14 DAY TRIAL // German security researchers have demonstrated that passwords stored on a stolen or lost iPhone can be retrieved in around six minutes even if the device is locked.
Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology (SIT) have published a paper [pdf] and a video demonstration of their findings.
In order to get access to the phone and unlock access to the file system., the hackers used publicly available jailbreaking tools.
They then uploaded a specially designed script able to scrape passwords stored in the device's keychain. Their decryption was done using OS functions.
The extracted passwords corresponded to website accounts from Safari, Yahoo! Mail, Google Mail, WiFi, voicemail, MS Exchange, IMAP, LDAP, VPN and other services.
The purpose of the research was to demonstrate that stolen or lost iPhones can pose security risks not only to data stored on the devices itself, but also on external services.
Furthermore, the iOS device encryption feature gives users a false sense of security, because in reality this protection mechanism can be easily bypassed.
"Owner’s of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords," the researchers advise. [pdf]
"Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts," they add.
As far as companies are concerned, when loosing an iOS device they should consider immediately revoking VPN and wireless passwords. The remote wipe functionality might also be used.
The two researchers judge their attack's complexity as low, because they used tools freely available on the Internet and creating the script only required moderate programming skills.