
Onboard Encryption Insufficient For SmartPhone Security

Fraunhofer-Gesellschaft : 11 February, 2011  (Technical Article)
Test on iPhone by Fraunhofer demonstrates the ease with which on-board encryption can be voided and sensitive information, including passwords, recovered from the device
Passwords are not secure on iPhones that are lost. This is the result of tests carried out at Fraunhofer Institute SIT in Darmstadt, Germany. Within six minutes the institute’s staff was able to render the iPhone’s encryption void and decipher the passwords stored on it. If the iPhone is used for business purposes then the company’s network security may be at risk as well. The flawed security design affects all iPhone and iPad devices containing the latest firmware.  



Many people think that smartphone device encryption provides sufficient security. “This opinion we encountered even in companies’ security departments,” says Jens Heider, technical manager of the Fraunhofer SIT security test lab. “Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time.” The testers did not even have to break the 256-bit encryption to get to the passwords stored in the devices’ keychain. Instead, they used a weakness in the security design: the secret on which the encryption of the targeted passwords is based is stored in the device’s operating system. This means that the encryption is independent of the personal password, which is actually supposed to protect access to the device.
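The design weakness described above can be modelled in a few lines. This is an added illustration, not Fraunhofer's code and not Apple's implementation: it compares a key derived only from a secret kept on the device with a key that also requires the user's passcode. All names and sample values are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified blob
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def device_only_key(device_secret):
    # Design the article describes: the key depends only on a secret kept on the device.
    return _subkey(device_secret, b"keychain-item")

def passcode_bound_key(device_secret, passcode, salt):
    # Assumed hardened design: the user's passcode is a required input to the key.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt + device_secret, 200_000)

def open_without_passcode(blob, device_secret):
    # What a party holding the device and its stored secret, but not the passcode, can open.
    return unseal(device_only_key(device_secret), blob)

# Constructed sample values, not taken from any real device.
DEVICE_SECRET = bytes(range(32))
SALT = b"constructed-salt"
ITEM = b"vpn-password-example"
weak_blob = seal(device_only_key(DEVICE_SECRET), ITEM)
bound_blob = seal(passcode_bound_key(DEVICE_SECRET, "correct horse", SALT), ITEM)

if __name__ == "__main__":
    print("device-only design :", open_without_passcode(weak_blob, DEVICE_SECRET))
    print("passcode-bound     :", open_without_passcode(bound_blob, DEVICE_SECRET))
```

Binding the key to the passcode only protects as far as the passcode itself is hard to guess, so a short numeric code still limits what this design can achieve.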



Any device using the iOS operating system can be attacked in this way, irrespective of the user’s password. As soon as attackers are in possession of an iPhone or iPad and have removed the device’s SIM card, they can get hold of e-mail passwords as well as access codes for VPNs, WLANs and company networks. Control of an e-mail account allows the attacker to acquire even more passwords: for many web services, such as social networks, the attacker only has to request a password reset. Once the respective service returns the new password to the user’s e-mail account, the attacker has it as well.



Companies wanting to protect themselves against the consequences of such attacks should educate their staff accordingly and introduce appropriate emergency procedures. Employees who have lost their iPhone should change all their passwords, and companies should change the respective network identifications as quickly as possible. Jens Heider: “This reveals how well the security concept has been adapted to the mobile challenge.”
   © 2012 ProSecurityZone.com