Skip to content

February 11, 2011

Researchers Extract iPhone Data and Passwords in Minutes

A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.

This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.

These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.

Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.

The team’s original research paper is available here (PDF).

Related posts:

  1. JailbreakMe and the PDF Exploit
  2. Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability
  3. iPad Lock Screen Bypass Vulnerability using Smart Cover [Patched]
  4. There Is No Camera Lock Screen Bypass in iOS 5.1
  5. New Lockscreen Bypass in iOS 6.1
Read more from Security, Privacy, Technology, Apple, Hacking, Vulnerabilities, iPhone
, , , , , , , , , , ,

Share your thoughts, post a comment.

(required)
(required)

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

css.php