Your iPhone/iPad Password Can Be Hacked in Six Minutes
Friday, February 11, 2011 at 12:42PM
Think your iPhone/iPad is locked down with a passcode? Think again; passwords can be hacked in about six minutes.
Watch the scientists at the Fraunhofer Institute for Secure Information Technology test laboratory in Germany demonstrate this.
Within six minutes the institute’s staff was able to render the iPhone’s encryption void and decipher many passwords stored on it. If the iPhone is used for business purposes then the company’s network security may be at risk as well. The flawed security design affects all iPhone and iPad devices containing the latest firmware.
The testers did not have to break the 256-bit encryption to get to the passwords stored in the devices’ keychain. Instead, they used a weakness in the security design: the secret underlying the encryption of the attacked passwords is stored in the device’s operating system. This means that the encryption is independent of the personal password, which is actually supposed to protect access to the device.
Any device using the iOS operating system can be attacked in this way, irrespective of the user’s password. As soon as attackers are in possession of an iPhone or iPad and have removed the device’s SIM card, they can get hold of e-mail passwords as well as access codes to corporate VPNs and WLANs. Control of an e-mail account allows the attacker to acquire still more passwords: for many web services, such as social networks, the attacker only has to request a password reset. Once the respective service returns the new password to the user’s e-mail account, the attacker has it as well.
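The design weakness described above can be modelled in a few lines. The following is an added illustration, not code from Fraunhofer SIT or Apple: the function names, the toy stream cipher standing in for 256-bit AES, and the sample passcode and keychain item are all assumptions made for the example. It contrasts an item key derived only from a device-resident secret with one that also requires the user's passcode.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for AES-256."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one item key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, secret: bytes) -> bytes:
    enc, mac = _subkeys(key)
    ct = _xor_stream(enc, secret)
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong."""
    enc, mac = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(enc, ct)

def device_only_key(device_secret: bytes) -> bytes:
    # Design described in the article: nothing the user knows goes in.
    return hashlib.sha256(b"keychain-item" + device_secret).digest()

def passcode_entangled_key(device_secret: bytes, passcode: str) -> bytes:
    # Alternative design: passcode and device secret are both required.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, 100_000)

def compare_designs(passcode="4821", wrong_guess="0000"):
    device_secret = os.urandom(32)          # constructed device-resident secret
    item = b"constructed-vpn-password"      # constructed keychain item
    weak = seal(device_only_key(device_secret), item)
    strong = seal(passcode_entangled_key(device_secret, passcode), item)
    return {
        "weak_without_passcode": unseal(device_only_key(device_secret), weak),
        "strong_wrong_passcode": unseal(passcode_entangled_key(device_secret, wrong_guess), strong),
        "strong_right_passcode": unseal(passcode_entangled_key(device_secret, passcode), strong),
    }
```

In the first design the item opens for anyone who can read the device secret, whatever passcode the user set. In the second, the protection is only as strong as the passcode and the cost of each derivation attempt.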

