A researcher has delved into the encryption used to protect content on the iPhone 3GS, only to claim it is "entirely useless" and that he had "[never] seen encryption implemented so poorly before". Jonathan Zdziarski spent a couple of minutes demonstrating to Wired that he could copy and decrypt secured information from an …
Can't be true
Everything Apple is perfect, even Steve's jobs don't smell.
No further comments required
The icon says it all.
People who buy the iPhone deserver to have their data stolen and their identities sold to the lowest bidder :P
After all, other studies I've seen on the Reg show how clever they are, so they will be able to recover them, right?
Reminds me of windows 95 password protection
"oh, no! I don't know the password!"
"Oh, it's let me in anyway"
Kinda like having a big steel door in the middle of an open field.
Affects all phones?
Surely any phone that you can install SSH on would be vulnerable to something like this?
Security isn't important
It doesn't matter if an iPhone is secure or not. They're designed to look good and give the user a feel-good factor when they buy one. It's like an adult version of a comfort blanket with an 18-month contract.
They're not supposed to be used for anything important where proper security is a factor.
Windows Mobile - pretty secure as well
sounds like another Windows Mobile feature that we've taken for granted but Apple has adverts making a song and dance when they finally get round to adding ("Cut and Paste" anyone?)
Windows Mobile has featured encryption (both of device memory and storage cards) for quite a while now, and many an Exchange using BOFH has been glad of the remote wipe capability to flatten a lost/stolen device ... and I've not heard many rumours of it being broken with an old straw or a Bic biro ;)
This is like Blazing Saddles
The part where they're riding along and have to pay a toll sitting in the middle of the desert. Apple iPhone 'upgrades' are starting to look more like MS patches.
Is it compatible with the SMS attack or does the receiving device have to be physically plugged into the handset?
Because if it works over the network, it could be, erm, interesting... given how easy it is to find anyone's phone number, you'd just have to send a carefully crafted SMS to one's iPhone and bingo! all the "encrypted" juicy content could be streamed directly to you... time to buy land around Lagos, the prices are bound to rocket!
@Psymon about Windows passwords: and if clicking "cancel" doesn't work, just pull the plug, reboot and start a "recovery" session...
In Apple's defence, wouldn't you need access to the phone in order to install SSH in the first place? I know that when I jailbroke my phone and installed it, I had to go through a series of processes to do it, including restoring my firmware which involved losing the data on the phone anyway.
If you've installed SSH already, well, if you haven't changed the default password, more fool you. I always disable the SSH service whenever I'm not using it: I doubt anyone will try, but it's better to not leave any potential holes open.
So let me get this straight...
1. Fails to secure the data content of the device.
2. Fails to prevent somebody from making any call they choose, even when the device is PIN-locked, without even forcing them to remove the SIM.
3. Fails to prevent jailbreaking (not that this is a bad thing from the consumer's point of view).
4. Fails to prevent removal of restrictions to specific carriers (again, not a bad thing for consumers).
Great work Apple!
@ Richard Hodgson
Sure, you'll need access - but that was the point. Consider an iPhone being stolen, with sensitive data (presumed to be) protected by the encryption.
With a stolen phone, you can bypass its encryption and view the data anyway. The Blackberry won't give up its secrets so easily, if the encryption is enabled!
So sorry, what is the story?
Apart from being bait for the usual "I hate all things Apple" crowd there really is no story here
"With the notable exception of RIM's BlackBerry devices, it's best to assume that once an attacker has physical possession of the phone he'll gain access to the contents pretty quickly."
Oh, so that'll not be Windows Mobile is any better then.
FFS children, get a life
raises (lowers?) the bar
Apple demonstrated already that they don't understand encryption when it came to the provisioning profiles used to sign iPhone apps. Worse use of encryption prior to this.
@My New Handle
A failing Apple product has nothing to do with Windows, nice try - twat.
Lost but not forgotten
Today an acquaintance of mine found a Jesus-thingy on the street. He showed it to me and said he didn't know what to do with it. It was shiny and lit up when the button was pressed. Didn't know the pin but it seemed to work anyway.
Any good ideas Chaps and Chapesses (apart from the obvious). Ha Ha ha.
What I forgot to put at the end of my last comment was that despite these shortcomings I've bought two iPhones, and I still think they're the best handset on the market by a long margin. There is nothing that I would even consider swapping mine for.
