A group of German researchers has been able to reveal stored passwords from a locked iPhone in under a tenth of a minute, and without cracking the phone's passcode.
The attack requires physical possession of the phone and targets Apple's password management system, called "Keychain". Keychain, first introduced in Mac OS 8.6, stores various types of passwords, such as those for FTP servers, SSH accounts, network shares, wireless networks and groupware applications, along with private keys, certificates and secure notes.
The attack compromises passwords for networks and corporate information systems by making use of existing exploits that provide access to large parts of the iOS file system, even on a locked device.
For the attack to run, the phone has to be jailbroken with an SSH server installed. The attack script is then copied to the phone, where it uses the phone's own functions to retrieve information from Keychain and output it. This is demonstrated in the video embedded below:
Explaining the attack, the German researchers said:
The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode.
Even though the attack retrieves passwords from Keychain, other protection classes remain safe from it. Among the passwords retrieved in the test were those for Google Mail set up as an MS Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN, WiFi networks and some apps.
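Since the researchers note that keychain items in other protection classes are not exposed, the practical mitigation for an app author is to store secrets under a class whose key is only available while the device is unlocked. The following Swift snippet is an added example, not code from the article or the researchers; it uses the iOS Security framework's real SecItem API, and the service and account names are placeholders.

```swift
import Foundation
import Security

// Stores a secret as a generic-password keychain item bound to the
// "when unlocked, this device only" protection class, so the item is
// encrypted under a key that is unavailable while the device is locked
// and is not migrated to other devices through backups.
func storeSecretBoundToPasscode(service: String, account: String, secret: Data) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier copy first: SecItemAdd will not overwrite an
    // existing item, so a stale item with a weaker class would otherwise remain.
    SecItemDelete(lookup as CFDictionary)

    var attrs = lookup
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

// Reads back the protection class actually recorded on the stored item,
// so a test or audit can confirm the weaker default was not used.
func protectionClass(service: String, account: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any] else { return nil }
    return attrs[kSecAttrAccessible as String] as? String
}

// Placeholder service/account names (constructed for this example).
let status = storeSecretBoundToPasscode(service: "example.vpn",
                                        account: "placeholder-user",
                                        secret: Data("placeholder-secret".utf8))
let cls = protectionClass(service: "example.vpn", account: "placeholder-user")
let bound = (status == errSecSuccess) &&
            (cls == (kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String))
```

Run on a device with a passcode set, `bound` is true only when the item was stored under the passcode-bound class; any other result means the secret would fall into the class the researchers were able to read.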
For now, since there is no fix for this, owners of lost iDevices should change their passwords immediately.