/ 11 February 2011

iPhones and iPads are vulnerable to six-minute hack

Companies that let staff use iPhones and iPads for business, including the London-based bank Standard Chartered, have been warned that staff should be on “red alert” for an attack that can steal passwords from a device in just six minutes, even if its lock is enabled.

The hack, which could seriously compromise a corporation’s critical infrastructure, was uncovered by experts in Germany and allows attackers to break into a lost or stolen phone simply by removing its SIM card and following a brief procedure.

Experts at Germany’s state-sponsored research institute Fraunhofer SIT said in a statement: “Within six minutes the institute’s staff were able to render void the iPhone’s encryption and decipher the passwords stored on it. If the iPhone is used for business purposes then the company’s network security may be at risk as well. Only companies prepared for such an attack will be able to reduce their risk.”

The attack targets Apple’s password management system, known as a “keychain”, which scrambles all passwords and login information on the iPhone. It can compromise iPhones and iPads with the latest software version installed even if they have the software “screen lock” turned on.

Once an attacker has access to the phone, the first step is to install “jailbreaking” software, which a small number of iPhone owners do voluntarily so they can download apps unauthorised by Apple. From here, the attacker downloads a program on to the phone that is able to decrypt passwords held on it, most notably for Google Mail accounts and for private company networks.

“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get hold of email passwords and access codes to corporate VPNs [virtual private networks] and WLANs [wireless local area networks] as well,” the researchers said in a statement. “Control of an email account allows the attacker to acquire even more additional passwords: for many web services, such as social networks, the attacker only has to request a password reset.”

False assumption
Jens Heider, the technical manager of the Fraunhofer SIT security test lab, said many companies have a false belief that the high-security phones lent to employees are impenetrable to such attacks. “This opinion we encountered even in companies’ security departments,” Heider said. “Our demonstration proves that this is a false assumption. We were able to crack devices with high-security settings within a very short time.”

Graham Cluley, a security expert at Sophos, said the vulnerability could turn serious if hackers choose to put the attack method in the public domain. “Others may well try to do this and publish the tools to do it, so it is quite serious,” he said.

“The real worry is that this isn’t something that takes three weeks — it takes six minutes. People may not even realise their phone was temporarily in the hands of someone else.”

Apple had not returned a call asking for comment as this story was being published.

In its latest earnings call last month, Apple said that a large number of Fortune 500 and FTSE 100 companies were “testing or deploying” the iPhone and iPad.

Cluley said companies using Apple’s popular smartphone need to put pressure on the technology firm to fix the issue as soon as possible. “This is embarrassing for Apple, because they want people to believe they have a trusted enterprise device. What’s important is how quickly they can patch this.” – guardian.co.uk