Really... because my Verizon phone has 4.2.6 and I used the greenpois0n jailbreak with absolutely no loss of information. I think you're just uninformed.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Researchers Demonstrate Vulnerability Allowing Theft of iPhone Passwords
- Thread starter MacRumors
- Start date
- Sort by reaction score
Really... because my Verizon phone has 4.2.6 and I used the greenpois0n jailbreak with absolutely no loss of information. I think you're just uninformed.
Any idea how fast and easy it is to jailbreak your phone? The jailbreak part is a non-issue.
The problem here is not what may happen to the average consumer. But possibly prominent businessmen who expect security. If I was into corporate spying I could steal this iPhone and have access to all the secure info on there. Email accounts almost always have mail in there containing other passwords in their contents. I'd they were using VPN also I'd have the information needed to remotely access their internal network. This is a recipe for a corporate nightmare. The info they are obtaining is supposed to be encrypted, which means if thy had physical access, they STILL should not have access to this data short of having the unlock key. That's what we use encryption to protect against.
pretty much if you can touch it, you can own it, no matter what it is. given time, and effort, anything can be cracked.
This is completely true. However, with the strong encryption apple is using here you would normally need an extremely long amount of time to break it, assuming you didn't have the key. We are talking about lifetimes here. This bypasses that and let's the phone unlock it for you with it's saved key.
I'm just amazed that such a trivial issue generates so much talk--well on second thought no, I'm not surprised. 
I'm not worried about anyone getting past my screen lock--I don't lock my phone.
I'm not worried about anyone getting past my screen lock--I don't lock my phone.Haha, um, did you even watch the video or read the article? That is exactly what is going on here...
Here's an interesting post on the subject of cracking a TrueCrypt password. And it not only deals with the time, but also, as importantly and often forgotten, the energy required to do it.
Safer to jailbreak yourself then
Good! I was thinking exactly the same . Probably Apple should leave you the ability to personalize the root password
Good! I was thinking exactly the same . Probably Apple should leave you the ability to personalize the root password
Simple; If my iPhone is lost, to the point It wasn't just left somewhere I could locate and retrieve it later and & assuming someone else may come upon it with the smarts to jailbreak etc.
Remote wipe using my MobileMe account.
1. Remove back.
2. Disconnect antennas.
30 seconds of work? Just 2 screws.
I know that remote wipe will work fine for lost phones and simple theft, but enterprise users should be very cautious at this point.
To all the naysayers, this actually is a big deal.
1) You all think you can just go to mobile me and wipe the phone. But if the thief is of the type that's going to steal your passwords, he'll just take out the sim, turn off the phone, etc. right after he steals it and you won't be able to wipe. The next time he turns the phone on, it will be directly into DFU mode to do his jailbreak so you won't ever have a chance to wipe it.
2) You probably don't just have pictures of your kids in your email. The truth is, the vast majority of iphone users check their primary email on their iPhone and this is tied to any number of accounts online. So the thief would just go to google, reset your gmail password (since he has access to the account), and then from there proceed to reset your passwords at Bank of America, etc.
3) The real issue stems from the fact that a standard non-jailbroken iPhone has root access all with the same default password "alpine", and on non-jailbreak you can't change it. All apple needs to do is let people change their root access password (like you can do when you do indeed jailbreak your phone), and this current "hack" won't work as the thief would be forced to wipe the phone to get past the root/pass and thus defeat his access to your email accounts, etc.
1) You all think you can just go to mobile me and wipe the phone. But if the thief is of the type that's going to steal your passwords, he'll just take out the sim, turn off the phone, etc. right after he steals it and you won't be able to wipe. The next time he turns the phone on, it will be directly into DFU mode to do his jailbreak so you won't ever have a chance to wipe it.
2) You probably don't just have pictures of your kids in your email. The truth is, the vast majority of iphone users check their primary email on their iPhone and this is tied to any number of accounts online. So the thief would just go to google, reset your gmail password (since he has access to the account), and then from there proceed to reset your passwords at Bank of America, etc.
3) The real issue stems from the fact that a standard non-jailbroken iPhone has root access all with the same default password "alpine", and on non-jailbreak you can't change it. All apple needs to do is let people change their root access password (like you can do when you do indeed jailbreak your phone), and this current "hack" won't work as the thief would be forced to wipe the phone to get past the root/pass and thus defeat his access to your email accounts, etc.
