Feb. 10, 2011 at 9:28 AM ET
Discovering that your iPhone has been lost or stolen can be a terrible experience. Not only do you have to deal with replacing the device, but you also have to worry about someone accessing all the personal information you've got on the gadget. That's why you always remember to password-protect your iPhone — to keep all your data safe if something goes wrong.
Too bad that only slows hackers down for about six minutes.
PC World reports that researchers at the Fraunhofer Institute Secure Information Technology in Germany published a paper which describes how someone with malicious intent can easily reveal most of the passwords stored on an iPhone — whether the device itself is password-protected or not — using a process that takes barely more than six minutes to complete.
The first step in the method is to jailbreak the device — which basically means circumventing some iPhone security measures and installing software not authorized by Apple. This can be accomplished using one of many freely available software tools and allows for the installation of an SSH server — which in turn allows for access to the device's password management system, better known as the keychain. At this point there's a tricky step in which hackers face a keychain database which is encrypted with a key that can't be extracted from the iPhone. The solution? Use the key from software within the device.
Ta da! A few clicks later the iPhone will happily share its stored secrets. MS Exchange accounts, LDAP accounts (Lightweight Directory Access Protocol that allows for access to all sorts of directories, generally for corporate use), voicemail, VPN passwords, WiFi passwords and some app passwords are all easily viewed. The only things safe for the time being are passwords for web sites, and that's only because they are stored in a different protection class.
Scary, no? The good news is that the researchers who discovered this particular password revealing method will not be revealing the exact scripts they used to accomplish the task. The bad news? It shouldn't take long for someone else to figure the method out.
So what can you do? Not very much. There doesn't appear to be any preventative measures you can take to keep your data safe. All you can do is rush to change your passwords the instant you notice your iPhone is missing:
Owner’s [sic] of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.