All Your iPhone Passwords Can Be Stolen In Under Six Minutes

Illustration for article titled All Your iPhone Passwords Can Be Stolen In Under Six Minutes

A lost iPhone means more than having to rebuild your contact list. Because researchers have shown that it only takes six minutes to access every password that's stored in the device's keychain. Email, voicemail, Wi-Fi, VPN, Exchange—it's all at risk.


Have a foolproof passcode for your phone? Doesn't matter. The twisted beauty of this particular hack is that it circumvents the lock screen entirely. Because as you can see in this video, a jailbroken handset still allows access to a huge swath of the iOS file system, including where all your secret codes are stored.

Fortunately, successfully wresting passwords from a found phone does take some level of technical expertise; after jailbreaking, the researchers installed an SSH serve on the iPhone (or iPad), allowing outside software to be run on the device. Once that's done, they copied a keychain access script to the phone that uses iOS system functions to access and output your keychain entries.

Which is to say, all of your stored passwords. And if your phone was issued by your company, that includes corporate network access codes.

So how fast does it this happen? This fast:

The only way to stop the attack would be with a remote wipe through the Find My iPhone app. Otherwise, the researchers from Fraunhofer SIT caution, you're due for a major security overhaul:

"Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts."

All phones are vulnerable in their own way. But knowing that a lost or stolen iPhone makes the rest of your digital life vulnerable as well, even if it's password protected? That's terrifying.


My phone is constantly with me. I am constantly taking a pocket inventory of 'keys, wallet, phone...keys, wallet, phone..." If it's missing I'll know pretty quickly. Everything important is backed up, I use randomized passwords, I keep fresh passwords pre-generated and ready to implement, I use a lock screen with a long passcode, and I can execute a search or remote wipe from nearly anywhere.

Sometimes I feel a bit neurotic, but I love the convenience of this phone, and I'll be damned if I get pwned by some punk ass crook that thinks he's so effing clever.