Risk
2/11/2011
10:39 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Think That iPhone Isn't A Corporate Security Risk?

If so, you had better think again. Researchers have shown how the passwords on the iPhone can be revealed in less than six minutes.

If so, you had better think again. Researchers have shown how the passwords on the iPhone can be revealed in less than six minutes.Security managers and CIOs alike have enough to worry about when it comes to securing mobile devices. They certainly didn't need to learn that many of the passwords stored on an iPhone can be had in about half the time it takes to hard boil an egg.

But that's exactly what researchers in Germany just disclosed, and it's raising eyebrows. The cracking technique requires attackers have physical access to the device. Considering how many mobile devices are lost every year, that's not much consolation in this case.

These researchers conducted their attack against an iPhone 4 (not jailbroken) equipped with the most recent firmware. iPads are susceptible, too. Researchers said. The passwords recovered are those used for wifi networks, some applications (depending on how they were programmed) as well as the password credentials to e-mail and VPNs.

Here's a video demonstration:

The tools and techniques needed to conduct the necessary jailbreak and file access are widely available. What this team did was figure out how to extract the actual passwords.

The researchers' full paper, Lost iPhone? Lost Passwords! Practical Consideration of iOS Device Encryption Security is available here in .pdf format.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.