Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Attack Reveals Passwords In Six Minutes

Posted by samzenpus on from the what-took-so-long? dept.

angry tapir writes "Researchers in Germany say they've been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone's passcode. The attack, which requires possession of the phone, targets keychain, Apple's password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen."

5 of 186 comments (clear)

  1. Re:Well... by intellitech · · Score: 4, Insightful

    Give them a break! It's not like they have billions of dollars in annual profit which could help them do some serious security R&D.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
  2. Re:Physical Access by rainmouse · · Score: 3, Insightful

    It's easier to steal or loose your phone than it is to break into your home and steal your desktop and considering the majority of people use the same passwords for email, Facebook, Amazon shopping and online banking, I'd consider this a serious security breach. Yes you can call people dumb for not being tech savvy but isn't that the target audience for apple products? (I don't mean dumb, just non-technical minded folk)

  3. Re:Every single smart phone has same problem by clang_jangle · · Score: 3, Insightful

    THink about it.... Do you enter a passwrod when start your phone?

    Of course I do. Any real geek probably has a password set, and a suitably short timeout. Still, physical access to any device trumps almost any security measure. The headlines scream "iPhone" but this can be done with any mobile device, once you have it in your possession.

    --
    Caveat Utilitor
  4. Re:What by Cronock · · Score: 3, Insightful

    Nobody says they're unhackable. I think youre thinking about the classic "macs are more secure" debate, which is much different. But nobody with an ounce of geek in them would stretch so far to say something is unhackable. Anything can be hacked when an appropriately skilled person is given enough patience, physical access, and the right tools.

  5. Re:Relies on Jailbreaking by v1 · · Score: 4, Insightful

    Whatever. Being root does not somehow magically allow you to decrypt abitary data.

    The data decrypted isn't arbitrary. It's information the phone requires when it starts up. Therefore the phone itself has to have some way (usually protected by root privileged objects) to unlock that information.

    Any phone, or computer for that matter, that has automatic login enabled has to make this sacrifice. The iphone auto logs in as user "mobile". OS X (and therefore iOS) has a very convoluted/obfuscated way to unlock the user keychain based on automatic login, but of course no matter how much they obfuscate it, it can be defeated given enough time and dedication, by people that are capable of reverse-engineering your binaries.

    This isn't a security blunder by Apple, it's a necessary tradeoff made by any operating system that features auto login. The only way to strengthen this is by encrypting the actual key with the unlock code, but four digits isn't enough entropy to even be worth the effort. You might turn a 6 minute hack into a 7 minute hack if you're very lucky. And as others have pointed out, that's about as much inconvenience as users will tolerate in an unlock code.

    --
    I work for the Department of Redundancy Department.