Here’s a scary statistic: If your iPhone is lost or stolen and the thief knows what they’re doing, they can get the handset to cough up passwords stored in its keychain in only six minutes -- without ever having to crack through your passcode.
MacStories is reporting that German researches have shown that the iPhone is vulnerable to having the keychain exploited, even with Apple’s current passcode system in place. Like Mac OS X, the keychain is where iOS stores all of your passwords and other key data, which is easily hacked using an existing jailbreak exploit.
“Once jailbroken, the researchers installed an SSH server on the iPhone and install a keychain access script,” MacStories reveals. “This keychain access script utilizes functions that are built within the phone to access passwords and other data stored in keychain which is then outputted to the attacker.”
The discovery was made by researchers at the Fraunhofer Institute of Secure Information Technology, who explain “the attack works because current iOS devices have a cryptographic key that is based on data within the device and not based on the passcode,” MacStories says. “As a result, an attacker can gain access to the internal iPhone data through a jailbreak and then access all the information required to get into the keychain.”
In case you’re thinking that this attack will only give up website passwords that can be easily changed, think again -- it also includes “data such as the passwords for Google Mail, Microsoft Exchange accounts, voicemail, Wi-Fi passwords and some app passwords are fully compromised and accessible to an attacker with physical access to someone’s iPhone.”
Hopefully the jailbreak exploit isn’t one currently in use by the Dev Team, since Apple will likely plug this hole rather quickly. Have a look at just how easy it is with the embedded video below -- and in the meantime, hang onto those iPhones, folks!
Follow this article’s author, J.R. Bookwalter on Twitter
(Image and video courtesy of MacStories.net)
