A Russian password-cracking company has released software it says can recover passwords stored on Apple's latest iPhone without modifying the device or any of the data stored on it. ElcomSoft of Moscow says the latest version of its iPhone Password Breaker will recover the encrypted keychains that the iPhone 4 uses to store …
Light blue touch paper and retire
Now where's my beer and troll-watching hat?
Light blue touch paper and retire
Oh crap, can it break 1Password?
I told everybody....
...that when Apple becomes as big as MS, we will start to see how crappy their products are, how weak their systems are and how evil Jobs is. No one believed me.
Antenna, security, weird software developer policy.....well....let's see what is next.
There's "Fail", "Epic Fail", and "Epic Fail, directed by Michael Bay"...
... I'll leave the choice of which one fits your post best as an exercise for the reader.
Here, have some clue: iPhone backups are encrypted using AES128 encryption with a 256-bit key. This is an industry standard even the *US Government* uses for securing secret data.
The Elcomsoft application discussed in the article doesn't actually run on the iPhone: it's a *Windows* app. And note that they tout its GPU acceleration as a key selling point.
Yes, it'll run the usual cracking techniques, so the dictionary scan element will find a weak password in minutes. BUT... if you're using a strong, complex passcode or pass-phrase, even with their GPU acceleration, you're still going to be looking at a cracking time measured in hours, or, for seriously secure pass-phrases, days!
Why do you think they offer scalable versions of their tools designed to run on as many as *ten thousand* GPU-accelerated machines?
Strong, complex passwords...
From the average smartphone luser, yeah right! How many even changed if from the default password do you think? And how many have a 14 digit-or-greater password as it's got to be that long before it takes any longer than a patient all nighter with a creaky old laptop (it's fun working with pen testers) to break.
IIRC Apple's device "security" has been described as worse than useless and as they get as big a MS this will start to hurt them.
the software 'phones home with the results of your cracking session.
Don't they just do a brute force attack?
Unless ElcomSoft have changed their software significantly, its approach to cracking the actual backup password (the 'iPhone Password Breaker') seemed to be that of a brute force attack (with a few attempts at shortcuts). This new feature just seems to then go on to decrypt the data that represents the on-device keychain (NB. 1Password uses its own data store. Though we have no real way of knowing if it's any more secure.)
My understanding of iPhone/iPod touch backups is this: If you apply a password to the backup of the phone (in iTunes, it's an option when the phone is plugged in) then this is used to encrypt the phone's in-built key (the one that is actually used for the encryption.) Further, the device does the encryption of the data on the way out when being backed up, and it only provides the key encrypted with the user's password from thereon (which is why you can't remove a password once you've set one, without wiping the phone with a full restore.)
I suspect, if you have a copy of the key on disk from before you set a backup password - e.g. in an earlier backup (from a restore point, or via TimeMachine maybe), then it's straightforward for ElcomSoft's 'iPhone Password Breaker' to decrypt your backup. Otherwise it has to crack it the hard way (still not too hard if you used a dictionary password or something a few "st3p5" away.)
None of this prevents just copying the data out of the device directly, per previous reports, if you actually have access to it (perhaps they've fixed that with iOS 4, and/or iPhone 4. There haven't been any attention-grabbing reports about it yet.)
Can any one corroborate, expand, or correct?
@Basic: Sorry to disappoint you.
Elcomsoft's software runs on a Mac or Windows box which has *backed-up* the iOS 4 keychain, rather than running anything on the iPhone itself. Apple could trivially change the encryption method used by updating iTunes, forcing Elcomsoft to modify their application, but it's a losing battle.
All any security system today does is make access *harder*. It cannot make it *impossible*, however: with enough power and brute force, pretty much any security system can be cracked, be it real or virtual. The trick is to raise the barriers so high, potential thieves simply won't bother trying. But you can never reduce the threat to zero.
Elcomsoft's other tools include PDF password crackers, internet password crackers, etc. They all use the same brute force algorithms though. Crackers have been using such techniques for ages, so this isn't new in itself. The GPU acceleration is Elcomsoft's primary selling point. It speeds up the process somewhat. Insecure passwords will usually be discovered within minutes, but a particularly complex passcode or pass-phrase can still take a very long time to hack. Many hours—even days—are not unheard of.
Smartphones generally don't lend themselves to complex pass-phrases and tricky passwords with symbols and numbers as well as letters, simply because most people find them difficult to type. The iPhone is no exception, so Elcomsoft's software should be no surprise to anybody. I don't know if Android phones have a similar "backup" feature, but if they do, expect a similar application for that to appear soon.
(Before anyone asks, Elcomsoft's cracking tools are only available for—drum-roll please!—Windows!)
Can you clarify why it matters which OS runs the cracking software? Surely the whole point is that the passwords can be retrieved from the backups of the phone? Certainly it doesn't matter to me that I could (I don't know if you still can) recover Windows passwords from the SAM files using linux or Windows apps, what matters was that they could be recovered.
The issue here is one of securing the backup files, regardless of which OS you backup to. Also that it still keeps the iPhone out of the reach of serious business or Government, still leaving the Blackberry as the only secure option.
In my experience their stuff works.
In real-life work on encrypted PDF files it will find simple passwords (< 8 chars common word) in a few minutes, but serious passwords can take a while - a 28 character random letter and number password took me six-weeks last year on a 2.8GHz dual CPU.
Re : agreed
Not an expert on cryptography but this suggests to me that you were trying 2E68 passwords a second ( or were VERY lucky)
6 weeks to break a PDF?!
You know you're not getting that 6 weeks back don't you?
You really need to get out more.
Yes - but I was prepared to wait. As for getting out more. the process was running in the background 24/7 so it was no big deal. I was prepared to wait but since they used the same "strong" password on the rest of the documents it was worth it.
Job's Mensis Horribilis just got extended
What started with Jobs sort of admission that not all was well with Lemon 4, his 'Mensis Horribilis' (horrible month) just got extended. He has no one but himself to blame as his arrogant high and mighty attitude is just right to incite people to take him down a notch or two (or 4).
He is learning that notwithstanding his glorious blue anechoic rooms and his talented engineers that he hasn't a monopoly on infallibility.
And if Jobs thinks it can't get any worse, just wait!
Just wondering, but did Jobs personally kill your pet hamster or something?
If there is an article mentioning Apple, here you are talking about Lemons and 'having a go'
It's not big, and it's not clever. Please try to get a life.
new update soon
it's perfectly simple
if you store your passwords on a device they're not secure. It's a simple as that.
So you need physical access to the computer the phone has been backed up to?
There are few systems you can't break into if you have unlimited physical access to them though,
As security vulnerabilities go it's a bit of a non-story.
Fanbois, stop the justification
and just accept Apple is run by humans, not gods.
They are just as vulernable as the rest of us.
BANG goes the iPhone bubble for those who value more that looks.
Apple don't store the passwords to email accounts in backups. That's why if you restore from one, you need to setup your email accounts again.
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...