iPhones and iPads reveal passwords regardless of passcode protection


Losing your iPhone or iPad equals having your passwords compromised – even if the device is protected with a passcode.

The results of an experiment conducted by Jens Heider and Matthias Boll, two researchers from the Fraunhofer Institute for Secure Information Technology, have proven that the combination of a modified jailbreaking technique and the installation of an SSH server on a device running iOS results in a complete circumvention of the passcode.

According to the researchers, this is not the first time that someone has managed to access large portions of the data stored on these devices without knowing the passcode. “Tools are available for this task that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current iOS devices the required cryptographic key does not depend on the user’s secret passcode,” they explain.

So, they chose to concentrate their efforts on gaining access to the data stored in the keychain, which usually contains various user accounts and passwords for e-mail, VPN, WiFi, various websites and sometimes also passwords and certificates used in 3rd party applications.

This data is also encrypted, and for the sake of the experiment, they assumed the device is in the hands of a thief or someone who found it, that it is protected by a strong passcode and that it’s not jailbroken.

After the passcode has been bypassed using the previously mentioned procedure, software on the device can be used to access the encrypted keychain database. A specially crafted script is then copied onto the device via the SSH connection and, when executed, it prints information about the accounts it finds to the shell.

The script decrypts the keychain with the help of functions provided by the operating system itself, but there are some passwords that remain protected and inaccessible, and some that can only be accessed if the attacker knows the passcode.

“We judge the effort for the shown attack method as low, since the used jailbreaking tools are freely available and the additional steps to decrypt the keychain require only moderate programming skills,” conclude the researchers, and advise everyone who has lost their iPhone or iPad or had it stolen to immediately change all the passwords stored on it.