Good! I was thinking exactly the same . Probably Apple should leave you the ability to personalize the root password
This. Yet again, counterintuitively, jailbreaking your phone and changing your root pass is actually FAR MORE SAFE than leaving your phone non-jailbroken.
No I just don't think you get that most of us have more pressing issues to worry about. But it still makes for interesting reading.
No I just don't think you get that most of us have more pressing issues to worry about. But it still makes for interesting reading.
Well as you said earlier you don't even lock your phone screen. So of course this wouldn't be a pressing issue for you since it doesn't even apply.
But considering in the recent iOS revision, Apple expanded on the lock screen capabilities, I'd venture that many many people care about the security of their iPhones. And for them it is a big issue as it shows how quickly and easily the lock screen security tech can be circumvented. I mean, if I had my laptop with me at a coffee shop for example, and someone left their iPhone on the table, I could (or anyone with any knowledge of this stuff) could LITERALLY get around the lock screen and gain root access to the phone in less than 10 minutes. And then from there, proceed to easily see all their saved safari passwords, their saved app passwords, email, everything.
Yep - because the customer prefers it that way. If people had to type in a strong password every time you opened your address book, checked your mail, etc. they would simply stop using the phone and buy a different phone.
There is always a tradeoff between security and convenience.
Or in the case of a phone, I could just watch you type your code while standing in line at Starbucks.
In the case of a desktop, I could sneak a USB key logger on the back of your computer.
Another thing besides manbearpig, global warming, oil drying up and the alien/shadow USA conspiracy to worry about!
Unfortunately, they have it already working in a much better way on the mac. This was just an oversight/mistake.
For a CDMA iPhone perhaps, but a GSM iPhone is a piece of cake.
Even easier... pull the SIM card.
All you need is a paper clip and two seconds.
Access to your keychain can mean access to PayPal meaning access to your credit card. Of course, having the physical card is easier for the baddies then via PayPal.
Isn't allowing the user to save passwords a massive security flaw on any platform? saving passwords to the device essentially means anyone with physical access to any device running any OS has the potential to access password protected user accounts.
In terms of corporate use of iphones and network security, etc. there are easier and far more effective ways of gaining access to sensitive information such as blackmail, intimidation, bribery or disgruntled employees.
Tens of thousands of sensitive US Government documents were recently obtained and leaked to the world and not a single exploit or hack was used.
In terms of corporate use of iphones and network security, etc. there are easier and far more effective ways of gaining access to sensitive information such as blackmail, intimidation, bribery or disgruntled employees.
Tens of thousands of sensitive US Government documents were recently obtained and leaked to the world and not a single exploit or hack was used.
I would never save a password for paypal or my online banking etc. to the keychain, like I said allowing the user to do this is a security flaw in itself.
Everyone keeps on saying "Pull the SIM".
We are taking about criminals here, not rational human beings. Criminals do not think like we do.
Here is what I would do if I "lost" my iPhone.
First I would log try to call it. Then I would go onto mobile me to try to locate it. If it can still be found then it still has a SIM in it.
Next, i would send a message requesting its return with a number to call.
If I did not receive a response, I would save the location where I last tracked it, attempt to perform a remote wipe and change all of my email passwords with 1Password.
I'd go over with a posse to look for it at the last known location.
If I was not able to get it back then at least, I would know that my accounts were secure.
At the end of the day, if I was not able to retrieve it, I would report it stolen and have the IMEI banned from all GSM networks.
We are taking about criminals here, not rational human beings. Criminals do not think like we do.
Here is what I would do if I "lost" my iPhone.
First I would log try to call it. Then I would go onto mobile me to try to locate it. If it can still be found then it still has a SIM in it.
Next, i would send a message requesting its return with a number to call.
If I did not receive a response, I would save the location where I last tracked it, attempt to perform a remote wipe and change all of my email passwords with 1Password.
I'd go over with a posse to look for it at the last known location.
If I was not able to get it back then at least, I would know that my accounts were secure.
At the end of the day, if I was not able to retrieve it, I would report it stolen and have the IMEI banned from all GSM networks.
I really can't understand why some people don't take data security seriously. You may not think that it's important, but a criminal would beg to differ. Also, there is a Nigerian prince ready to share his fortune with you.