Researchers Outline iOS Attack to Access Stored Passwords in Six Minutes
FierceCIO reports that researchers from Germany’s Fraunhofer Institute for Secure Information Technology say (PDF) they can break into an Apple (AAPL) iOS device (iPhone or iPad) to extract stored passwords in just six minutes. The attack requires physical access to the iOS device. Once boosted, large swaths of the iOS file system could be swiftly pried open by hackers.
Data that can be exploited include account passwords for MS Exchange ActiveSync, LDAP, VPN, and Wi-Fi. A successful attack starts with a jailbreak, followed by installing an SSH server to load a script to get access to the keychain entries which contain the passwords.
Based on this weakness, the author says that iOS needs work, “… a proper implementation of security using best practices could require a rewriting of key security components in Apple’s iOS.” He concludes that “… organizations deploying the iOS hardware at the moment might find it prudent to perform encryption at the app level instead of relying on the iPhone’s or iPad’s broken passphrase system.”
iPhone Password Hack Shows Flawed Security Model
Ars Technica has a different article on the latest iOS vulnerability. Ars argues that the attack isn’t entirely new, and is actually a product of Apple’s “DRM approach” to security. Forensics expert Jonathan Zdziarski told Ars that similar exploits have been around since Apple introduced the iPhone 3G. According to Mr. Zdziarski,
The real problem is that Apple hasn’t yet fully implemented a truly secure environment for iOS. Apple has … been relying on their DRM know-how, and just erasing the label that says ‘DRM’ and calling it ‘security. The problem with this is that DRM only makes things a little more difficult for hackers.”
“Real security relies on the strength of the key, and the secrecy of the key,” Mr. Zdziarski continued. “And as long as the keys are all stored on the iPhone and don’t rely on a user password, they can easily be compromised.”
The Ars article says that while Apple has continually improved the iDevices information security, they all have the same flaws. Mr. Zdziarski told Ars he believes Apple is pushing to make iOS devices compliant with the FIPS 140-2 (PDF) security standards. However, he warns that. “… at the end of the day … Apple will need to abandon their DRM approach if they want true security, as opposed to just some fancy marketing strategies.”
VMware Unleashes Virtual Desktops for Apple iPad
Network World is reporting that VMware (VMW) has released VMware View Client for iPad to the Apple App Store. “We’ve been working on it since the middle of last year,” says Pat Lee, director of end-user computing clients at VMware.
VMware said it had trouble making Windows work as a virtual desktop on the iPad. “Windows really isn’t touch-savvy,” Lee says. VMware tried to adapt the iPad experience to Windows. “We spent a lot of time building custom gestures to make sure it blends into the iOS experience,” Lee says.
VMware created a virtual trackpad that can appear on the screen. “We want it to be as logical as possible,” Lee says. VMware promised “instant-on” access to Windows desktops from the iPad, as well as support for Bluetooth keyboards. VMware is using PCoIP to deliver the remote desktops and says the client will offer a secure connection to server-hosted desktops. The View client for iPad will be free for existing users, who are charged either $150 or $250 per seat.
The VMware announcement comes after Citrix (CTXS) released Receiver for iPad, and Parallels developed Parallel’s Mobile, an iPad desktop application.
Contracts HD for iPad: Give Contracts the Finger
Hat tip to AppScout for finding Contracts HD for iPad. They say that it is one of those apps that is breathing life into the existence and usefulness of the tablet device. Contracts HD is designed to allow any Apple (AAPL) iPad user to create, collaborate, sign, and email completed contracts using iPad’s dynamic touch-screen interface. The app also provides a database of contract templates for which anyone can add an addendum to all existing contracts, auto-fill appropriate fields within the contract with your exact information, and allows both parties to sign contracts safely and securely by using a fingertip.
Once the contract is signed, and all parties have received their PDF copies via email, you can save contracts to a secure archive for easy access later. Contracts HD also has a little brother app for iPhone that enables you to synchronize contracts between devices. Contracts HD for iPad is $9.99 in the iTunes App Store ($4.99 for the iPhone version).
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.