Loss of Privacy

In less than six minutes, anyone, including you, can recover your lost password on your iPhone.

The technique, developed by researchers at the Fraunhofer Institute for Secure Information Technology, builds upon existing methods that researchers have used to jailbreak iPhones and gain access to the device’s file system. It also requires that the attacker have physical access to the phone, so it can’t be done over the air. But what it can do is enable the attacker to recover passwords stored on the phone that are used for email, VPNs, WiFi networks and other applications.

The researchers performed their attack against an iPhone 4 with the latest firmware installed, that wasn’t jailbroken. They said that it could also be used against an iPad.

“After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain. The decryption is done with the help of functions provided by the operating system itself. Our script reveals the always unencrypted settings (e.g., user name, server, etc.) for all stored accounts. For the account types marked “w/o passcode” in Table 1, also the account’s cleartext secrets are revealed,” Jens Heider and Matthias Boll said in their paper on the iPhone attack .

There’s no need to ever know the original user’s password. Although this method may not be able to recover the user’s passwords for things such as facebook and gmail, it still gives them a nice iPhone.



From ubergizmo:

The iPhone is equipped with a facial recognition system, dubbed MORIS, that allows the police to snap a picture of the person, which is sent back and compared against a database of bad guys that the state is currently compiling, finding out if you’re on a wanted list or not. While it’s currently using facial recognition, there is also an iris identification feature in the works, along with a fingerprint reader. Of course, it’ll be interesting to see if the iPhone’s camera is good enough to capture minute details of the iris and fingerprints in order to make a positive match, but we’ll see.

PinchMedia, a company that offers a service to iPhone application creators about how their apps are used after installation is gathering more details than is necessary.  Similar to the Palm Pre problem, instead of just reporting how the app is used, the company freely admits that it does much more;

The ID number of your device, the model and operating system version, application name and version, whether the device is jailbroken, whether the app is pirated, how long the app has been used and the user’s co-ordinates (latitude and longitude). If FaceBook is enabled the gender and age of the user is also reported.

Users are unaware that this is happening and there is no opt-out for these apps.  This is, without a doubt, spyware, and violates Apple’s EULA.  Tell Apple that you aren’t going to put up with this type of business model.  Vote with your wallet and tell as many people as you can.

The new iPhone 3GS is completely useless for businesses because it’s encryption is easily defeated in less than two minutes.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

The iPhone is broken, for all intents and purposes, for anything that needs to be secure.  This includes passwords, credit card details, and social security information.