According to tests carried out by the Fraunhofer Institute for Secure Information Technology (SIT), an IT security institute that develops solutions for immediate use customized to customers’ needs, passwords stored on a lost iPhone are not as secure as people usually consider them to be.
Based in Darmstadt, Germany, the institute ran tests in which its staff was able to get past the iPhone’s encryption and decipher the passwords stored on it within just six minutes. The exposure is even more serious when the device is used for business purposes, because it puts the organization’s network security at acute risk. The institute emphasizes that the security design of all iPhone and iPad devices running the latest firmware offers little protection against intrusion, and the finding dispels the common myth that smartphone device encryption sufficiently protects stored data and passwords.
“This opinion we encountered even in companies’ security departments,” commented Jens Heider, technical manager of the Fraunhofer SIT security test lab. “Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time.”
During the test, the institute’s employees were able to access the passwords stored in the devices’ keychain without having to break the 256-bit encryption. They exploited a serious weakness in the security design of the smartphone: the device stores the cryptographic material needed to encrypt the passwords within its operating system. This makes the encryption independent of the personal password, which is actually supposed to protect access to the device.
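A simplified model of the design issue described above, added here as an illustration and not taken from Fraunhofer SIT or Apple: a secret wrapped under a key that depends only on the device can be unwrapped without the passcode, while a key that also mixes in the passcode cannot. All names, the constructed key and passcode values, and the HMAC-based wrapping are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: a per-device key readable by code running on the
# device, the user's passcode, and one keychain secret.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
PASSCODE = "4821"
SECRET = b"vpn-shared-secret-example"


def device_only_kek(device_key: bytes) -> bytes:
    """Weak design: the wrapping key depends on the device alone."""
    return hmac.new(device_key, b"keychain-kek", hashlib.sha256).digest()


def passcode_bound_kek(device_key: bytes, passcode: str, salt: bytes) -> bytes:
    """Stronger design: the passcode is mixed in through a slow KDF."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)
    return hmac.new(device_key, stretched, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used only to keep the example stdlib-only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a secret under the key-encryption key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))
```

In the second design the passcode becomes part of the key itself, so possession of the device key alone no longer yields the stored secret.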
The testers found that it is possible to attack any device powered by the iOS operating system, whatever the user’s password. Attackers just need to remove the SIM card of the iPhone or iPad to access the e-mail passwords and the access codes for VPNs, WLANs and company networks. Further, after gaining control of an e-mail account, the attackers are able to obtain even more passwords, because a number of web services such as social networks need just a single request to reset the password.
In October 2010, Professor Dr. Michael Waidner was appointed director of the independent Fraunhofer SIT Darmstadt, with locations in Darmstadt and Birlinghoven. Previously, Dr. Waidner was chief technology officer for Security at IBM and led the security research team at the IBM Zurich Research Laboratory in Rüschlikon, Switzerland, until 2006.