The exploit obviously requires a fair amount of technical knowledge, and thus shouldn't be an issue for the vast majority of users whose devices become lost or stolen.


I'm sorry, but this comment is completely ignorant.

The process demonstrated in the video can be automated very easily, and it is only a matter of time until someone can be bothered to write a simple toolkit to steal passwords off an iPhone, just like you have easy-to-use WiFi password scanners and Trojan toolkits.

The report also says that the passwords within the new iOS 4 password storage were not retrievable. It's up to the app developer to use it. Apparently not even Apple thought it would be necessary to store important passwords there. What ignorance. While the password for regular POP3 accounts IS stored safely, the Exchange passwords are not. This lack of rational thought and wrong prioritization in terms of security and vulnerability is typical for Apple, at least has been for the last years. I bet they will completely ignore this story too.

It's time they really step up their game.

Independent research shows that OS X has a bad security model and Apple's policy of handling security flaws is unprofessional. They have been lucky simply because hackers deem the Mac too uninteresting. Unfortunately, this kind of sloppiness can be found in their iOS department too.

They can't rely on being a small target forever, especially in the smartphone market. It's obvious that smartphones will be the "next big thing" for hackers. Apple better strengthen their security and rethink their priorities before the onslaught of attacks will start.
Otherwise they'll end up as the Microsoft of smartphone OSes. MS had a hard lesson to learn and they made the exact same mistakes Apple is making now by relying on security-by-obscurity and the assumption that only a few professionals can exploit holes.

Their walled garden approach will make it harder for attackers, but by far not impossible. iPhones can be jailbroken simply by surfing to a website, and similar exploits can be used to do pretty much anything on your phone. It would be foolish to think that apps are the greatest danger when browser exploits are everywhere on the Windows platform.

So Apple, do your effing job and invest some of your cash pile to shift your priorities, create a decent security model and improve your reaction times.
 
No, this is NOT a non-jail broken phone vulnerability. Seeing as it requires SSH which is not there without a jailbreak.

Keep your FUD to yourself.

Considering the jailbreak is the first part of the technique, and nothing else is possible without said jailbreak, it is 100% a jail broken phone exploit.

Suggesting anything else is just semantics really.

Yes, and the thief can easily jailbreak a non-jailbroken phone. Like I said, when I did mine the other day, there was absolutely zero information lost. It was just basically a reboot, and then I magically gained root access. So this is 100% a jailbroken phone and non-jailbroken phone exploit.
 
And the best way to rob a bank is to steal the whole building. Yes, it's possible. No, it's not easy. But you won't show up on the security cameras.
 
No, this is NOT a non-jail broken phone vulnerability. Seeing as it requires SSH which is not there without a jailbreak.

Keep your FUD to yourself.

Considering the jailbreak is the first part of the technique, and nothing else is possible without said jailbreak, it is 100% a jail broken phone exploit.

Suggesting anything else is just semantics really.

*sigh*

No, you're arguing semantics. Yes, it requires that the thief jailbreak the phone, but it still means that someone can steal a non-jailbroken phone and then jailbreak and steal the data.

Jailbreaking does not increase your risk, to say otherwise is FUD to scare people from jailbreaking.
 
The point is, when it comes to hacking there's ALWAYS a way in with physical control. The best Apple could do to prevent this is use an encrypted bootloader.


If you store your passwords safely, there is NOT always a way in. Try reading data from a TrueCrypt encrypted hard drive. You can't. It's impossible. Strong encryption is unbreakable with current technology.
You would need to retrieve the password by social engineering, which is completely out of Apple's control.
But they should at least provide basic security for everything that IS in their control.
 
Yes, and the thief can easily jailbreak a non-jailbroken phone. Like I said, when I did mine the other day, there was absolutely zero information lost. It was just basically a reboot, and then I magically gained root access. So this is 100% a jailbroken phone and non-jailbroken phone exploit.

You can only do that with some outdated firmwares...
 
At last count, all of the jailbreaks require either a) restoring the device from a custom IPSW, which will wipe the contents of the phone or b) for the JailbreakMe.com one, having an unlocked phone to use to visit the website.
You can only do that with some outdated firmwares...
I'm not quite following. I have an iPhone 3GS running 4.2.1 that was jailbroken using redsn0w. This process didn't require any custom IPSW or wipe. All information was preserved.
 
