Researchers in Germany say they’ve been able to reveal passwords stored in a locked iPhone in just six minutes, and they did it without cracking the phone’s passcode, reports “PC World” (http://www.pcworld.com/article/219245/).
The attack requires possession of the phone and targets the keychain, Apple’s password management system. Passwords for networks and corporate information systems can be revealed if an iPhone or iPad is lost or stolen, according to the researchers at the state-sponsored Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT).
The attack is based on existing exploits that provide access to large parts of the iOS file system even if a device is locked, they add. Among passwords that could be revealed were those for Google Mail as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, WiFi passwords and some app passwords, according to “PC World.”
The situation is worrisome for companies that allow employees to use iPhones on corporate networks, because the attack can reveal network access passwords. “Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” says Fraunhofer SIT.