German security researchers say they’ve been able to crack passwords stored on a locked iPhone – and they did it within six minutes.
Bypassing the iPhone’s encryption, the Fraunhofer Institute Secure Information Technology team exploited a weakness of the keychain password management system. The underlying key to the encryption is based on is stored in the device’s operating system.
Any device using the iOS operating system can be attacked in such a way, irrespective of the user’s password. As soon as attackers get hold of an iPhone or iPad and have removed the device’s SIM card, they can potentially get hold of email passwords and access codes to corporate VPNs and WLANs as well.
And, they point out, control of an email account allows the attacker to acquire even more passwords. For many web services, such as social networks, the attacker only has to request a password reset. Once the respective service returns the new password to the user’s email account, the attacker has that as well.
Many people think that smartphone device encryption provides plenty of security.
“This opinion we encountered even in companies’ security departments,” says Jens Heider, technical manager of the Fraunhofer SIT security test lab.
“Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time.”
The team warns that iPhone users – especially corporate users -should react quickly when a phone is lost or stolen. Not only should the user change all their passwords, the company should change the respective network identifications as quickly as possible as well.