Researchers in Germany (from the Fraunhofer Institute, the same place that brought us the MP3) have deduced a method to retrieve, without your authorization, all of your iPhone’s secrets. Passwords, that is. And it only takes six minutes. Oh dear.
The attack, which requires physical access to the iPhone (i.e. the attack cannot be done remotely), reveals user passwords and other sensitive information. The phone is jailbroken, then a series of scripts are run that effectively circumnavigate the phone’s encryption. (Note that the encryption isn’t actually broken in this attack.) Passwords for things like e-mail accounts and Wi-Fi networks are readily available to the attacker. And once the attacker has your e-mail account credentials, what’s to stop him from requesting your Facebook or Twitter password be reset? Bam, now he has that, too.
The glitch affects all iOS devices running the latest firmware.
What should you do if you lose your iPhone? Your best bet is to change any and all passwords that may have been used on the device: your e-mail, social networks, Amazon, etc. If you’ve logged into a service using the phone then you need to assumed an evildoer will have access to that password.
Incidentally, The iPhone Guru has step-by-step directions on how you can remove your iPhone’s passcode (the “scroll to unlock” one) with just a few pieces of software. You’d be doing this primarily to demonstrate to yourself how puny iPhone security truly is. How about this: keep your phone glued to your person at all times, lest you find yourself in an unenviable situation.
Now, I understand that one would need physical access to the phone but how hard is that? I work in an office and I see tons of people that leave their phones on their desks while they are walking around the office, at a meeting or otherwise occupied. I've never hacked someones phone because I'm not that kind of person. Who's to say the next person won't be?