

iPhone Attack Reveals Passwords in Six Minutes - ukdm
http://www.pcworld.com/article/219245/

======
program
This is not actually "news". Every piece of technology can be cracked/hacked
if you have physical possession. The "Fraunhofer Institute Secure Information
Technology" used an iPhone only because the device attracts more attention than
others.

The PDF remote exploit that forced Apple to release iOS 4.0.2 was news.

~~~
jvdongen
Except that storing the passwords in encrypted form in a keychain is
explicitly meant to shield them from prying eyes even in the event the
hardware falls into the wrong hands. You may get at the file, you just can't get
at the data.

At least - that is what I as a user would want and expect. And from a
technical point of view, that situation can be achieved with modern crypto.
Clearly, the way Apple implemented it is not sufficient in this regard. That
is the news.

~~~
program
It's not true, because Apple encrypts the keychain entries with Triple-DES (which
isn't modern crypto, but it's better than nothing).

If you get the file, you can't read it unless you have the password. The
"attackers" load the code onto the phone and then get the entries using
the system API, which is very (very) different from having only the file and/or
only a non-jailbroken phone.

I repeat, !news.

------
RiderOfGiraffes
Dup: <http://news.ycombinator.com/item?id=2201213>

No votes, no comments, no attention, no traction.

~~~
stcredzero
Newsflash: You can do what you want on a jailbroken iPhone. This includes
running Keychain tools.

The same goes for laptops, and has been true forever. Physical possession = no
security applies. Not news, exactly.

~~~
DougBTX
The keychain is encrypted with the user's login password on OSX; you need the
login password to decrypt the passwords stored in the keychain. The point
being made in the article is that changing your iPhone PIN/password does not
re-encrypt the saved passwords, since they are encrypted with a fixed key.
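
The design difference discussed in this thread (items sealed under a fixed device key versus a key derived from the user's passcode), as an added sketch that is not part of the thread and not Apple's implementation. `DEVICE_KEY`, `SECRET`, the passcodes and the toy HMAC-based cipher are all constructed assumptions.

```python
import hashlib, hmac, os

DEVICE_KEY = os.urandom(32)  # constructed stand-in for a fixed per-device key
SECRET = b"constructed-example-password"

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Toy HMAC-counter keystream; stands in for a real cipher (stdlib has no AES).
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _stream(_mac(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        return None  # wrong key or tampered blob
    ks = _stream(_mac(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def passcode_key(passcode, salt):
    # Key depends on both the passcode and the device key.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode() + DEVICE_KEY, salt, 100_000)

def compare_designs():
    salt = os.urandom(16)
    fixed_blob = seal(DEVICE_KEY, SECRET)                   # design A: fixed key
    bound_blob = seal(passcode_key("1234", salt), SECRET)   # design B: passcode-bound
    return {
        # A: code on the device opens the item; the passcode is never consulted,
        # so changing it changes nothing about this blob.
        "fixed_without_passcode": unseal(DEVICE_KEY, fixed_blob),
        # B: the device key alone, or a wrong passcode, does not open the item.
        "bound_device_key_only": unseal(DEVICE_KEY, bound_blob),
        "bound_wrong_passcode": unseal(passcode_key("0000", salt), bound_blob),
        "bound_right_passcode": unseal(passcode_key("1234", salt), bound_blob),
    }

if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {result}")
```

With a short numeric passcode, design B still depends on the device key being entangled in the derivation and on a slow KDF to limit guessing.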