Re: So sorry, what is the story?
The story is that this could be done so much better. A phone is just a portable computer, like a laptop. When (say) the MoD lose a laptop and say "Oh, it wasn't encrypted." everyone jumps up and down saying how dumb they are. Why shouldn't we hold manufacturers of similar devices to a similar standard. (They are unlikely to improve if they don't get flamed a bit.)
@My New Handle
There's a large difference between not offering encryption (by default) and offering encryption by default that doesn't actually protect you. The latter is more dangerous as people are more likely to leave sensitive data on the phone thinking it's safe.
Windows mobile does offer encryption out of the box, if you choose to use it, and to my knowledge it isn't broken. I certainly think we'd have heard it it is. Personally I use FreeOTFE on Windows Mobile though.
So yes, Apple is the only one offering broken encryption.
626% growth in one year
I feel your pain
@My New Handle
*sniffs* I smell a fanboi/girl.
Problem with this boss is this, if you saw an iPhone, a WinMo phone and a Crackberry which would you steal?
Now chances are you probably said iPhone because they are all the rage and chances are the street price is alot higher then the other two.
Now say said phone came with interesting files on it (Financial, Photos, Work secrets) and you stole it for the intent purpose to gain access to those. You would be able to do so very easily, without so much as a hiccup when you broke the 'encryption'.
Gotta love people. And Apple for the apparent 'security' they seem to love talking about. Me'thinks the next 5-10 years are gonna be good as more stuff comes out for Macs and the false illusion is shattered.
Centro/Palm doesn't have this problem
Secret!, GNU Keyring and many other applications for the Palm platform do not have this problem.
I have nice 128bit AES encryption for the data on my Centro, and no worries about it falling into the wrong hands.
If the Pre is able to run Legacy Palm apps better than all the Ijoy apple fanbois seem to say it will then Iphone is in big trouble.
@My New Handle:
The relevant IT angle is a Vendor launched and promoted a new security feature that doesn't really work. Worse than not working, users will think it works, and not be protected. I would say most tech types here @ reg would find that interesting (yourself included having read and commented on the article)
BTW where is Cisco with their "I-Phone" they did file the patent and all?........
O did I mention that the Centro does Internet, Google Maps, Office docs (Excel, word, powerpoint etc) cut & paste, video, music, pictures, call recording, etc etc etc for well over a year now... oh it cost the grand total of around $75 over a year ago as well.
(And there are Thousands of GOOD applications for FREE for the Palm platform...note those two key words, Good and Fee who really cares how many Fart apps Iphone has for $10???)
I just hope the Pre isn't a step back from the centro.
Really this itself is not so bad, but for me this otherwise unimportant mistake is the straw that broke the camels back. I am not an Avid Apple user, but have always appreciated why people liked their products and have generally seen them as David to the Goliaths of Microsoft, Intel and IBM.
However I have read several nasty stories about Apple recently. Between poorly implemented security, fashion over function, misrepresentation, to fighting against their customers desires with their product to purposely breaking interoperability Apple has finally crossed the line. I give a Apple a BIG FAIL here for Apple in General....
Apple execs please look in the mirror, if you ever really did have any integrity you have become your enemy. I really no longer consider Apple or Microsoft that different of companies with their general approach to the public, honesty and the running of their business enterprises. (Read I'm not supporting Microsoft, Apple has just sunk to their level.
The only way Apple can fix this for me is to Open Ituens and Iphones, and the Iphone store to more interoperability... if not I consider them poison and would not want to allow their devices in my home. They need to do a total public about face and stop worrying about how they and their products look, and worry more about how their products work and make peoples lifes better. They used to be great at that, but like I said, currently BIG FAIL for APPLE.
re: Reminds me of windows 95 password protection #
Windows 95 password was merely access to network resources - it was never put in to protect the computer or it's data
Insufficient data to formulate a response
This is stupid, anyone with any gumption would set it to wipe the data after x attempts of the wrong passcode. You would need the passcode in order to install SSH and other such substrates.
If you use the iPhone Configuration Utility for business use, you can be even stricter with the security settings.
Of course I could be wrong, but at least give the details for review so that we know that there isn't a heap of impractical prerequisites.
Re: Oh, so that'll not be Windows Mobile is any better then.
