[real-eyes] gone in 6 minutes – your passwords
- From: Steven Clark <kcpadfoot@xxxxxxxxx>
- To: real-eyes@xxxxxxxxxxxxx
- Date: Mon, 14 Feb 2011 04:03:04 -0600
gone in 6 minutes – your passwords
By alberg
hacks
One way to get stuff out of an iPhone without the passcode...
Apple’s iPhone and iPad have been phenomenally successful in the
consumer sector
and have been making inroads into the corporate world as well. However,
the iOS
platform has been dogged by concerns around the security of information
stored on
these devices. This week, a group of researchers supported by the German
government
released a
paper
and video demonstration (see below) which once again highlights
serious weaknesses
in the security of iOS.
The group, from the Fraunhofer Institute for Secure Information
Technology, wanted
to see whether they would be able to extract user passwords from a
locked iPhone
or iPad without knowing the device’s passcode. What they found was
disturbing.
By jailbreaking the device and installing a script which takes advantage
of weaknesses
in Apple’s Keychain password storage system, the researchers were able
to extract
a variety of passwords in under six minutes.
Corporate applications did not fare well under this attack. The
research team found
that they could extract passwords for LDAP, Microsoft Exchange, VPN
connections,
voicemail, and WIFI credentials quite easily simply by having physical
possession
of the phone and low to moderate levels of technical skill. They also
found that
passwords for Gmail accounts set up as Exchange servers were easily
accessible.
The underlying problem that allows this attack to succeed has to do with
how iOS
encrypts information. They key used to do the encryption has nothing to
do with
the user’s passcode; it is made up of information present on the device.
This means
that an attacker who has physical possession of an iPhone, iPod, or iPad
has access
to the key used to encrypt the data. Not a good thing.
So, what are the takeaways from this?
First, the iOS platform is still not ready for prime time when it comes
to corporate
use. Apple still has not gotten the security features needed to keep
sensitive
information confidential right. Using the iPhone or iPad in a corporate
environment
still requires add on software with strong encryption and secondary user
authentication
to sandbox and secure corporate data.
Second, users should not rely on the passcode to protect their phones or
tablets
in case of loss or theft. If your device has gone missing, you need to
change your
sensitive passwords which were stored on that device as well as any
passwords which
you have used on multiple systems. While using Apple’s “Find My iPhone”
feature
to remotely erase your device provides some protection, you can’t really
count on
this to guarantee the safety of your passwords.
It seems to me that the iOS passcode is in some ways an anti-security
feature. Most
unsophisticated users probably see the passcode as guaranteeing that
nefarious people
can’t access their sensitive data. In fact, it is in some ways an
instance of “security
theater,” which provides a false sense of security and encourages users
to take risks
with their device and the information on it.
If Apple is serious about making iOS devices ready for the corporate
market they
need to get with the program and build real security features into iOS.
To subscribe or to leave the list, or to set other subscription options, go to
www.freelists.org/list/real-eyes
Other related posts:
- » [real-eyes] gone in 6 minutes – your passwords - Steven Clark