And we'd like to take this opportunity to thank MacRumors for broadcasting this information to an even larger audience of morons who will take advantage of this opportunity.

No really, thanks very much!

This way Apple is forced to react.
The problem exists nevertheless, and rest assured, your local hacker will know about it, no matter if MacRumors reports it or not.
 
Whiner.

Independent research shows that OS X has a bad security model and Apple's policy of handling security flaws is unprofessional. They have been lucky simply because hackers deem the Mac too uninteresting.

And I'm sure you're going to whine about the App Store being a 'walled garden' and how it is an attack on the freedom of the people.

Their walled garden approach will make it harder for attackers, but by far not impossible. iPhones can be jailbroken simply by surfing to a website, and similar exploits can be used to do pretty much anything on your phone.

What do you know? I was right.

You have a bad personal security model if you let someone take control of your iPhone for 5 or 10 minutes so they can run off and jailbreak it. I don't need "independent researchers" to tell me that.

It's only a matter of time before Apple shuts down jailbreaking once and for all. Good riddance. If you want to mess up your OS, get a droid. You'll love the Android Market Weedpatch too. Lots of malware to complain about over there. Or so I hear.

Oh, and it's easy to un-jailbreak your iPhone. Trust me. I've done it.
 
*sigh*

No, you're arguing semantics. Yes, it requires that the thief jailbreak the phone, but it still means that someone can steal a non-jailbroken phone and then jailbreak and steal the data.

Jailbreaking does not increase your risk, to say otherwise is FUD to scare people from jailbreaking.

Exactly. People don't seem to realize that this has nothing to do with "Jailbroken" or "Non-Jailbroken" phones. Either way the thieves are getting in. Period. You can pat yourself on the back once your phone is stolen and say to yourself "Well, at least my phone wasn't jailbroken before it was stolen . . ." It doesn't matter - they're getting in anyway.

Actually, you are better off jailbreaking your phone and changing the root password to something other than "alpine." This way, the default password has ALREADY been changed by you. And, I believe (someone please correct me if I am wrong here) but once your phone has been jailbroken, you cannot jailbreak it again without doing a hard restore of the phone and its contents, which defeats the thief's purpose at this point.
 
I thought you'd like to know, remote wipe works over wifi too - even with the sim removed. Also, in case you've been too busy belittling other people for the past week, there is a new iPhone out now that doesn't have a sim chip.

Right yes, because if I steal a phone the first thing I'm going to do is connect it to the internet, right?

And yes, you're right, the Verizon iPhone is more secure than the GSM iPhone precisely for this reason. But that said, this exploit hits the majority of iPhones out there; the CDMA version has only *just* gone on general sale.
 
"German researchers have demonstrated how a knowledgeable thief could bypass the iPhone's passcode locking to upload a script capable of revealing entries from the device's password keychain system, potentially giving the hacker access to sensitive passwords stored on the device."

Actually what they did was show the non-knowledgeable thieves how to do it... idiots!!

Exactly. People don't seem to realize that this has nothing to do with "Jailbroken" or "Non-Jailbroken" phones. Either way the thieves are getting in. Period. You can pat yourself on the back once your phone is stolen and say to yourself "Well, at least my phone wasn't jailbroken before it was stolen . . ." It doesn't matter - they're getting in anyway.

Actually, you are better off jailbreaking your phone and changing the root password to something other than "alpine." This way, the default password has ALREADY been changed by you. And, I believe (someone please correct me if I am wrong here) but once your phone has been jailbroken, you cannot jailbreak it again without doing a hard restore of the phone and its contents, which defeats the thief's purpose at this point.

What if the thief's purpose is to steal an iPhone and not your password? 'Cause as far as I know, that's usually why people steal phones, 'cause they want the actual phone.
 
This way Apple is forced to react.
The problem exists nevertheless, and rest assured, your local hacker will know about it, no matter if MacRumors reports it or not.

Do we really feel threatened right now? I mean really. If someone wants my info that bad they'll get it without hacking my iPhone. I'm more concerned about my bank's online system being compromised... and that I don't worry about.

You are right though... Apple will see this and need to respond. A good thing before something more evil can get out of control.
 
What did you expect???

While this is true, it is to be expected.
There's no such thing as 100% secure.

