The software, which is aimed at Forensic Investigators, extracts the password from the keychain once it has been backed up to a computer. ElcomSoft has a variety of similar software that works with other file formats and platforms, such as ZIP and RAR file password crackers, Excel and Word, and a number of others. In the words of ElcomSoft:

ElcomSoft is world’s first to  unlock access to iPhone keychains. Prior to the release of the updated iPhone Password Breaker, the keychains were considered impossible to obtain. The ability to recover stored passwords without altering the phone’s content offers valuable court evidence to investigators and forensic authorities.

On previous versions of the iPhones, the keychains remained encrypted with a hardware-specific device key which was unique to each iPhone, even when exported to an external backup, however, since the release of iOS 4, this is no longer necessarily the case, as they can now be stored in backups that are encrypted only with the backup’s master password. If this password is known, it is possible to gain access to these encrypted keychains. If an unencrypted backup is made, though, the keychains are still protected with the phones hardware key, and therefore, to gain access to the keychains, a password-protected backup must first be made (seems counter-intuitive doesn’t it?).

The ElcomSoft iPhone Password Breaker also employs GPU Password Cracking technology to significantly increase the speed of recovery. A trial can be obtained at http://iphone.elcomsoft.com

Your jailbroken phone could possibly be held for ransom

If you’ve never changed the default device password, now’s the time. Here’s how:

The app to use on the iPhone is called MobileTerminal and it’s available for free in the Cydia store.

Once you have MobileTerminal installed, launch it and you should see a prompt saying this or similar:

iPhoneName: ~ Mobile$

• At that prompt, type: passwd
• You’ll be prompted for the ‘old’ (current) password for the mobile user.  Enter this as the old password: alpine
• You’ll then be prompted to enter the new password – so just type in your desired new password.  Use good password principles if possible (long and stong).  You will not see characters appearing on the screen as you type – that’s normal, not a concern.
• You’ll then be prompted to re-enter the new password.  Do that.
• You should then be returned to the Mobile$ prompt that you started on when opening the MobileTerminal app.  There’s no success message to say the password was changed – but if you’re returned to the prompt and do not get an error, the change was successful.  And you’re done with change for the mobile account.
• The second primary admin account for the iPhone is called root – so now you need to change that as well.
• Type this to switch to the root user: login root
• You’ll be prompted for the root user’s current password.  Enter this: alpine
• Type this to start the password change routine again: passwd
• Enter the old password for root (it is ‘alpine’, same as for the mobile user) and enter your desired new password twice, just as you did for the mobile account

Need to secure your usb drive? Click Here!

Here is how to protect yourself from this vulnerability:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to “Personal Options”.
3. Press 2 to go to “Administrative Options”.
4. Press 1 to go to “Password”.
5. Press 2 to turn your password “ON”.
6. Hang-up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.

Not only that, if you’ve changed the settings then whatever you’ve applied to the double tap action will pop open.

The gigantic security flaw lets unauthorised users call any number they like from your phone.
If that wasn’t bad enough, the second one is even worse: if you tap on the blue arrows next to the names, it will give you full access to the private information in a favorite entry. And it goes downhill from there:

• If you click in a mail address, it will give you full access to the Mail application. All your mail will be exposed.
• If there’s a URL in your contact (or in a mail message) you can click on it and have full access to Safari.
• If you click on send text message in a contact, it will give you full access to all your SMS.

For what it’s worth, a company spokeswoman is quick to point out that the flaw can easily be hidden by changing the home button double-click functionality to take you to the home screen, but most users don’t know that, now do they?