Welcome to the iPhone fold, Verizon (VZ) customers. I heard it was cold out there for a few of you.
Not to dampen your spirits too much, but there’s some bad news floating around the Internet today just in time for all that new device revelry: apparently, hackers can get into your lost or stolen iPhone and retrieve your passwords. Also — it takes roughly six minutes.
MSNBC.com is reporting that German researchers have discovered they can access the iPhone’s “keychain,” its database of stored passwords, with relative ease. After running a few scripts to get access to the encrypted password management system, it’s only a matter of tricking the iPhone into opening the system itself by getting the encryption key from your phone’s software.
In fact, six minutes is the high figure, and that’s if you keep your iPhone password-protected, according to the story. If you don’t, the time is presumably even less.
The hack can leave a lot of passwords vulnerable: voicemail is a big one, as are VPN and LADP passwords. It doesn’t sound like your Apple ID is among the items visible to hackers, but your Wi-Fi passwords are, so if you think a neighbor stole your iPhone, they might be getting even more stuff out of you for free than you realize.
Your recourse? Not much right now — the best thing you can do is change all your passwords pretty much the instant you lose your device, the researchers say. There’s not much in the way of a workaround and no solution has been presented by Apple (AAPL) as yet (although it’s only been a few hours since the story broke).
Here’s another thing you can try: Don’t save passwords on your iPhone whenever possible.
As it stands now, Internet passwords, Apple IDs and app passwords, for the most part, aren’t included in this hack. They happen to be stored in a different location with a different encryption, so while they might be vulnerable, this specific research hasn’t shown them to be. Having sensitive information like this saved on an iPhone, however, is a recipe for trouble — best to try to avoid saving passwords at all. It’s by no means a full-proof solution, but it might slow down some would-be hackers and stop short other, less-savvy ones.
A little extra time can be helpful when it comes to losing an iPhone, as far as protecting the owner’s identity and personal security information. Apple’s Find My iPhone app and service, part of its MobileMe framework but no longer costing $100 a year, includes the option to remotely wipe your iPhone. In the case of this hack and ones like it, unless your iPhone is missing in the cushions of your couch, a wipe is probably your absolute best option.
So here’s how to protect yourself, at least minimally: set up Find My iPhone on your new phone immediately. The service can track phones using their GPS signals to help them get found when they’re lost, in addition to the remote wipe service, and both of those options can be accessed from any Internet browser. Second, keep the iPhone clear of any saved passwords whenever possible, to avoid giving any would-be hackers a leg-up. Third, password protect your iPhone. It’s easy to set up in the Settings app, under “Passcode Lock.” It might be irritating to keep inputting a passcode whenever you unlock your phone, but the passcode will stop cursory glances or malicious attempts at your personal information by non-hackers.
And that passcode, according to researchers, gives you an extra six minutes to hit the wipe button — which is better than nothing.
