Researchers at the Fraunhofer Institute have demonstrated an easy and repeatable way to get at account details stored on a passcode locked iPhone.

There is no such thing as perfect security, but it can be better than the current state of affairs. Researchers at the Fraunhofer Institute in Germany have demonstrated an easy and repeatable way to get at the accounts including passwords stored on an iPhone.

They have to have actual physical possession of the phone being hacked, but this makes lost or stolen phones completely insecure - which is bad news for the corporate use of the iPhone. Given that the procedure only takes six minutes, it is even possible that the phone could be removed, compromised and returned without the user being aware that all their account information has been downloaded.

The attack is directed against keychain, the account/password manager which stores user details including passwords and certificates used to access third party systems such as corporate networks and email accounts.

The keychain is regarded as secure because in a locked phone the user's passcode is required to access it. Unfortunately there are ways to access keychain without knowing the passcode and the real surprise is that once you get into keychain it contains a great deal of information in unencrypted form. In other words, it relies on the phone's main access security for its protection.

The correct way to do the job would be to encrypt everything within the keychain using the passcode as part of the key. The reason that keychain doesn't do this is that it is more convenient to allow the phone to make connections without asking the user for the passcode. Other phones may well make the same trade off between convenience and security.

The attack proceeds by first jailbreaking the phone so that software can be installed on it. Then an SSH server is installed which allows applications to be installed and run, and a keychain access script is uploaded which outputs the account details stored there. In total this takes only a few minutes and it is repeatable and doesn't depend on any special knowledge of the user.

The reason that keychain data can be accessed so easily is that some of it isn't encrypted. User name and server details for all accounts are in the clear and for some types of account even the password is in the clear - including exchange mail, VPN (both IPSec and PPP) and LDAP.

The researchers do admit that passwords for some account types are securely encrypted and gaining access to these would require a lot more work. They also point out that in many cases having access to servers and email accounts would be sufficient to find out other information that would eventually lead to the same secrets via password recovery services that send the password to the email account.

You can read about the details in the paper which includes a table of which types of account are protected and which are in the clear once you are inside keychain.