
iPhone passcode bypassed by security researchers

A group of German researchers at the Fraunhofer Institute for Secure Information Technology report that they've cracked the iPhone's keychain system, allowing access to the passwords saved on any phone in just six minutes.

By jailbreaking the target phone and installing an SSH app on it, the hackers found they could access any information on the phone that they wanted, without the need to input a passcode or any other form of security from the user. In other words, if they can get their hands on your iPhone, they have access to everything on the keychain, which includes any Gmail or Exchange accounts saved on the phone, as well as network, Wi-Fi and voicemail passwords, as well as the passwords on some apps.

You can read the full report as a PDF online. The only remedy Fraunhofer offers in the report is that the owner of a lost or stolen iPhone must assume that every password stored on the handset is compromised, and change them all as soon as possible.

It's hard to think what Apple might be able to do about this -- as long as the phone can be jailbroken, this seems possible, and obviously Apple hasn't been able to stop jailbreaks in the past, for a number of reasons. On the other hand, this hack needs access to the phone itself, so if you don't lose your phone, you're still good to go.

Categories: Apple, iPhone, iOS


23 Comments

smak

The amount of misinformation in these comments is absurd. If you don't know anything about the keychain, or iOS security, you probably shouldn't be lending your opinion on the validity of this hack.

Like it or not, iOS has piss-poor security from a professional hacking standpoint, and it puts all of your password data at risk.

This is a fairly large issue that Apple should address for the good of its users, and thankfully, it is easily remedied at the cost of a little user unfriendliness (which will most assuredly keep Apple from actually fixing the problem... oh the irony of all).

February 11 2011 at 7:56 PM
indiekiduk

This is nothing new; the WiFi Passwords app in Cydia has been doing this for months.

February 10 2011 at 6:10 PM
SammyVX

Those who read the paper would find out that the key point is this:

"Our script reveals the always unencrypted settings (e.g., user name, server, etc.) for all stored accounts. For the account types marked "w/o passcode" in Table 1, also the account’s cleartext secrets are revealed. This indicates that an attacker would not need to know the user’s passcode, nor would he need to exploit new vulnerabilities to reveal these secrets. The results were taken from a passcode protected and locked iPhone 4 with current firmware 4.2.1."

However:

"Secrets within other protection classes, such as passwords for websites, could not be revealed in our lost device scenario. In our proof of concept implementation, these secrets — marked "protected" in Table 1 — were available to the script only after entering the passcode to unlock the device, which by assumption should not be possible for an attacker."

Thus the only secrets available are the ones that are marked as "without passcode" by design. If you read the Apple Keychain Services Reference and specifically SecItemAdd(), you will see that the CFDictionaryRef attributes parameter is used to specify whether or not the keychain item being added is a password and should be protected (based upon the keychain item type attribute being used). As the paper admits, this is a necessary trade-off between security and user experience, i.e. allowing the phone to access WiFi immediately after boot before being logged in. The paper also admits this is not iOS specific and other operating systems are likely to make the same trade-offs. This isn't an exploit; it's simply explaining technical details of how the system works and the trade-offs it makes.

February 10 2011 at 5:43 PM
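The comment above describes the SecItemAdd() attribute dictionary deciding which of the paper's two columns a keychain item lands in. The following is an added example, not code from the article, the Fraunhofer paper or Apple's documentation; it uses the real kSecAttrAccessible attribute key (iOS 4.0 and later) to store one secret in the "w/o passcode" class and one in the "protected" class, and reads one back. The service and account names and the secrets are made up for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example: the kSecAttrAccessible value passed to SecItemAdd() is what
// decides whether a secret is readable from a locked device or only after the
// user enters the passcode. Service/account names below are illustrative.

// Store a secret under a chosen protection class.
static OSStatus StoreSecret(NSString *service, NSString *account,
                            NSString *secret, CFTypeRef accessibility) {
    NSDictionary *item = @{
        (__bridge id)kSecClass:          (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:    service,
        (__bridge id)kSecAttrAccount:    account,
        (__bridge id)kSecValueData:      [secret dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecAttrAccessible: (__bridge id)accessibility,
    };
    // Delete any stale copy so a re-run does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)item);
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Read a secret back. While the device is locked, an item stored under a
// "WhenUnlocked" class fails here with errSecInteractionNotAllowed (-25308);
// an item stored under kSecAttrAccessibleAlways is returned regardless.
static NSString *ReadSecret(NSString *service, NSString *account, OSStatus *status) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (*status != errSecSuccess) return nil;
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Weak setting: behaves like the "w/o passcode" rows in the paper's
        // Table 1, i.e. recoverable from a locked device. Apple later
        // deprecated this value.
        StoreSecret(@"example.wifi", @"guest-net", @"hunter2",
                    kSecAttrAccessibleAlways);

        // Corrected setting: the item's class key is protected by a key
        // derived from the user's passcode, so it is readable only while the
        // device is unlocked, and the ThisDeviceOnly variant keeps it out of
        // backups that could be restored onto another device.
        StoreSecret(@"example.mail", @"user@example.com", @"correct horse",
                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly);

        OSStatus status;
        NSString *mail = ReadSecret(@"example.mail", @"user@example.com", &status);
        NSLog(@"mail secret: %@ (status %d)", mail, (int)status);
    }
    return 0;
}
```

Build this into an iOS app with the Security framework linked and ARC enabled; the interesting check is to call ReadSecret() from a background task after the device locks and observe that the mail item reports errSecInteractionNotAllowed while the WiFi item still returns its value. For an app's own credentials the WhenUnlocked (or AfterFirstUnlock, for background network access) classes are the right default; Always only makes sense for data that the phone genuinely needs before anyone has entered the passcode.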
Chase

Unless they changed it, you could have the strongest password on your Mac, but if you can get hold of an installation disk, you can boot to disk and remove the password. Essentially the same thing. Then all of your data on your computer is in jeopardy as well. You could secure it with the Vault, but if you for whatever reason forget the password, your data is lost too.

It isn't an easy problem to fix, if there is a solution at all. Don't lose your phone? Don't let shady people play with your phone? I don't know. Get a proximity alarm. If you step too far away from your device, it yells for you.

February 10 2011 at 5:37 PM
bm

I don't mean to be flippant, but this is kind of a "well, duh" story, and I'm not so sure it is "news".

If you pull the hard drive out of any system that isn't using an on-disk encryption scheme, hardware encryption, etc (not very common outside of tightly managed IT environments) you have nearly instant access bypassing all on-screen login prompts, file system security, etc.

Want strong security? You're going to need to use a product designed for your requirement (FIPS 140, etc, etc products are all out there, and they're not suitable for the normal user in terms of the restrictions they impose, the CPU-intensive nature of their algorithms, performance, etc - but they are secure).

You can find 3rd party apps/enterprise provisioning systems through Apple's enterprise program that use all kinds of systems to provide security beyond what could be compromised here on iOS, but no, the Angry Birds high score you rack up or any other common App Store app you download isn't immune to a well-educated and determined nogoodnik who has your phone, but that's not news and I think it's unreasonable to expect Apple would protect against that beyond Find My iPhone/Remote Wipe.

February 10 2011 at 5:28 PM
Cpatube-1

Does this mean that cydia apps can potentially steal passwords from the jailbroken devices they are installed in?

February 10 2011 at 5:10 PM
Adrian

What happens if you've already jailbroken and changed the root password? Doesn't that require a complete restore before they can get information?

February 10 2011 at 4:29 PM
3 replies to Adrian's comment
Lewis

In my opinion, this isn’t much of a vulnerability for a couple of reasons. Firstly, it requires physical access to the device, so the additional step of stealing an iPhone is required. Not many people would go to the bother of stealing a phone then going through all the steps to gain access to a few passwords. Also, the first thing someone thinks to do after stealing a phone isn’t to turn it off, so what is to stop me tracking the phone or remote wiping it using the free Find My iPhone service?

Secondly, correct me if I’m wrong, but jailbreaking tools require the device to be restored with a custom firmware. Doing so wipes the device and so, unless they also have access to the computer you back up to, they won't have access to any files on the phone — only a fresh install of (jailbroken) iOS. If they could somehow restore my system, unless they knew my passcode, they could not turn off Find My iPhone, so I could track them or wipe the device.

February 10 2011 at 4:27 PM
1 reply to Lewis's comment
Adrian

There are jailbreaks that don't require custom firmware; you just jailbreak in DFU mode, leaving all information on the phone after the jailbreak.

February 10 2011 at 4:40 PM
ryan.marsh

Physical access is total access, is anyone surprised?

February 10 2011 at 4:23 PM
jeremyj

While these keychains should be encrypted as they are on the Mac, it should also be noted that any time you lose an electronic device, no matter if it is a phone or a card with a magnetic strip on it, you should consider that all info on that device has been compromised. If you lose your iPhone now, you can remote wipe it for free. Even though this isn't as advertised as it should be, not many phones provide that service for free without an Exchange account of some sort.

As for the things stored in the keychain, while they should be encrypted, if you lose track of a device or hard drive that contained the keychain, or any password management software, you should consider those passwords compromised and change all of them as quickly as you can. This is just good personal data security procedure that no one follows or thinks about when these stories come up. All electronic devices, given time and resources, can be cracked. Doubly so for consumer goods with features made to make security more transparent.

February 10 2011 at 4:22 PM
© 2012 AOL Inc. All Rights Reserved.