iPhones and iPads are vulnerable to six-minute hack

Companies that let staff use iPhones and iPads for business, including the London-based bank Standard Chartered, have been warned that staff should be on “red alert” for an attack that can steal passwords from a device in just six minutes, even if its lock is enabled.

The attack, which could expose a company's internal network as well as the device itself, was uncovered by researchers in Germany. It lets anyone holding a lost or stolen phone remove its SIM card (so the handset can no longer be reached over the mobile network for a remote wipe) and then extract stored credentials by following a short procedure.

Experts at Germany’s state-sponsored research institute Fraunhofer SIT said in a statement: “Within six minutes the institute’s staff were able to render void the iPhone’s encryption and decipher the passwords stored on it. If the iPhone is used for business purposes then the company’s network security may be at risk as well. Only companies prepared for such an attack will be able to reduce their risk.”

The attack targets Apple's password store, known as the "keychain", which encrypts the passwords and login credentials held on the iPhone. The weakness is that the key protecting many keychain entries is derived from the device's own hardware key rather than from the user's passcode, so an attacker who can run code on the device can have the device decrypt those entries without ever learning the passcode. The attack works against iPhones and iPads running the latest software version, even with the "screen lock" turned on.

Once an attacker has the phone in hand, the first step is to install "jailbreaking" software, which does not require the device's passcode; a small number of iPhone owners jailbreak their phones voluntarily so they can install apps not authorised by Apple. From there, the attacker copies a program onto the phone that asks the device to decrypt the passwords held in its keychain, most notably for Google Mail accounts and for access to private company networks.

“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get hold of email passwords and access codes to corporate VPNs [virtual private networks] and WLANs [wireless local area networks] as well,” the researchers said in a statement. “Control of an email account allows the attacker to acquire even more additional passwords: for many web services, such as social networks, the attacker only has to request a password reset.”
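What the attack described above can recover is decided by each keychain item's protection class: an item whose class does not tie its encryption key to the passcode is readable by any code running on the device, while an item bound to the passcode stays encrypted until the user unlocks the phone. The Swift below is an added example, not code from the article, the Guardian or Fraunhofer SIT; it assumes the iOS Security framework's SecItem API, and the service name, account and secret are placeholders chosen for illustration. It stores the same credential twice, first with the weak class the attack reads and then with the class a practitioner should use for a VPN or mail password.

```swift
import Foundation
import Security

// Added example, not code from the article or from Fraunhofer SIT.
// Service, account and secret below are placeholders for this example.

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores `secret` for `account` under `service`, replacing any existing item.
/// `accessible` selects the protection class, which decides whether the item's
/// encryption key depends on the user's passcode.
func storeSecret(service: String, account: String, secret: Data,
                 accessible: CFString) throws {
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any stale copy first: SecItemAdd refuses duplicates, and an old
    // item would otherwise keep its old (possibly weaker) protection class.
    _ = SecItemDelete(baseQuery as CFDictionary)

    var attributes = baseQuery
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = accessible

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw KeychainError.unexpectedStatus(status)
    }
}

/// Reads the item back; returns nil when no such item exists.
func loadSecret(service: String, account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.unexpectedStatus(status)
    }
}

let service = "vpn.example.com"   // placeholder
let account = "alice"             // placeholder
let secret = Data("hunter2".utf8) // placeholder

do {
    // Weak: readable whenever the device is powered on. The item's key does
    // not depend on the passcode, so code running on a jailbroken device can
    // have the OS decrypt it even though the screen lock is set. (This class
    // is deprecated; kSecAttrAccessibleAfterFirstUnlock is passcode-protected
    // only until the device's first unlock after boot.)
    try storeSecret(service: service, account: account, secret: secret,
                    accessible: kSecAttrAccessibleAlways)

    // Hardened: the item's key is derived from the passcode together with the
    // device's hardware key, is only available while the device is unlocked,
    // and is never migrated to backups or to another device.
    try storeSecret(service: service, account: account, secret: secret,
                    accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

    if let stored = try loadSecret(service: service, account: account) {
        print("stored \(stored.count) bytes under \(service)/\(account)")
    }
} catch {
    print("keychain error: \(error)")
}
```

The accessibility attribute only has this meaning in the data-protection keychain, i.e. on iOS (or on macOS with kSecUseDataProtectionKeychain set), so run this inside an iOS app or test target. Auditing an app for this issue amounts to listing every SecItemAdd/SecItemUpdate call and checking that credentials which matter (VPN, Wi-Fi, mail, tokens) are not written with an "Always" or "AfterFirstUnlock" class unless a background process genuinely needs them before the user unlocks.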

False assumption
Jens Heider, the technical manager of the Fraunhofer SIT security test lab, said many companies have a false belief that the high-security phones lent to employees are impenetrable to such attacks. “This opinion we encountered even in companies’ security departments,” Heider said. “Our demonstration proves that this is a false assumption. We were able to crack devices with high-security settings within a very short time.”

Graham Cluley, a security expert at Sophos, said the vulnerability could turn serious if hackers choose to put the attack method in the public domain. “Others may well try to do this and publish the tools to do it, so it is quite serious,” he said.

“The real worry is that this isn’t something that takes three weeks — it takes six minutes. People may not even realise their phone was temporarily in the hands of someone else.”

Apple had not returned a call asking for comment as this story was being published.

In its latest earnings call last month, Apple said that a large number of Fortune 500 and FTSE 100 companies were “testing or deploying” the iPhone and iPad.

Cluley said companies using Apple’s popular smartphone need to put pressure on the technology firm to fix the issue as soon as possible. “This is embarrassing for Apple, because they want people to believe they have a trusted enterprise device. What’s important is how quickly they can patch this.” – guardian.co.uk
