Lost your iPhone? Got it password protected? It may not be enough to stop hackers.
Researchers in Germany have discovered a way to get inside the iPhone in just six minutes--without using a password, PCWorld reports. Basically, after jailbreaking the phone, they simply targeted Apple's password management system, keychain, to get a huge cache of sensitive information.
Jailbreaking is more commonly performed by iPhone users who want to bypass Apple's restrictions on outside software. In this hack, the researchers were then able to install software that rendered passwords in the keychain vulnerable.
PC World explains,
The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.
Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes.
"As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well," the researchers said in a statement. "Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset. Once the respective service returns the new password to the user's e-mail account, the attacker has it as well."
Their recommendation? Change all of your stored passwords should your phone be lost, or stolen.
Watch the video explaining the hack below: