iPhone security broken in 6 minutes, many passwords exposed

So you lost your iPhone last night but you aren’t worried because you had put a password on it right? The Fraunhofer Institute for Secure Information Technology in Germany has developed an application that can take your iPhone and reveal all stored passwords in its keychain in about 6 minutes. The phone that was tested was an un-modified up to date iPhone.

The program does this by initiating a custom jailbreak protocol which allows it to get full access to your phone even though its password protected. What kind of information is stored in your keychain you may ask? Anything you have ever entered a password for on your iPhone including but not limited to: Wifi networks, anything in Safari, app passwords, anything that was stored in the keychain.

“Even in the security departments of companies we have encountered again and again on this assessment,” said Jens Heider, technical manager in the test lab IT security at the Fraunhofer SIT. “Proves our demonstration that this is a fallacy. Even devices with high security settings operated be allowed to crack in no time. “

UPDATE: Although passwords can be viewed not all passwords could be revealed per the following quote from this PDF.

Secrets within other protection classes, such as passwords for websites, could not be revealed in our lost device scenario. In our proof of concept implemen- tation, these secrets — marked “protected” in Table 1 — were available to the script only after entering the passcode to unlock the device, which by assump- tion should not be possible for an attacker. However, note that in many situa- tions it is sufficient for an attacker to gain access to the user’s email account for abusing the password recovery processes of many other accounts.

Fraunhofer thinks that companies need to take larger steps to secure their mobile devices from intruders as their software has been tested at various other companies. The company has included a video demonstration of their software to show how easily this is done. I would suggest if you lost your iPhone to use the remote wipe as soon as possible via Find my iPhone which is now free from Apple. [Press Release, VIA BGR]

Learn more the author of this post:

I was a Computer and Information Technology student at Purdue University. I have always wanted my own website and have been fascinated with technology my entire life. So here I am, what's next?