NEWS: iPhone security cracked, smacked and broken

3GS cheerfully decrypts itself at drop of a hat

A researcher has delved into the encryption used to protect content on the iPhone 3GS, only to discover it is "entirely useless" and that he had "[never] seen encryption implemented so poorly before".

Jonathan Zdziarski spent a couple of minutes demonstrating to Wired that he could copy and decrypt secured information from an iPhone. He removed the SIM to disable any remote-wipe procedures - demonstrating a security risk and concluding that "Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it's entirely useless toward[s] security".

Reply to
John Navas

there is no security if one has physical access to a device and he makes it seem a lot easier than it really is. you still have to hack the device, and removing the sim does not necessarily block a remote wipe. just as push notification works over wifi, so does remote wipe.

Reply to

Properly developed encryption most definitely can secure against physical access to the device (unless physical access is granted while encryption key is known to the device)

The problem here is that the encryption key itself is stored on the device and not properly secured -- Normally for device level encryption you store the system key itself on the device itself, but you encrypt the system key with a user supplied key or passphrase.

This seems overly complicated, but it allows the user to change their password without requiring all data on the device to be decrypted and reencrypted with the new user key/passphrase.

In the iPhone's case, we're only allowed a 4 digit PIN, so without something that effectively secures the system key, an attacker need only try 10000 possible codes, which is trivial for someone with physical access.

While true, airplane mode effectively disables wifi, as does taking the phone to a location without any wifi signals already known to the iPhone.
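The key-wrapping design described in this post (system key stored on the device, but encrypted under a user-supplied secret, so a password change only re-wraps the key), as an added stdlib-only illustration that is not code from the thread or from Apple. Because the standard library has no AES, the wrap is XOR with a fresh PBKDF2 output plus an HMAC tag (a stand-in for a real key-wrap mode such as AES-KW); the iteration counts, the PIN values and the data key are constructed for the demo. The last function shows why the post calls a 4-digit PIN "trivial": it times one derivation and scales it to the whole 10000-code space.

```python
import hashlib
import hmac
import os
import secrets
import time

KEY_LEN = 32  # 256-bit data ("system") key that actually encrypts the storage


def derive_kek(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a key-encryption key from the user secret (PIN or passphrase).

    Returns 2*KEY_LEN bytes: the first half masks the data key, the second
    half keys the MAC. The iteration count is the tunable cost per guess.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=2 * KEY_LEN)


def wrap_data_key(data_key: bytes, passphrase: str, iterations: int = 200_000) -> dict:
    """Produce the only form of the data key that is stored on the device."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be %d bytes" % KEY_LEN)
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    kek = derive_kek(passphrase, salt, iterations)
    mask, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag, "iterations": iterations}


def unwrap_data_key(blob: dict, passphrase: str):
    """Recover the data key; returns None on a wrong passphrase (MAC mismatch)."""
    kek = derive_kek(passphrase, blob["salt"], blob["iterations"])
    mask, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], mask))


def change_passphrase(blob: dict, old: str, new: str) -> dict:
    """Password change: re-wrap the same data key; the bulk data is untouched."""
    data_key = unwrap_data_key(blob, old)
    if data_key is None:
        raise ValueError("old passphrase is wrong")
    return wrap_data_key(data_key, new, blob["iterations"])


def guess_space(pin_digits: int) -> int:
    """Number of candidate codes for an all-numeric PIN of the given length."""
    return 10 ** pin_digits


def estimate_search_seconds(pin_digits: int, iterations: int) -> float:
    """Time one KDF evaluation on this machine and scale it to the whole PIN space.

    With nothing but the KDF standing between an attacker who has imaged the
    flash and the wrapped key, this is the entire cost of the search.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_kek("0000", salt, iterations)
    per_guess = time.perf_counter() - start
    return guess_space(pin_digits) * per_guess


if __name__ == "__main__":
    data_key = secrets.token_bytes(KEY_LEN)  # constructed: generated once at first boot
    blob = wrap_data_key(data_key, "1234", iterations=10_000)
    assert unwrap_data_key(blob, "1234") == data_key
    assert unwrap_data_key(blob, "4321") is None
    blob2 = change_passphrase(blob, "1234", "correct horse battery staple")
    assert unwrap_data_key(blob2, "correct horse battery staple") == data_key
    print("4-digit PIN space:", guess_space(4))
    print("full 4-digit search at 10k iterations: %.1f s" % estimate_search_seconds(4, 10_000))
```

Raising the iteration count buys only a linear factor; the real fix for a short PIN is to tie the derivation to a secret or rate limiter that cannot be copied off the device, so the search has to run on the hardware itself.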

Reply to

So what's your point, NavASS? It's a gawdam PHONE, not a VAULT, moron.

Reply to
George Kerby

... more to the point, it's an iToy phone, not an iToy vault.

Reply to

encryption only makes it more difficult. it can still be cracked, given sufficient motivation. there's also a lot of stuff that's not encrypted, such as safari history or the songs, for example.

the pin code just allows access to the device, it doesn't encrypt the contents.

it actually isn't, because after the 3rd or 4th attempt, the interval becomes longer and longer. at first it's a minute or two, and by the 10th try it's something like a couple of hours. there's also an option to automatically wipe the phone after 10 failed attempts.

other phones are also not secure, and on many phones, the pin code is stored in the clear and can be read with easily available software. plus, a lot of times people don't even change the pin code from the default, making it very easy to guess.

as long as it sees wifi or cell signals, it can geolocate, and it's also surprisingly accurate. it doesn't have to 'know' about the network, assuming you mean previously connected to it.

this also assumes that the original owner hasn't already instigated a remote wipe by the time someone finds it.
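The escalating lockout and optional wipe-after-10 policy this post describes, modelled as an added example that is not code from the thread or from Apple. The delay schedule is constructed to match the post's rough description ("a minute or two" early, hours by the tenth try), not Apple's actual values, and the clock is injected so the policy can be exercised without waiting. The sweep estimate shows what the throttle is worth when guesses must go through the phone's own PIN screen, which is exactly what the later reply about imaging the memory bypasses.

```python
import hmac
from dataclasses import dataclass

# Constructed schedule (assumption, not Apple's real numbers): seconds of lockout
# imposed after the N-th consecutive failure. Failures 1..3 are free.
DELAY_AFTER_FAILURE = {4: 60, 5: 60, 6: 5 * 60, 7: 15 * 60, 8: 60 * 60, 9: 2 * 60 * 60}
MAX_DELAY = max(DELAY_AFTER_FAILURE.values())
WIPE_AFTER = 10  # the optional "erase data after 10 failed attempts" setting


def delay_for_failure(n: int) -> int:
    """Lockout seconds applied after the n-th consecutive wrong PIN."""
    if n in DELAY_AFTER_FAILURE:
        return DELAY_AFTER_FAILURE[n]
    return MAX_DELAY if n > max(DELAY_AFTER_FAILURE) else 0


def seconds_to_sweep(n_guesses: int) -> int:
    """Total forced waiting to make n_guesses consecutive wrong attempts on-device
    with wipe disabled (the worst case for the defender)."""
    return sum(delay_for_failure(k) for k in range(1, n_guesses + 1))


@dataclass
class PinGate:
    """State of the PIN screen: failure counter, lockout deadline, wipe flag."""
    correct_pin: str
    wipe_enabled: bool = True
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def try_pin(self, pin: str, now: float) -> str:
        """Returns 'ok', 'wrong', 'locked' or 'wiped'. `now` is the caller's clock."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"  # attempt rejected without touching the counter
        if hmac.compare_digest(pin, self.correct_pin):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.wipe_enabled and self.failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped"
        self.locked_until = now + delay_for_failure(self.failures)
        return "wrong"


if __name__ == "__main__":
    gate = PinGate("7421")  # constructed PIN for the demo
    clock = 0.0
    for guess in ("0000", "0001", "0002", "0003"):
        print(guess, gate.try_pin(guess, clock))
    print("immediate retry:", gate.try_pin("0004", clock))          # locked
    print("after waiting:", gate.try_pin("0004", clock + 61))        # wrong
    print("correct PIN:", gate.try_pin("7421", clock + 200))         # ok
    days = seconds_to_sweep(10_000) / 86400
    print("on-device sweep of all 4-digit codes, wipe off: %.0f days" % days)
```

With this schedule a full on-device sweep of 10000 codes costs on the order of two years of waiting, and with wipe enabled it ends at the tenth failure; neither helps once the wrapped key has been copied off the flash and the guessing happens elsewhere.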

Reply to

How are things around PGA Blvd. these days?

Reply to
George Kerby

That simply isn't true, we've got several encryption algorithms that are basically uncrackable for all practical purposes (unless/until a flaw in the encryption is discovered, which isn't something that will happen just to hack into someone's iPhone, no matter how high value the data may be)

I can understand not encrypting media, but any user data that isn't encrypted falls into a design flaw (although not a surprising one given Apple's track record of security on the iPhone)

That's even more pathetic then -- Whoever at Apple was responsible for engineering this apparently failed to grasp "the DRM problem".

In simple terms, if you store both the encrypted data AND the key together, you can *never* secure *anything* against a sufficiently motivated attacker.

Normally you just encrypt the system key against a user supplied passphrase, or hardware token, then you just have to protect the passphrase/pin and token to remain safe.

If it were me, I'd store the passphrase on the SIM and require a SIM PIN to be enabled, but that would be too confusing for the average iPhone user and Apple isn't serious about attacking the enterprise market yet.

I'm assuming physical hardware access here, in which case you pop the case open, jtag up to the memory and create an image, then attack the encryption directly, completely bypassing any interval delays.

All true.

Umm... No. (See my next paragraph)

Assuming a phone is stolen and the SIM is immediately removed before the owner notices, the iPhone will only be able to connect to known/pre-configured wifi networks or networks that the thief adds to the authorized list.

The iPhone will be scanning for wifi signals whenever it's turned on, but it will only get as far as a list of SSIDs and matching MAC addresses of APs, those don't translate into a location until the iPhone can talk to Skyhook to geolocate. It may also grab GSM network IDs and base station IDs, I'm not sure if it tries without a SIM, but it's not really significant because of my next point:

Even if the iPhone knew its coordinates (GPS, or cached Skyhook data) it wouldn't do any good since the iPhone couldn't transmit that data anywhere or call home to receive a remote-wipe signal without either the SIM card or a preconfigured (or thief-configured) wifi connection.

Very true. Remote Wipe is another case of a half-way design, a smarter design would wipe everything but a "If found, please call..." type message supplied by the owner, and it would continue communicating with MobileMe allowing it to transmit its location for as long as it remains powered on and connected.

Even better, it would have a set of "call owner", "call lost and found" (which would direct them to the nearest Apple store or mobile phone carrier to drop off the phone, no questions asked) and "call 911" buttons available, allowing a phone to be easily returned to its owner by a good Samaritan.

But that would be too pro-consumer, it's more profitable for Apple to just sell you another iPhone.

Reply to

What about a "Call God Feature" so the thief can be smited by a bolt of lightning? I'm sure ALL other cell phones have that and Apple just needs to get with the program, right?

Reply to
George Kerby

with enough money and motivation, it can be. obviously, the average person won't bother.

the average thief is not going to go through the trouble to disassemble an iphone and directly extract the contents of the flash. if someone is going to take the time to do that and then try to crack the encryption, there will have to be a *very* serious reason, such as a major crime investigation. in other words, the previous owner of the phone has a lot more to worry about than just the loss of their iphone.

find my iphone does that. remote wipe is an optional step.

Reply to
nospam