Smartphone security has jumped to the top of the list of concerns for many IT security staffs and one of the main reasons for that is the epidemic of lost and stolen smartphones. Many of those devices have only minimal password protection, and now researchers in Germany have devised a new technique that can recover stored iPhone passwords in little more than five minutes, further heightening concerns.
The technique, developed by researchers at the Fraunhofer Institute for Secure Information Technology, builds upon existing methods that researchers have used to jailbreak iPhones and gain access to the device’s file system. It also requires that the attacker have physical access to the phone, so it can’t be done over the air. But what it can do is enable the attacker to recover passwords stored on the phone that are used for email, VPNs, WiFi networks and other applications.
The researchers performed their attack against an iPhone 4 with the latest firmware installed, that wasn’t jailbroken. They said that it could also be used against an iPad.
“After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain. The decryption is done with the help of functions provided by the operating system itself. Our script reveals the always unencrypted settings (e.g., user name, server, etc.) for all stored accounts. For the account types marked “w/o passcode” in Table 1, also the account’s cleartext secrets are revealed,” Jens Heider and Matthias Boll said in their paper on the iPhone attack.
“This indicates, that an attacker would not need to know the user’s passcode nor does he would need to exploit new vulnerabilities to reveal these secrets. The results were taken from a passcode protected and locked iPhone 4 with current firmware 4.2.1. The overall approach takes six minutes, which might provide an additional opportunity for an attacker to return the device to the owner to cover the revealing of passwords.”
The researchers noted that there were a number of passwords that they could not recover without knowing the phone’s passcode, including passwords for Web sites and a number of email services, such as Yahoo and AOL mail.
There are a number of tools available that will accomplish the initial jailbreak on the iPhone for this attack, and researchers also have developed techniques previously to access the phone’s file system. But what the Fraunhofer researchers accomplished is the last step of being able to grab a user’s protected passwords from the encrypted storage on the device.
“However, it was already shown that it is possible to access great portions of the stored data without knowing the passcode. Tools are available for this tasks that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current iOS devices the required cryptographic key does not depend on the user’s secret passcode. Instead the required key material is completely created from data available within the device and therefore is also in the possession of a possible attacker,” the paper says.
“Less considered is the aspect that, as an extension to the ability to decrypt the file system, an attacker may aim at gaining access to stored secrets kept in the keychain. Therefore, the impact of extending the known iOS weaknesses by targeting the keychain security should be shown in this paper.”