Think That iPhone Isn't A Corporate Security Risk?
If so, you had better think again. Researchers have shown how the passwords on the iPhone can be revealed in less than six minutes.
If so, you had better think again. Researchers have shown how the passwords on the iPhone can be revealed in less than six minutes.Security managers and CIOs alike have enough to worry about when it comes to securing mobile devices. They certainly didn't need to learn that many of the passwords stored on an iPhone can be had in about half the time it takes to hard boil an egg.
But that's exactly what researchers in Germany just disclosed, and it's raising eyebrows. The cracking technique requires attackers have physical access to the device. Considering how many mobile devices are lost every year, that's not much consolation in this case.
These researchers conducted their attack against an iPhone 4 (not jailbroken) equipped with the most recent firmware. iPads are susceptible, too. Researchers said. The passwords recovered are those used for wifi networks, some applications (depending on how they were programmed) as well as the password credentials to e-mail and VPNs.
Here's a video demonstration:
The tools and techniques needed to conduct the necessary jailbreak and file access are widely available. What this team did was figure out how to extract the actual passwords.
The researchers' full paper, Lost iPhone? Lost Passwords! Practical Consideration of iOS Device Encryption Security is available here in .pdf format.
For my security and technology observations throughout the day, find me on Twitter.
Dark Reading Tech Digest, Dec. 19, 2014Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Published: 2015-01-31 VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 does not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certifica...
Published: 2015-01-31 The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.
Published: 2015-01-31 Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.
Published: 2015-01-31 Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field.
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.