gone in 6 minutes – your passwords

One way to get stuff out of an iPhone without the passcode...

Apple’s iPhone and iPad have been phenomenally successful in the consumer sector and have been making inroads into the corporate world as well. However, the iOS platform has been dogged by concerns about the security of the information stored on these devices. This week, a group of researchers supported by the German government released a paper and video demonstration (see below) which once again highlights serious weaknesses in iOS security.

The group, from the Fraunhofer Institute for Secure Information Technology, wanted to see whether they could extract user passwords from a locked iPhone or iPad without knowing the device’s passcode. What they found was disturbing. By jailbreaking the device and installing a script that takes advantage of weaknesses in Apple’s Keychain password storage system, the researchers were able to extract a variety of passwords in under six minutes.

Corporate applications did not fare well under this attack. The research team found that they could easily extract passwords for LDAP, Microsoft Exchange, VPN connections, voicemail, and Wi-Fi networks simply by having physical possession of the phone and a low to moderate level of technical skill. They also found that passwords for Gmail accounts set up as Exchange accounts were easily accessible.

The underlying problem that allows this attack to succeed has to do with how iOS encrypts information. The key used for the encryption has nothing to do with the user’s passcode; it is derived entirely from information present on the device. This means that an attacker who has physical possession of an iPhone, iPod, or iPad has everything needed to reconstruct the key that encrypts the data. Not a good thing.
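The following is an added toy model of the design flaw just described; it is not code from the article or from the Fraunhofer researchers, and it does not reproduce Apple’s actual key derivation. It contrasts a key derived only from device-resident material (a constructed stand-in for a hardware identifier) with a key that also mixes in the user’s passcode via PBKDF2. An "attacker" who knows everything on the device but not the passcode can decrypt the first but not the second, which is exactly why tying data-protection keys to the passcode is the mitigation. The lightweight HMAC-based cipher is only there so the example runs on the standard library; all identifiers and sample values are constructed.

```python
"""Toy model (added example, not from the article): device-only vs passcode-bound keys."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for per-device key material (e.g. a hardware UID).
DEVICE_UID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SALT = bytes.fromhex("a1b2c3d4e5f60718")  # constructed, stored alongside the data


def device_only_key(device_uid: bytes) -> bytes:
    """Key derived solely from device material: anyone holding the device can recompute it."""
    return hashlib.sha256(b"data-protection-key|" + device_uid).digest()


def passcode_bound_key(device_uid: bytes, passcode: str, salt: bytes,
                       iterations: int = 100_000) -> bytes:
    """Key that mixes the passcode into the derivation, so the device alone is not enough."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode() + device_uid,
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (toy construction for a self-contained demo)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def holder_without_passcode(blob: bytes, device_uid: bytes) -> Optional[bytes]:
    """Model of someone holding the device: knows the UID and the scheme, not the passcode."""
    return unseal(device_only_key(device_uid), blob)


def demo(passcode: str = "2580") -> Dict[str, Optional[bytes]]:
    """Seal the same constructed secret under both schemes and see who can read it back."""
    secret = b"exchange-password: constructed-sample"  # constructed sample credential
    weak_blob = seal(device_only_key(DEVICE_UID), secret)
    strong_blob = seal(passcode_bound_key(DEVICE_UID, passcode, SALT), secret)
    return {
        "device_only_read_by_holder": holder_without_passcode(weak_blob, DEVICE_UID),
        "passcode_bound_read_by_holder": holder_without_passcode(strong_blob, DEVICE_UID),
        "passcode_bound_read_by_owner": unseal(passcode_bound_key(DEVICE_UID, passcode, SALT), strong_blob),
        "passcode_bound_wrong_passcode": unseal(passcode_bound_key(DEVICE_UID, "0000", SALT), strong_blob),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'recovered' if result is not None else 'blocked'}")
```

The point of the model is the last two dictionary entries: with the passcode folded into the derivation, the data is still recoverable by the legitimate owner, but a wrong passcode (or no passcode at all) fails the tag check. The PBKDF2 iteration count also makes guessing the passcode offline slower, which a pure device-material key gives you no protection against at all.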

So, what are the takeaways from this?

First, the iOS platform is still not ready for prime time when it comes to corporate use. Apple still has not got the security features needed to keep sensitive information confidential right. Using the iPhone or iPad in a corporate environment still requires add-on software with strong encryption and secondary user authentication to sandbox and secure corporate data.

Second, users should not rely on the passcode to protect their phones or tablets in case of loss or theft. If your device has gone missing, you need to change the sensitive passwords that were stored on that device, as well as any of those passwords you have reused on other systems. While using Apple’s “Find My iPhone” feature to remotely erase your device provides some protection, you can’t really count on it to guarantee the safety of your passwords.

It seems to me that the iOS passcode is in some ways an anti-security feature. Most unsophisticated users probably see the passcode as a guarantee that nefarious people can’t access their sensitive data. In fact, it is in some ways an instance of “security theater,” which provides a false sense of security and encourages users to take risks with their device and the information on it.

If Apple is serious about making iOS devices ready for the corporate market, it needs to get with the program and build real security features into iOS.