Passwords are not secure on iPhones that are lost. This is the result of tests carried out at Fraunhofer Institute SIT in Darmstadt. Within six minutes the institute's staff was able to render the iPhone's encryption void and decipher many passwords stored on it. If the iPhone is used for business purposes then the company's network security may be at risk as well. The flawed security design affects all iPhone and iPad devices containing the latest firmware. Written documentation and a video about the attack are available below. Only companies prepared for such an attack will be able to reduce their risk.
Many people think that the Smartphone device encryption will provide sufficient security. »This opinion we encountered even in companies' security departments«, says Jens Heider, technical manager of the Fraunhofer SIT security test lab. »Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time.« The testers did not have to break the 256 bit encryption to get to the passwords stored in the devices' keychain. A weakness in the security design was used: The underlying secret the attacked password's encryption is based on is stored in the device's operating system. This means that the encryption is independent from the personal password, which is actually supposed to protect the access to the device.
Any device using the iOS operating system can be attacked in such a way, irrespective of the user's password. As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset. Once the respective service returns the new password to the user's e-mail account, the attacker has it as well.
Companies wanting to protect themselves against the consequences of such attacks should educate their staff accordingly and introduce appropriate emergency procedures. Not only should employees who have lost their iPhone change all their passwords, the company should change the respective network identifications as quickly as possible as well. Jens Heider: »This reveals how well the security concept has been adapted to the mobile challenge.«