, including the iPhone, iPad and iPod touch, noting that the practice can result in significant security risks. In 2009, a worm targeting jailbroken iPhones affected some users who had not changed their default SSH password; SSH is the service that allows file transfers between phones.



Jailbreaking can be used to steal software from the App Store, while it can also be employed to run unauthorized third-party applications or operating system customization and modifications not allowed by Apple. A significant community dedicated to jailbreaking has emerged since the iPhone was first released in 2007, and it has gone back and forth with Apple as the Cupertino, Calif., company works to patch exploits and jailbreakers look to discover them.



Last November, Apple enhanced the security of iOS devices by making the Find My iPhone service free. Previously, the functionality was only available to users who subscribed to Apple's $99-per-year MobileMe service.



Using Find My iPhone, a user can remotely track a missing iPhone, iPad or iPod touch, provided the device has a data connection available. The owner of the device can also remotely disable or wipe all data from the missing hardware.

Comments

  • Reply 1 of 65
    Quote:
    Originally Posted by AppleInsider View Post


    Researchers from Germany have demonstrated a way to quickly retrieve passwords from the stored keychain of a locked iPhone or iPad by obtaining the device and jailbreaking it. ...



    Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...
  • Reply 2 of 65
    And did you know that by actually having my phone they would deprive me of its use?
  • Reply 3 of 65
    Quote:
    Originally Posted by anonymouse View Post


    Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...



    So you're saying this was designed this way? What if someone's iphone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?



    I bet you would find this is possible with most phones, but because of the iphone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.
  • Reply 4 of 65
    You give any security expert physical access to any computerized device and they can get any data out of it that they want.
  • Reply 5 of 65
    Because you actually install an .ipsw file (or something like that) that is like a whole disk partition and you lose any content (programs and data) on your iPhone. That's what I learnt some time ago, but maybe that is not true anymore or I just didn't get it right in the first place.

    Could anybody confirm this? I'll certainly appreciate more insight on this topic.
  • Reply 6 of 65
    paxman (Posts: 4,729, member)
    Quote:
    Originally Posted by chronster View Post


    So you're saying this was designed this way? What if someone's iphone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?



    If the naked photos are of you then you probably should be alarmed. If you have naked photos of kids you should be in jail. If they are of miscellaneous men or women, it's hardly a big deal. Business secrets ought to be secured beyond locking your iPhone.



    Address books and emails might be sensitive. Can they be accessed through this method?



    My concern would be if 1Password could be compromised.
  • Reply 7 of 65
    ascii (Posts: 5,936, member)
    I thought the keychain was an encrypted file, so not sure how they're doing this.
  • Reply 8 of 65
    Quote:
    Originally Posted by chronster View Post


    So you're saying this was designed this way? What if someone's iphone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?



    Well, one could argue Apple has been incredibly lackadaisical with regard to iPhone security design. There is a file system on the phone and way too much data is stored in clear text. Pretty much the only protection Apple has built in is the lack of a filesystem browser or a command shell to give access to the files.



    So, YES, people should be concerned that the password on the phone is nothing more than a minor speed bump. No one should trust their iPhone with business secrets and naked photos they don't want others to see, unless they keep the phone itself secure.
  • Reply 9 of 65
    malax (Posts: 1,598, member)
    Quote:
    Originally Posted by stevetim View Post


    You give any security expert physical access to any computerized device and they can get any data out of it that they want.



    In 6 minutes? I don't think so.



    For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.



    Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.
  • Reply 10 of 65
    In 6 minutes without unlocking the phone? F'me.
  • Reply 11 of 65
    paxman (Posts: 4,729, member)
    Quote:
    Originally Posted by malax View Post


    In 6 minutes? I don't think so.



    For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.



    Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.



    Here's some more information



    http://www.sit.fraunhofer.de/en/Imag...m502-80443.pdf
  • Reply 12 of 65
    Quote:
    Originally Posted by Ungenio View Post


    Because you actually install an .ipsw file (or something like that) that is like a whole disk partition and you lose any content (programs and data) on your iPhone. That's what I learnt some time ago, but maybe that is not true anymore or I just didn't get it right in the first place.

    Could anybody confirm this? I'll certainly appreciate more insight on this topic.



    Jailbreaking modifies ("patches") the OS to allow other programs to be installed. It does not have to wipe out your data. Usually people do the jailbreak right after a software upgrade, and in that case it is generally recommended to do a clean OS install (rather than update) and then JB and restore personal data and apps, but that order is not mandatory for the process to work.
  • Reply 13 of 65
    lundy (Posts: 4,466, member)
    Quote:
    Originally Posted by ascii View Post


    I thought the keychain was an encrypted file, so not sure how they're doing this.



    Because the key has to be on the phone, otherwise the owner couldn't read the file.
  • Reply 14 of 65
    Quote:
    Originally Posted by chronster View Post


    So you're saying this was designed this way? What if someone's iphone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?



    I bet you would find this is possible with most phones, but because of the iphone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.



    It's possible with any phone, tablet, laptop, desktop, server or mainframe. On some systems it's even possible to retrieve passwords that ought not be retrievable in unencrypted format (for example, it used to, and may still, be possible to retrieve all user system login passwords on IBM AS/400-iSeries systems by running a widely and readily available utility with "root" (QSECOFR) authority).



    The whole point of Keychain is to allow the user to store passwords that can later be retrieved in unencrypted form and used as needed. Since they need to be used unencrypted, they must be unencryptable with sufficient authority. So, as long as you have sufficient (e.g., root) authority and access to the file, they will be unencryptable. If it didn't work this way, there would be no point to Keychain.
  • Reply 15 of 65
    Quote:
    Originally Posted by malax View Post


    In 6 minutes? I don't think so.



    For example, on my Mac if I use encrypted disk image to store sensitive files, or I do whole-disk encryption, I would expect it would take significant time and resources to access my protected files--even if you had physical access.



    Apparently the same is not true for stored passwords on an iPhone. That's a serious problem.



    Think of the iPhone as a Mac without disk encryption. If you had a password on the Mac with no encryption, someone with a boot disk could have your data in less than 6 minutes. Same with a Windows PC, LINUX PC etc. The iPhone is not much harder.
  • Reply 16 of 65
    mstone (Posts: 11,510, member)
    Quote:
    Originally Posted by anonymouse View Post


    Meanwhile, researchers from everywhere have demonstrated that it's possible to retrieve passwords that are intended to be retrievable in unencrypted form from any system that you have physical and root access to. ...



    I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.
  • Reply 17 of 65
    Quote:
    Originally Posted by anonymouse View Post


    The whole point of Keychain is to allow the user to store passwords that can later be retrieved in unencrypted form and used as needed. Since they need to be used unencrypted, they must be unencryptable with sufficient authority. So, as long as you have sufficient (e.g., root) authority and access to the file, they will be unencryptable. If it didn't work this way, there would be no point to Keychain.



    That is just plain stupid. The root account does not need access to the unencrypted file, and for that matter nor does the user. The file can be stored encrypted and the data can be unencrypted by the user account WHEN THE USER PROVIDES THE KEY. Relying on the user password and or filesystem permissions to protect unencrypted passwords was considered a major security flaw in 1990; anyone who thinks that is OK in 2010-2011 is beyond incompetent.
  • Reply 18 of 65
    Quote:
    Originally Posted by paxman View Post


    If the naked photos are of you then you probably should be alarmed.



    If they see naked photos of me, they will have clawed their own eyes out, thus achieving karmic payback!!
  • Reply 19 of 65
    The line that jailbroken phones can be used to "steal software" is just plain wrong. If I shop at Joe's Drugs instead of Walmart, I'm not "stealing" anything. Even in the linked article, the author points out you can only buy software from third-party vendors that APPLE REFUSES TO SELL. You're not even "stealing business" in the metaphorical sense, if the owner won't stock the item. Very poor, sensationalist wording.
  • Reply 20 of 65
    Quote:
    Originally Posted by lundy View Post


    Because the key has to be on the phone, otherwise the owner couldn't read the file.



    From the report, the section I bolded points out Apple's complete incompetence in this matter:





    When an iOS device with hardware encryption capabilities is lost or stolen, many users believe that there is no way for a new owner to access the stored data, at least if a strong passcode is in place. This estimation is comprehensible, since in theory the cryptographic strength of the AES256 algorithm used for iOS device encryption should prevent even well equipped attackers. However, it was already shown that it is possible to access great portions of the stored data without knowing the passcode. Tools are available for this task that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current iOS devices the required cryptographic key does not depend on the user's secret passcode. Instead the required key material is completely created from data available within the device and therefore is also in the possession of a possible attacker.

    Less considered is the aspect that, as an extension to the ability to decrypt the file system, an attacker may aim at gaining access to stored secrets kept in the keychain. Therefore, the impact of extending the known iOS weaknesses by targeting the keychain security should be shown in this paper.
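Reply 17 above argues that a keychain should stay encrypted until the user supplies the key, and the Fraunhofer excerpt quoted in reply 20 explains why the criticised design fails that test: the key material is derived entirely from data that is already on the device. The Python below is an added illustration of that design difference; it is not code from the article, from any commenter, or from Fraunhofer SIT. The device UID, the passcode, the stored secret and the HMAC-based keystream cipher that stands in for AES are all assumptions constructed for the example.

```python
"""Added example: a keychain key derived from device data alone versus one
tangled with the user's passcode. Anyone who can run code on the device can
reproduce the first key, so items sealed under it are recoverable without the
passcode; items sealed under the second are not.

A real implementation would use AES-GCM (the report mentions AES256); to keep
this dependency-free, an HMAC-SHA256 keystream in counter mode plus an HMAC
tag (encrypt-then-MAC) is used instead. All values below are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed device identifier standing in for a per-device hardware secret.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ITERATIONS = 200_000  # assumption: slow enough to limit online guessing


def device_only_key(device_uid: bytes) -> bytes:
    """The criticised design: key material comes only from data on the device,
    so whoever holds the device can derive exactly the same key."""
    return hmac.new(device_uid, b"keychain-class-key", hashlib.sha256).digest()


def passcode_tangled_key(device_uid: bytes, passcode: str, salt: bytes) -> bytes:
    """The design reply 17 asks for: the key needs the user's secret. Mixing in
    the device UID ties the slow derivation to this device."""
    return hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), device_uid + salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def store_items(passcode: str, secret: bytes) -> Tuple[bytes, bytes, bytes]:
    """Seal the same secret under both designs; returns (salt, weak, strong)."""
    salt = os.urandom(16)
    weak = seal(device_only_key(DEVICE_UID), secret)
    strong = seal(passcode_tangled_key(DEVICE_UID, passcode, salt), secret)
    return salt, weak, strong


def recover_without_passcode(salt: bytes, weak: bytes, strong: bytes):
    """What someone holding the locked device (all device data, no passcode)
    gets back under each design: the first item opens, the second does not."""
    return (open_sealed(device_only_key(DEVICE_UID), weak),
            open_sealed(passcode_tangled_key(DEVICE_UID, "", salt), strong))


if __name__ == "__main__":
    s, w, st = store_items("2580", b"mail password: example-only")
    print(recover_without_passcode(s, w, st))
```

The second design only moves the problem to the passcode: a four-digit code has ten thousand possibilities, so the derivation has to be slow and the device has to limit or escalate the cost of wrong guesses, which is why the example keys the PBKDF2 salt to the device rather than letting the derivation be computed anywhere.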