SplashID does not challenge user for password after the iPhone is reset

This is likely related to this announcement by Philip Chase of a Vulnerability in SplashID 5.5 http://seclists.org/fulldisclosure/2011/Jan/412

This is a video demonstrating that if you left SplashID running (at the main screen) and reset your iPhone, you are not challenged for your SplashID password after the reset. After the iPhone reset, enter your iPhone password then launch SplashID and it will open right up without asking for the password. In this example the SplashID application lock timeout value was set to 30 minutes. But this will work as long as you have it set to anything longer than 1 minute.

SplashID_example.avi Watch on Posterous

Note that I edited this down a bit so you wouldn't have to wait for the entire reset.

This implies to me that the data is decrypted once you enter the password and remains decrypted until a process returns to encrypt it again (the app timeout value triggers this). This approach is obviously flawed.

Remediation: The vendor told me that they are releasing version 6 shortly which will fix this issue. Until then change the application lock timeout value in Tools, Security Options, Lock on Exit or Sleep and set the value to "1 minute" or "immediately". 

Posted via email from ken5m1th

No comments:

Post a Comment