Researchers Demonstrate Vulnerability Allowing Theft of iPhone Passwords


IDG News Service reports that German researchers have demonstrated how a knowledgeable thief could bypass the iPhone's passcode locking to upload a script capable of revealing entries from the device's password keychain system, potentially giving the hacker access to sensitive passwords stored on the device.

In a video that demonstrates the attack, the researchers first jailbreak the phone using existing software tools. They then install an SSH server on the iPhone that allows software to be run on the phone.

The third step is to copy a keychain access script to the phone. The script uses system functions already in the phone to access the keychain entries and, as a final step, outputs the account details it discovers to the attacker.

The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.

According to the report, the researchers were able to obtain passwords for Gmail accounts, Microsoft Exchange accounts, voicemail access, VPN and Wi-Fi network passwords, as well as passwords for some applications.

The researchers note that gaining access to an email password makes it easy for hackers to then reset passwords for other types of accounts, while compromised passwords for corporate networks can obviously result in security issues for businesses.

The exploit obviously requires a fair amount of technical knowledge, and thus shouldn't be an issue for the vast majority of users whose devices become lost or stolen. But the exploit could be used in targeted attacks by those specifically seeking to gain access to sensitive systems.

Popular Stories

iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
iPad Pro USB C Feature Coral

Deals: Apple's iPad Pro Reaches Up to $449 Off in Amazon's Latest Sales

Wednesday May 25, 2022 10:09 am PDT by
Amazon is marking down a wide variety of 11-inch and 12.9-inch iPad Pro models this week, with prices starting as low as $749.00 for the 11-inch tablet. You'll find the full list of sales below, all of which can be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep...
apple account card

Wallet App Now Supports Apple Account Cards on iOS 15.5

Wednesday May 25, 2022 5:01 pm PDT by
Apple appears to have recently updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an App Store or Apple Store gift card, for example, it is added to an Apple Account that was previously visible in the App Store and Apple Store apps. As of today, the Apple Account balance can also be added to...
Apple Tap to Pay iPhone

Apple Stores Rolling Out iPhone-to-iPhone Contactless Payments Starting Today

Wednesday May 25, 2022 6:54 am PDT by
Apple in February unveiled a new "Tap to Pay on iPhone" feature that will allow compatible iPhones to accept payments via Apple Pay, contactless credit and debit cards, and other digital wallets, with no additional hardware required. Apple began testing the feature at its Apple Park Visitor Center earlier this month, and now Bloomberg's Mark Gurman has tweeted that the feature will begin...
apple wwdc 2022

Apple Shares WWDC 2022 Schedule, Keynote to Take Place June 6 at 10:00 a.m PT

Tuesday May 24, 2022 9:06 am PDT by
Apple today confirmed that the keynote event for the Worldwide Developers Conference will begin at 10:00 a.m. Pacific Time on June 6, the first day of WWDC. The keynote will be an online-only event, though a select number of developers have been invited to the Apple Park campus for a viewing event. In addition to confirming the keynote date and time, Apple has shared the full WWDC 2022...