Currently, the only way someone can access your data in your iPhone is by physically having your phone.
Someone could steal your identity just by simply stealing your wallet; you can't password protect it, or put a lock into it.
Even if you keep your private information inside a safe box, someone could steal it and finally break into it.

The only way to prevent losing the data in your phone is by always keeping your phone with you.

There will always be a way to break into anything. How do you think Forensic Investigators working for the Police gather their evidence from a suspect?

So this news is nothing to worry about. The same could be said about any phone or device out there.
 
"German researchers have demonstrated how a knowledgeable thief could bypass the iPhone's passcode locking to upload a script capable of revealing entries from the device's password keychain system, potentially giving the hacker access to sensitive passwords stored on the device."

Actually what they did was show the non-knowledgeable thieves how to do it... idiots!!

Real Thieves already know it. Rookies will learn it anyways but will also get caught in the act.

Don't they know that an iTunes related folder contains all the encryption keys to access your iPhone data from the iTunes backup instead of accessing it directly from the phone?

Nope. Just did it on 4.2.1 with Greenpois0n. Jailbroke, all data still there from before the jailbreak.

Hello 4.3, and hello Jailbreak 4.3.

The only way to prevent the iPhone from being Jailbroken is to remove all forms of connectivity to it; no USB, no iPod connector, nothing (how to sync it, then?).
And still then someone will find a way to hack it.
 
This is like saying "We've come up with a way to open passcode secured metal briefcases....first get a blowtorch..." :rolleyes:
 
If you store your passwords safely, there is NOT always a way in. Try reading data from a TrueCrypt encrypted hard drive. You can't. It's impossible. Strong encryption is unbreakable with current technology.
You would need to retrieve the password by social engineering, which is completely out of Apple's control.
But they should at least provide basic security for everything that IS in their control.

If you can gain access to your saved TrueCrypt data, then anyone could potentially access it too, depending on how badly they want it.
True or False?
 
There will always be a way to break into anything. How do you think Forensic Investigators working for the Police gather their evidence from a suspect?


You would be surprised how little even the best forensic experts can do if someone uses strong encryption. People have already been sent to prison for not giving out passwords. But who knows, they might have gotten a much better deal this way.

The issue is: Apple could have used a better security model, but didn't. As a result it's now not very hard to retrieve extremely sensitive data by stealing your phone. Apple could have made it virtually IMPOSSIBLE to retrieve any of that data, but they chose not to. They were simply lazy, and there's no excuse for that. So now an iPhone thief can not only sell the phone at a profit, but also the data on it.
 
Another reason for me to remote-wipe my iPhone if it vanishes! And then when I find it, I just restore from the latest backup.

Still, you can’t get that info from a Mac’s keychain without the master password, so I’d hope the same could be true of an iPhone—at least, if you set an unlock passcode. They could use your 4 digit code as (part of) the keychain encryption.

Except brute-forcing a 4 digit key would be faster than this exploit. But yes, password lock on the keychain should be here but it isn't. Apple tried to make it user friendly here and basically left the keys in the door for them.
 
If you can gain access to your saved TrueCrypt data, then anyone could potentially access it too, depending on how badly they want it.
True or False?

What kind of statement do you expect? If you threaten to kill me, I will give you my password. But for that to happen you need to get hold of ME. If you just steal my hard drive, the answer is ->false<-.

Guess which scenario is more likely?
 
You would be surprised how little even the best forensic experts can do if someone uses strong encryption. People have already been sent to prison for not giving out passwords. But who knows, they might have gotten a much better deal this way.

The issue is: Apple could have used a better security model, but didn't. As a result it's now not very hard to retrieve extremely sensitive data by stealing your phone. Apple could have made it virtually IMPOSSIBLE to retrieve any of that data, but they chose not to. They were simply lazy, and there's no excuse for that. So now an iPhone thief can not only sell the phone at a profit, but also the data on it.

Even if Apple did use a stronger security model, your device has to communicate with iTunes to Sync, right? Anyone with the right knowledge and equipment could capture that communication and then create a program that emulates iTunes, and finally retrieve your data. Actually, I believe that's how it's currently being done.
Use of encryption is regulated by the government. Certain devices using high encryption cannot be taken out of the country without written consent from the Department of Defense.
That's what happened years ago with Internet Explorer and Windows 2000 Server just to name a few. There was a 128-bit encryption version only available and for use within the U.S. only. Eventually that ban was removed as better encryption appeared.
 