Last time I checked, Win Mobile does have a feature to encrypt the data on the storage card.
FAIL for the researcher
You can violate nearly ANY device if you have physical access to it. The fact that he had to install a shell application onto the phone completely violates any forensic policies I've ever heard.
This guy is a media whore, plain and simple.
Apple Sales Techniques
The next model will have much better encryption. This crap version is just preparing the market for the next IMPROVED model.
I thought this has been cracked for at least a year
This would never have happened under the Tories.
Somehow I get the feeling you are missing the point of the article. He is pointing out that anyone with access to the I'maposerPhone will be able to crack the "encryption", not just anyone doing a forensic investigation.
This is just another example of crApple dropping the ball. How long will it take them to implement a proper encryption mechanism for their product, not just the obviously slapdash effort that has gone into it so far. Judging by how long it took them to implement simple things like cut and paste or MMS, it is going to be a long time.
They should start calling it msPhone
Two bucks (what is that these days, a shilling and tupence?) says that you'll see a couple of off the wall presentations at DEFCON next week. And a whole shitload of stolen 3GS's. Crap, we'll see a lot of the latter regardless of what has come out.
I'm afraid you fail at comprehension. Gaining control of a device is not the same as decrypting data on it.
If you steal my laptop you'll be able to gain access to my user account. You won't however be able to decrypt any of my work files.
Actually the above isn't entirely true because I use full disk encryption, so unless you have my password you won't get anything, but for partial encryption as the article is talking about the above is true.
Complete and utter nonsense...
Since the article completely fails to explain how he managed to "remotely install a shell". I wouldn't have thought this possible unless the phone happened to be a jailbroken one in which case surely thats a problem with the user being a moron rather than a problem with the phone??
You don't get to contact Anonymous Coward - it could be anyone.
"How do I contact Anonymous Coward?" ...... By ArgieBee Posted Friday 24th July 2009 20:30 GMT
Most Simply with a Transparent Posting to a Thread they're Infecting/Disinfecting, ArgieBee.
Sure, you steal a phone used for business. I'm assuming that since it's a business phone, it comes unjailbroken, so it shouldn't have SSH running. IN order to jailbreak it, you need to put the phone in recovery mode and flash it with a modified firmware.
This is the important part: By flashing the phone, you erase all data on the device.
I've never been a massive supporter of Apple: I only picked up an iPhone because I managed to get one at a massive discount, but I really do think that this is some of the laziest 'research' I've seen in a while. Do we really need a professional researcher to tell us that by installing SSH, leaving the service running, and leaving the password set as its default that you are opening up your machine to security risks? I'd hope that if you knew what SSH was and had installed it, you'd know the potential implications of using such a service.
Security & Re: Fail for the researcher
There's a simple mantra in computer security...
If you can't physically secure your hardware then you have no security at all.
In other words, 99.9% of all computer hardware / software can be broken if someone can get physical access to it.
This is not news.
@Anonymous Coward Posted Friday 24th July 2009 16:29 GMT
Perhaps I am just old fashioned; easy answer: just hand it in to the Police lost and found bureau or, if he really can "use it", inform the service provider indicated on the device or read the logo on the SIM card or even, shock, horror, go to the nearest shop of that provider and give it to the staff there to inform the owner. Just be decent and do not browse the contents more than necessary to find the owner's number.
However, judging by the nasty spleen vented on these sites, perhaps decency is also out of date.
Pity your and your "acquaintance"'s employers and friends if you are really that dishonest or incapable. Against such people, is any security worth anything, for any device?
Did you bother watching the demo videos before commenting?
Please try to find out what you're commenting on before passing comments. It gets boring reading "ah but no because ..." comments from people who haven't understood the attack being described.
You do not need to wipe the iphone, or have previously jailbroken it, or need SSH preinstalled to decrypt and read the data.
The short version is you use iRecovery with the phone connected to a usb socket, then run some scripts.
Watch the videos at Wired (linked off this article), learn how it's done, then comment. Sigh.
another case of beauty being skin deep!
iPhone is a life style thing and aimed at users who want to impress others. However just like the millions of BMWs that are crowding the streets of Britain, with too many iPhones in the hands of general public, it will soon lose its appeal.
But by then I guess Apple will have introduced yet another superficially attractive gadget.
I wonder if Paris knows how to exploit the security features on her devices!
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...