Researchers have identified a method for recovering passwords stored in the keychain of a locked iPhone or iPad without having to crack the device’s user-defined passcode. This could have a significant impact on enterprise adoption of these devices, and it affects ordinary individual users just as much.
The method, disclosed by researchers at the Fraunhofer Institute for Secure Information Technology (SIT), is not a remote attack: it requires physical access to the iOS device (the researchers jailbreak the locked device to get their own code running on it). But the time it takes, about 6 minutes, makes this a serious issue. Leaving a device unattended for a few minutes, say during a restroom break, is enough for someone to extract passwords from it.
Many users believe that a strong passcode makes the stored data unreachable for anyone else. In theory that holds: iOS devices encrypt their storage with AES-256, which is more than strong enough to defeat brute force. The attack does not break the cipher at all. It has the operating system itself decrypt the stored data on the attacker’s behalf, because the keys protecting these entries are derived from secrets held on the device, not from the user’s passcode. Whatever key material the device can reconstruct on its own is therefore also available to anyone who can run code on that device.
Once the device decrypts its storage for the attacker, every password kept in one of these passcode-independent protection classes is exposed. The paper lists credentials for VPNs, online and corporate email services, websites, and WiFi networks among them.
The researchers who found the vulnerability have published the full details in their paper, “Lost iPhone? Lost Passwords! Practical Consideration of iOS Device Encryption Security”, which can be downloaded.
Check page 7 of the paper for a table of services whose credentials an attacker can obtain. If the last column says “w/o passcode”, the entry is exposed by this attack. Entries marked as requiring the passcode are protected by a key that also depends on the passcode and are not recoverable from a locked device this way; which column an entry lands in is decided by the protection class the app chose when it stored the item, not by anything the user can configure.
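To make the mechanism in the preceding paragraphs concrete, here is an added Python model of a two-tier key hierarchy. It is not code from the original post, from Apple, or from the Fraunhofer SIT paper. It assumes a per-device hardware key that any code running on the device can use but cannot read out, a class key for passcode-independent entries wrapped under that device key alone, and a class key for passcode-dependent entries wrapped under a key that also mixes in the passcode. The protection names reuse the two column values from the paper’s table (“w/o passcode”, “with passcode”); the sample entries, secrets, salt and device key are constructed, and the wrap/unwrap and KDF routines are toys standing in for the AES-based key wrapping a real device uses.

```python
"""Toy model of a device key hierarchy: which stored credentials can someone
with code execution on a *locked* device decrypt?  Constructed illustration,
not Apple's implementation and not the Fraunhofer SIT tool."""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag appended to every wrapped blob


def derive(secret: bytes, label: bytes) -> bytes:
    """One HMAC-SHA256 key-derivation step (toy KDF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated wrap: XOR with a hash keystream, then an HMAC tag.
    Stands in for the AES key wrapping a real device would use."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError when the key is wrong."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def passcode_key(passcode: str, salt: bytes) -> bytes:
    """Slow derivation of a key from the user's passcode (toy parameters)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000)


# Constructed sample keychain: entry -> (protection column from the paper's table, secret).
SAMPLE_ENTRIES = {
    "vpn":       ("w/o passcode",  b"vpn-shared-secret"),
    "wifi-corp": ("w/o passcode",  b"corp-wpa2-psk"),
    "corp-mail": ("with passcode", b"exchange-password"),
}


def build_device(passcode: str, entries: dict) -> dict:
    """Provision a device.  The UID key models a per-device hardware secret that
    cannot be read out but that any code running on the device can use."""
    uid_key = hashlib.sha256(b"constructed-device-uid").digest()   # constructed value
    salt = b"constructed-passcode-salt"
    class_keys = {prot: os.urandom(32) for prot in ("w/o passcode", "with passcode")}
    wrapped_class_keys = {
        # Wrapped under the UID key alone: recoverable by anything running on the device.
        "w/o passcode": wrap(derive(uid_key, b"class:w/o passcode"),
                             class_keys["w/o passcode"]),
        # Wrapped under a key that mixes in the passcode: needs the user's secret.
        "with passcode": wrap(derive(uid_key, passcode_key(passcode, salt)),
                              class_keys["with passcode"]),
    }
    items = {name: (prot, wrap(class_keys[prot], secret))
             for name, (prot, secret) in entries.items()}
    return {"uid_key": uid_key, "salt": salt,
            "wrapped_class_keys": wrapped_class_keys, "items": items}


def dump_keychain(device: dict, passcode=None):
    """What a party with code execution on the device recovers, with or without
    the passcode.  Returns (recovered_secrets, entries_still_protected)."""
    uid_key = device["uid_key"]
    available = {
        "w/o passcode": unwrap(derive(uid_key, b"class:w/o passcode"),
                               device["wrapped_class_keys"]["w/o passcode"]),
    }
    if passcode is not None:
        try:
            available["with passcode"] = unwrap(
                derive(uid_key, passcode_key(passcode, device["salt"])),
                device["wrapped_class_keys"]["with passcode"])
        except ValueError:
            pass  # wrong passcode: that class key stays wrapped
    recovered, protected = {}, []
    for name, (prot, blob) in device["items"].items():
        if prot in available:
            recovered[name] = unwrap(available[prot], blob)
        else:
            protected.append(name)
    return recovered, sorted(protected)


if __name__ == "__main__":
    dev = build_device("1234", SAMPLE_ENTRIES)
    got, left = dump_keychain(dev)          # attacker: device in hand, no passcode
    print("without passcode:", got, "still protected:", left)
    got, left = dump_keychain(dev, "1234")  # legitimate owner after unlocking
    print("with passcode:   ", got, "still protected:", left)
```

Running the module prints the attacker’s view first: the VPN and WiFi secrets come out in the clear while `corp-mail` stays wrapped, and only the second call, with the real passcode, recovers everything. The point the model makes is that whether a stored secret survives the device falling into the wrong hands while locked is decided entirely by which tier its key hangs off, not by the strength of the cipher.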
This raises the stakes for enterprises: an employee who loses or temporarily misplaces a device may have it broken into, and any credentials stored on it can then be used for unauthorized access to enterprise resources. It also adds work for security departments, which need a policy for handling lost or unattended devices and a way to ensure that the passwords for every service stored on the device are changed promptly.
The biggest issue is that employees may never know their device was broken into. The attack takes only a few minutes, so a device can be returned, or found again, with its credentials already stolen and no visible trace of what happened.
On a lighter note, I am sure Apple will come up with a cool ad that blames Microsoft because an unauthorized user accessed an Exchange server using credentials stolen from an iOS device.