A lost iPhone means more than having to rebuild your contact list. Because researchers have shown that it only takes six minutes to access every password that’s stored in the device’s keychain. Email, voicemail, Wi-Fi, VPN, Exchange – it’s all at risk.
Have a foolproof passcode for your phone? Doesn’t matter. The twisted beauty of this particular hack is that it circumvents the lock screen entirely. Because as you can see in this video, a jailbroken handset still allows access to a huge swath of the iOS file system, including where all your secret codes are stored.
Fortunately, successfully wresting passwords from a found phone does take some level of technical expertise; after jailbreaking, the researchers installed an SSH serve on the iPhone (or iPad), allowing outside software to be run on the device. Once that’s done, they copied a keychain access script to the phone that uses iOS system functions to access and output your keychain entries.
Which is to say, all of your stored passwords. And if your phone was issued by your company, that includes corporate network access codes.
So how fast does all this happen? This fast:
The only way to stop the attack would be with a remote wipe through the Find My iPhone app. Otherwise, the researchers from Fraunhofer SIT caution, you’re due for a major security overhaul:
“Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords. Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.”
All phones are vulnerable in their own way. But knowing that a lost or stolen iPhone makes the rest of your digital life vulnerable as well? That’s terrifying.