Researchers outline iOS attack to access stored passwords in six minutes
Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology in Germany say they can break into an iOS device (iPhone or iPad) to extract stored passwords in just six minutes, detailing their technique in a research paper (.pdf) titled "Practical Consideration of iOS Device Encryption Security." While physical access to the iOS device is required for the break-in to work, large swaths of the iOS file system could be swiftly pried open by hackers once in their possession--even if they have been locked with a passkey.
Recoverable data includes a range of passwords such as those from MS Exchange (Exchange ActiveSync) accounts, LDAP accounts, VPN passwords and Wi-Fi passphrases, which is worrying news for businesses that have already deployed the iPad tablet in their corporate networks. A successful exploit starts with a jailbreak performed via existing tools, followed by the installation of an SSH server to load a script to access the keychain entries which contain the passwords.
Of course, jailbreaking an iOS device to load unsigned applications is nothing new here. The researchers could access sensitive data on the iOS device, however, because its encryption schemes do not rely on the passphrase at all. As the research paper noted on page 3, the "required cryptographic key...is completely created from data available within the device and therefore is also in the possession of a possible attacker."
On this front, iPhone forensics expert Jonathan Zdziarski told Ars Technica that: "Real security relies on the strength of the key, and the secrecy of the key." My personal opinion is that a proper implementation of security using best practices could require a rewriting of key security components in Apple's (NASDAQ: AAPL) iOS.
While some think that Apple is pushing to make the iOS platform compliant with security standards such as FIPS 140-2, organizations deploying iOS hardware at the moment might find it prudent to perform encryption at the app level instead of relying on the iPhone's or iPad's broken passphrase system.
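The design difference described above, as an added sketch that is not taken from the research paper or from Apple's code: a key built only from data stored on the device versus an app-level key that also needs a user passphrase. The function names, the `ITERATIONS` value, the constructed device state and the HMAC key check standing in for real encryption are all assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def device_only_key(device_secret: bytes) -> bytes:
    """Key created entirely from data that lives on the device."""
    return hashlib.sha256(b"item-key" + device_secret).digest()

def passphrase_bound_key(passphrase: str, salt: bytes, device_secret: bytes) -> bytes:
    """Key that also depends on a user secret that is never stored."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    # Mixing in the device secret keeps the key tied to this device as well.
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()

def key_check(key: bytes) -> bytes:
    """Verifier stored beside the data so a candidate key can be tested."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def provision(passphrase: str) -> dict:
    """Constructed at-rest state: everything here is readable with physical access."""
    device_secret = os.urandom(32)
    salt = os.urandom(16)
    return {
        "device_secret": device_secret,
        "salt": salt,
        "weak_check": key_check(device_only_key(device_secret)),
        "strong_check": key_check(passphrase_bound_key(passphrase, salt, device_secret)),
    }

def unlock_weak(state: dict) -> bool:
    """Succeeds from the stored state alone; the passcode plays no part."""
    key = device_only_key(state["device_secret"])
    return hmac.compare_digest(key_check(key), state["weak_check"])

def unlock_strong(state: dict, passphrase: str) -> bool:
    """Succeeds only when the caller also supplies the right passphrase."""
    key = passphrase_bound_key(passphrase, state["salt"], state["device_secret"])
    return hmac.compare_digest(key_check(key), state["strong_check"])

if __name__ == "__main__":
    state = provision("correct horse battery staple")
    print("device-only key, no passcode needed:", unlock_weak(state))
    print("passphrase-bound key, wrong guess:", unlock_strong(state, "1234"))
    print("passphrase-bound key, right passphrase:",
          unlock_strong(state, "correct horse battery staple"))
```

The protection of the passphrase-bound key is only as strong as the passphrase itself, since the salt and device secret are stored on the device.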
For more on this story:
- check out this article at PC World
- check out this article at Ars Technica