What if the thief's purpose is to steal an iPhone and not your password? Because as far as I know, that's usually why people steal phones: because they want the actual phone.

Well, yes and no. Yes - some thieves are there only to steal the actual phone. At that point, all that you have lost is your phone. Call up your insurance company, report the theft and you're good to go. End of story. And then No - some thieves steal your smart phone because many people have much more valuable information stored on their smart phones than just the phone - i.e. bank account info, passwords, etc. (this is a mini computer we are talking about here, the same as a laptop for all intents and purposes) - stuff that is much more valuable than the phone itself. The same reason and rationale when it comes to a stolen laptop - there's the value of the laptop itself, then there's the value of the information on said laptop. I don't think you should discount the latter by any means. It's just not worth it.
 
Even if Apple did use a stronger security model, your device has to communicate with iTunes to sync, right? Anyone with the right knowledge and equipment could capture that communication and then create a program that emulates iTunes, and finally retrieve your data. Actually, I believe that's how it's currently being done.
Create an encrypted file (e.g., a disk image) and mail it to yourself so it ends up on your iPhone. iTunes can of course access that file during backup, but it is backing up an encrypted file; without the key (or brute force), you cannot get to it.
Unless some security hole somehow makes it possible to re-create the key, which is what happened here.
 
Everyone keeps on saying "Pull the SIM".

We are talking about criminals here, not rational human beings. Criminals do not think like we do.

Here is what I would do if I "lost" my iPhone.

First I would try to call it. Then I would go onto MobileMe to try to locate it. If it can still be found then it still has a SIM in it.

Next, I would send a message requesting its return with a number to call.

If I did not receive a response, I would save the location where I last tracked it, attempt to perform a remote wipe and change all of my email passwords with 1Password.

I'd go over with a posse to look for it at the last known location.

If I was not able to get it back then at least, I would know that my accounts were secure.

At the end of the day, if I was not able to retrieve it, I would report it stolen and have the IMEI banned from all GSM networks.

How long would it take you to find out that it's missing?
How would you get in contact with mobileMe?
What would you call it with?
What would you need to use 1Password?

And most importantly, how long would all this take? Under 6 minutes?
 
What kind of statement do you expect? If you threaten to kill me, I will give you my password. But for that to happen you need to get hold of ME. If you just steal my hard drive, the answer is ->false<-.

Guess which scenario is more likely?

Exactly, you understood my statement!
My point is that there's no such thing as "invulnerable".
To my surprise, a little Googling gave me several links, especially this one:

http://www.mydigitallife.info/2008/...oot-attack-with-program-source-code-download/

Enjoy!

I would never save a password for paypal or my online banking etc. to the keychain, like I said allowing the user to do this is a security flaw in itself.

I currently do that, keeping login info in an encrypted Note. But I don't write the full username / password; instead I use certain abbreviations and characters that would remind me of the login info.

Create an encrypted file (e.g., a disk image) and mail it to yourself so it ends up on your iPhone. iTunes can of course access that file during backup, but it is backing up an encrypted file; without the key (or brute force), you cannot get to it.
Unless some security hole somehow makes it possible to re-create the key, which is what happened here.

In order for the OS to be able to read that encrypted file, it needs to store the key somewhere. Plus, there's a log in iOS that records every keypress you make. :eek:
But don't panic, it is used to build the user dictionary, and I believe there's a way apps can block it, especially for fields containing secure information.

For the average thief what you suggest should be enough security to discourage them from trying to hack your password.

Well as you said earlier you don't even lock your phone screen. So of course this wouldn't be a pressing issue for you since it doesn't even apply.

But considering that in the recent iOS revision Apple expanded on the lock screen capabilities, I'd venture that many, many people care about the security of their iPhones. And for them it is a big issue, as it shows how quickly and easily the lock screen security tech can be circumvented. I mean, if I had my laptop with me at a coffee shop, for example, and someone left their iPhone on the table, I (or anyone with any knowledge of this stuff) could LITERALLY get around the lock screen and gain root access to the phone in less than 10 minutes. And then from there, proceed to easily see all their saved Safari passwords, their saved app passwords, email, everything.

Yes, it can be bypassed. LOL.
Apple has a way to unlock the screen when a court order requires it (the phone has to be sent to Apple). This means that it can't be completely locked. There will always be a way to unlock the phone.
 
1. Isn't allowing the user to save passwords a massive security flaw on any platform?

2. In terms of corporate use of iphones and network security, etc. there are easier and far more effective ways of gaining access to sensitive information such as blackmail, intimidation, bribery or disgruntled employees.

3. Tens of thousands of sensitive US Government documents were recently obtained and leaked to the world and not a single exploit or hack was used.

1. Of course. But I don't want my phone asking for a password every few minutes, if the system was working properly this password protection method is good for 999/1000 people.

2. Stealing a phone is pretty dang easy.

3. ... Not really relevant.
 
How long would it take you to find out that it's missing?
How would you get in contact with mobileMe?
What would you call it with?
What would you need to use 1Password?

And most importantly, how long would all this take? Under 6 minutes?

The first question is very valid.

The next two I think are more easily answered. With how many iPhones are out there right now, all you would have to do is ask.

"Hey anyone got an iPhone I can use real quick? Please?"

I know that there are 8 iphones in my family alone. And another dozen or so in my circle of friends. It would take time if they didn't have "Find my iPhone" already installed.

I don't use 1Password so I don't know about that, and you never know how long it can take.
 
Access to your keychain can mean access to PayPal, meaning access to your credit card. Of course, having the physical card is easier for the baddies than via PayPal.

At least PayPal offers two factor authentication, which means a thief would have to pick two different pockets to get all the devices required to access an account.

Any email providers offer a two factor authentication system?
 
The first question is very valid.

The next two I think are more easily answered. With how many iPhones are out there right now, all you would have to do is ask.

"Hey anyone got an iPhone I can use real quick? Please?"

Can you even call MobileMe support for remote wipe? I thought all support for MobileMe was online.
 
how well stated sir, kudos to you

It's so sad but true that most people do not realize how much control they have. All they can think about is what they can lose. Not to mention you don't even have to go home; all you need is a computer, iPad, iPod, or Mac!


So what you're telling me is,

1. Someone must first steal my iPhone (already difficult considering how deep my pockets are, or how much it's in my hands).

2. They must hurry home and jailbreak it.

3. They must download the script.

4. Once they have my passwords, they can break into my email and see all of the pictures I sent to friends, or the documents I wrote for school.

5. Once they have my passwords, they could get close to my condo and (god forbid) use my wireless internet!

6. ...all before I sit down and go to www.me.com and push two buttons to Remote Wipe.

[sarcasm]
Well jeez, I guess I'm convinced. Guess I'd better switch to Android.
[/sarcasm]

psst, I think stealing a credit card is MUCH more detrimental...
 
Can you even call MobileMe support for remote wipe? I thought all support for MobileMe was online.


Yes I believe you can call. However, I was just stating that anybody that has an iPhone can download the "Find My iPhone" app, and then you can log into your mobile me and wipe it from there.

You can do it with any iDevice, iPad, iPod touch. Granted they would need to be connected to wifi, but chances are that if you can find someone with one of those you can find an iphone.
 
A little behind on this, but if a phone is lost and I use MobileMe to find it and wipe it clean, does this still work? Why would I just leave the phone as is if it's lost? The first thing I do is wipe it and also call the police and tell them where the phone is.

I am wondering why I can't find the passcode menu like what is shown in the video? Is it because only the German version supports letters in the password?

You're using the number-only password setup. Go to General > Passcode and turn off "Simple Passcode". :D

Show me how it's done on a Blackberry, then.

No one cares about the blueberry phone (BlackBerry, I mean). :D

If someone wanted to do this they could, but no one really cares at all about that phone ;). It's used because some people like the physical keys :eek:, others just hate the iPhone :mad: and Apple, and the last ones like that everything goes to the BlackBerry corporate server and gets encrypted before it is sent to its destination, which makes it hard for the authorities to spy on you. :p

But that's changing since BlackBerry is opening up to the authorities little by little. :mad:

Now go play with your blueberry phone that no one cares about and no one is going to look at it twice.

The reason for announcing exploits publicly, is because you might not be the only one who found the vulnerability. It's the equivalent of yelling across the street to your neighbor that they left their garage door open - whether he leaves it open is up to him.

http://en.wikipedia.org/wiki/Security_through_obscurity



Not true. I have an admin account password and firmware password on my laptop, and as long as my password is strong enough nobody can access anything on my MacBook.



Imagine you are someone important (like a CEO, politician, etc). I specifically steal your phone because I want your secrets. I *gasp* push the power button and turn it off so you can't wipe it. I take it to my own location, jailbreak it, install this script and I have all your info in about an hour.

That is a big security hole, and one that won't and shouldn't be taken lightly by enterprise or government.

Imagine :rolleyes: if you will you shoot the CEO in the head, you take the phone you find out who is who in the company and you go and shoot them in the head also:eek:, you are now a master criminal. :D

Oh hail the great one. :confused:

Imagine if 99 percent of the real world even has anything worth stealing; they probably don't. It's much easier to use social engineering to get what you want. Imagine if most criminals actually were smart :rolleyes: oh wait, 99.99 percent are not, and that .01 percent could care less about my sorry ass.

Lol...

Or... an appointment with the dentist: "Is it Safe?"

If you're in the VA then no, it's not :D

Bad juju going on there.:eek:
 
OMG! A flaw on an Apple product! The fanboys must be committing suicide over this.:eek:
There is nothing 100% secure. If you're dumb enough to put sensitive data on any cell phone, you deserve losing it. Just a matter of time before it happens. What's to stop Apple, your ISP or the government from scanning your cell phone without your knowledge? Nothing. It's done all the time. How secure is that?
 
Right, yes, because if I steal a phone the first thing I'm going to do is connect it to the internet, right?


Right, I guess there are no iPhones out there set up to automatically join open wifi networks. :rolleyes:
 
Just because someone has physical access to your computer doesn't mean they can read the data on the hard drive, even if it's taken out.
If you're using OS X, enable FileVault and "use secure virtual memory".
If you're on Windows, use the built-in BitLocker.

If you TRULY have top secret documents then you'll need to go a step further. Use TrueCrypt. No one will ever know that the encrypted partition even exists, and if anyone tried looking for it, it would just look like random data.

Of course, even RAM can be used to retrieve information if done within seconds: http://www.bizzntech.com/2008/02/24/freeze-memory-chips-steal-encrypted-data
 
A little behind on this, but if a phone is lost and I use MobileMe to find it and wipe it clean, does this still work? Why would I just leave the phone as is if it's lost? The first thing I do is wipe it and also call the police and tell them where the phone is.

It takes, what, 5 seconds to remove the 3G card and you can't remote wipe it anymore.
 
Callpod Keeper Solution

Hi Everyone,

I'd just like to let you know that this issue can be completely avoided by using our security application called Keeper. It does not use the keychain and is secured using 128-bit AES Security. You can find it in the app stores for most devices. Search for Callpod Keeper or just Keeper. There is a Free version and a paid Version. The Paid version allows transferring between devices and comes free for the first thirty days with the Free download. If you don't need to transfer your information between devices just hit No when prompted and it won't bother you again.

Thanks Again,

Callpod Keeper




IDG News Service reports that German researchers have demonstrated how a knowledgeable thief could bypass the iPhone's passcode locking to upload a script capable of revealing entries from the device's password keychain system, potentially giving the hacker access to sensitive passwords stored on the device. According to the report, the researchers were able to obtain passwords for Gmail accounts, Microsoft Exchange accounts, voicemail access, VPN and Wi-Fi network passwords, as well as passwords for some applications.

The researchers note that gaining access to an email password makes it easy for hackers to then reset passwords for other types of accounts, while compromised passwords for corporate networks can obviously result in security issues for businesses.

The exploit obviously requires a fair amount of technical knowledge, and thus shouldn't be an issue for the vast majority of users whose devices become lost or stolen. But the exploit could be used in targeted attacks by those specifically seeking to gain access to sensitive systems.

Article Link: Researchers Demonstrate Vulnerability Allowing Theft of iPhone Passwords
 
TrueCrypt (and other disk encryption tools including FileVault) is not safe from cold boot attacks if someone has physical access while the machine is still powered on (including sleep). Cold boot attacks reliably allow the recovery of disk encryption passwords from RAM.

So it is recommended that the system be powered OFF whenever it is not in use and the risk of theft is high.

Cold boot attacks are much less effective against sparse bundle disk images that are kept unmounted as much as possible, both while logged in and logged out. This is because the encryption keys are less likely to persist in RAM when the disk image is unmounted (overwritten). Unless a cold boot attack occurred soon after the disk image was unmounted, the key for the disk image is secure.

The downside of not using full disk encryption is the swap file is not encrypted. But, users can encrypt the swap file by turning on "secure virtual memory" in the security pane of system preferences.
 
This link is to the research article related to the iPhone password exploit.

Only passwords in the "w/o passcode" keychain are available via this exploit. Passwords in the "protected" keychain are not revealed. Passwords for website accounts, such as banks and paypal, are stored in the protected keychain. Gmail account passwords are in the protected keychain as well so make sure the email address used to reset critical website passwords is your Gmail address. That way an attacker can not reset those critical passwords to gain access.
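As an added illustration of the distinction the post above draws between the "w/o passcode" and "protected" keychains, here is how an iOS app chooses the protected class for a credential it stores. This is example code written for this thread, not code from the researchers, from Apple's report, or from any app discussed here; it uses the Security framework's keychain accessibility attribute (available since iOS 4), and the service and account names are placeholders.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores a credential as a generic-password item whose accessibility is
/// WhenUnlockedThisDeviceOnly: the item is encrypted under a key that is only
/// available while the device is unlocked with its passcode, and it does not
/// migrate to another device through a backup. That is the "protected" class
/// described above, as opposed to items readable without a passcode.
func storeProtectedPassword(service: String, account: String, password: String) throws {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Replace any existing item so SecItemAdd does not fail with errSecDuplicateItem.
    let deleteStatus = SecItemDelete(lookup as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(deleteStatus)
    }

    var item = lookup
    item[kSecValueData as String] = Data(password.utf8)
    // The accessibility attribute is what puts the item in the protected class.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Reads the credential back. While the device is locked, a WhenUnlocked item is
/// not returned; the framework reports errSecInteractionNotAllowed instead, which
/// this function surfaces as an error rather than as a password.
func readProtectedPassword(service: String, account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(decoding: data, as: UTF8.self)
}

// Usage with placeholder service/account names (constructed for this example).
do {
    try storeProtectedPassword(service: "example.bank", account: "alice",
                               password: "correct horse battery staple")
    if let pw = try readProtectedPassword(service: "example.bank", account: "alice") {
        print("read back \(pw.count) characters while the device is unlocked")
    }
} catch {
    print("keychain error: \(error)")
}
```

The point for a defender is the accessibility attribute: an item stored with the "always accessible" option is exactly the kind of entry the post says this technique can read off a locked device, while a WhenUnlocked item stays unreadable until the passcode has been entered.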
 
About time MacRumors, this story has been up all morning

Think about it

If you were Apple you'd want this story buried too.

You probably won't see this truth in "The Daily"

Mac-Excuses is what fanboys offer about this one, it's a great place to get ideas.

You can almost smell the fear.
 
I know it's been talked about already but I'm still not 100% sure.

If I change my root and mobile passwords, will that stop the particular attack shown in the videos? I.e., I changed it already and attempted to rejailbreak the phone - it worked (or at least appeared to), however my custom passwords stayed in place. Safe?
 
I know it's been talked about already but I'm still not 100% sure.

If I change my root and mobile passwords, will that stop the particular attack shown in the videos? I.e., I changed it already and attempted to rejailbreak the phone - it worked (or at least appeared to), however my custom passwords stayed in place. Safe?

Jailbreaking often uses a local privilege escalation exploit to allow the install of cydia (or another third party installer) and disables some security mitigations to allow apps installed via the third party installer to run.

Privilege escalation bypasses the requirement for password authentication to modify sensitive areas of the system. When these privilege escalation exploits can be strung together with remote exploits then this allows web based jailbreaks such as Jailbreakme. This would also allow virus or worm install.

Jailbreaks that rely on apps connected via USB most likely can not be strung together with browser exploits. The privilege escalation exploits found in iOS to allow jailbreaking tend to not be present in Mac OS X given the differences in the systems. This is shown by looking at Apple security releases.

The keychain exploit in the article relies on jailbreaking so the contents of the "protected" keychain are safe as determined by the article.

What do you mean by safe?

There is no defence from the "w/o passcode" keychain items from being revealed from the attack in the article other than making sure the "attacker" does not have physical access to the iPhone.

Making sure the email service attached to resetting passwords is also in the protected keychain (see table in previous post) will keep login passwords to sensitive services (in "protected" keychain), paypal and banks, protected from the attack in the article.

Given that jailbreaking an iPhone allows non-signed apps to run and installs a shell, jailbreaking reduces the security of an iPhone by increasing the likelihood of malware being installed.
 
Jailbreaking often uses a local privilege escalation exploit to allow the install of cydia (or another third party installer) and disables some security mitigations to allow apps installed via the third party installer to run.

Privilege escalation bypasses the requirement for password authentication to modify sensitive areas of the system. When these privilege escalation exploits can be strung together with remote exploits then this allows web based jailbreaks such as Jailbreakme. This would also allow virus or worm install.

Jailbreaks that rely on apps connected via USB most likely can not be strung together with browser exploits. The privilege escalation exploits found in iOS to allow jailbreaking tend to not be present in Mac OS X given the differences in the systems. This is shown by looking at Apple security releases.

The keychain exploit in the article relies on jailbreaking so the contents of the "protected" keychain are safe as determined by the article.

What do you mean by safe?

There is no defence from the "w/o passcode" keychain items from being revealed from the attack in the article other than making sure the "attacker" does not have physical access to the iPhone.

Making sure the email service attached to resetting passwords is also in the protected keychain (see table in previous post) will keep login passwords to sensitive services (in "protected" keychain), paypal and banks, protected from the attack in the article.

Given that jailbreaking an iPhone allows non-signed apps to run and installs a shell, jailbreaking reduces the security of an iPhone by increasing the likelihood of malware being installed.

Thanks for that. Basically what I want to know: if I don't have SSH running, is there any point in changing my passwords for root and mobile?

I.e., is a JB iPhone with SSH off and passwords changed any more or less secure than a non-JB iPhone?
 