DOJ: iPhones 'too secure'; A key moment for the enterprise?

DOJ: iPhones 'too secure'; A key moment for the enterprise?

Summary: According to MIT, the U.S. Justice Dept. is struggling to access iPhone data, making the task of law enforcement nigh on impossible. The security is good, but only BlackBerry's have the government edge.


Move over, BlackBerry. Apple is on its way, and it's only a hair's breadth away from government use -- something Research in Motion has, but may not be the last to acquire such accreditation.

According to MIT's Technology Review, Apple's iOS designed for iPhones and iPads, has security tough enough to cause even the U.S. Department of Justice headaches in criminal investigations.

A Justice Dept. official spoke at the 2012 Digital Forensics Research Conference, describing the popular smartphone platform as one of law enforcement's worst nightmares.

"I can tell you from the Department of Justice perspective, if that drive is encrypted, you're done," said Ovie Carroll, director at the Justice Dept.'s Computer Crime and Intellectual Property Section, during his address earlier this month.

"When conducting criminal investigations, if you pull the power on a drive that is whole-disk encrypted you have lost any chance of recovering that data."

iOS in its early days was a hacker's dream. There were bugs that could allow hackers to access the inner sanctum -- thanks to applications' root access permissions -- of the phone's data stores, which were not fixed until 2008, more than a year since its initial release in in June 2007. 

Since then, the enterprise sector became Apple's target. The rise of the BlackBerry in business and government use -- despite its subsequent decline -- was in the Cupertino, CA. company's sights. 

The iPhone 4S and iPad 3, despite its consumer attraction, remains a "trustworthy mobile computing" platform, MIT described.

Apple says on its website:

Device policies, restrictions and strong encryption methods on iPhone provide a layered approach to keeping your information secure. iPhone uses hardware encryption to protect all data at rest. To further secure mail messages and attachments iPhone uses Data Protection which leverages the unique device passcode to generate the encryption key.

The mobile technology giant uses primarily AES-256, a highly secure algorithm, used by the National Security Agency to encrypt data classified as TOP SECRET. Because each and every iOS device has a "unique [key] to each device and is not recorded by Apple or any of its suppliers" that is burned into the device's chips, it "guarantees that they can be access only by the [device's internal] AES engine."

You might even think the four-digit PIN code is easy to crack? Wrong. If you're lucky, you can tilt the device in a bright light and work out the combination left by a user's fingerprints, but even this is a long-shot. The iOS' six-digit or even eight-digit PIN code is "good enough for most corporate secrets," MIT said, but warned that it was equally good enough for those on the other side of the law.

In a world where the bottom-up hierarchy goes from: consumers, small-businesses and enterprises, and governments -- it's clear that the first two are pretty much covered by iOS' security.

But since the enterprise sector was covered, government use then became Apple's target. 

However, even if the devices themselves are secure enough for governments, there's still a way to go yet, in not only back-end infrastructure, but required federal certification. 

Apple has yet to acquire certification from the U.S. government, or any government for that matter. The only runner in the race is Research in Motion, which only this year saw BlackBerry 7 -- thanks to the firm's highly secure back-end data infrastructure -- achieve U.K. government certification from a division within its third intelligence agency, GCHQ. 

The U.S. granted FIPS-140-2 certification, required by U.S. law for security necessary in federal government, to BlackBerry devices almost since their first release on the market. 

Though BlackBerry's can only send and receive documents classified under the U.K. and U.S. government classification system as RESTRICTED and below, not including SECRET and TOP SECRET, it's still enough to keep the ailing Canadian firm in business.

For now, iPhone's may still be technically the most secure handset on the enterprise and government market. However, without RIM's decentralized and highly secure infrastructure in place, Apple still has a way off yet. And until it has a government certificate in its pocket -- such as FIPS award -- you won't even get close to Langley with an iPhone in your pocket or an iPad in your bag.

via MIT's Technology Review.

Topics: Security, Apple, Government US, iOS, iPhone, iPad, Legal, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Well, if nothing else, this should put to rest the myth that iOS can't

    be used in enterprise environments due to a lack of or inadequate security design for those markets.
    • It can but...

      Not all of it.
      My company just finished locking the iCloud down.
      Then there are the Siri restrictions.....
      I wonder how much is Apple's failure though as we don't have the same restrictions on Android.
      • Rhonin, could you explain your company's iCloud policy please.

        By "locking down" do you mean disabled? Just curious. Thanks
    • And the Roid-Bois are seething hate at Zack for writing this one...

      They just can't stand it every time Apple makes them look like the fools they are... Back in the pre OS X days, they were correct about Apple... Very bad SW choices/selections and very proprietary. Once they went UNIX, everything changed and the trolls haven't been right for 12+ years. I'm sure most are blowing gaskets and soiling their tighty whities on this one... LOL!!!
    • Meh.

      5 months since this news, yet none of the iGadgets have FIPS 140-2 certifications. Meanwhile the Blackberry 10 OS, which hasn't even been released already has landed a FIPS 140-2. Really, what's taking Apple so long? The devices aren't "too secure". Anyone's bog-standard PC can do AES-256, it isn't rocket science. The FIPS certs have more to do with the tests that the device won't leak CSP data, won't use wonky ciphers (like the crappy DES) among other checks. So it isn't "close to get government contracts", if it hasn't been certified, it's as far from Gov't secure usage as my TI-89.
  • Cool

    Go Apple!
  • Its good to see

    Apple finally taking security and the enterprise seriously. Handsdown EAS implementation in the iPhone is way better than stock Android. However, Blackberries are the king of hill at the moment, its not just on security but the amount of fine grained policies (about 300) that can be managed through BES. Apple is still very poor in this regard.
    • Curious...

      to know of all the fine grained security available in BES, in what % of BES implementations is each leveraged? That's not a slam on BB or BES, I just think in practicality, most companies probably on leverage a couple/few handfuls of the more obvious one while the others are left untouched by all but companies and gov't agencies dealing with very, very sensitive data.
      • True but

        it's still nice to know the options are plenty.
      • Depends on the needs ...

        The beauty of having 450+ policy options is you can create a policy(s) as you need depending of the enforcement and security concern.

        - Disable the camera
        - Turn off SMS / 3rd part email
        - Disable browser
        - Capture SMS


        With BES and BB you can pretty much restrict the device however you wish. BES also have some nice management options no other solution has. The big one is the NOC itself which creates a end to end encypted tunnel for message transport. The whole stock is encrypted.

        iOS is getting there and with a MDM Apple provides a good amount of hooks to lock down an iPhone. The difference is iOS is jailbroken quite easily which negates Apple's encryption method as it's not that robust, until they get FIPS certified and don't fail penetrations tests in a matter of minutes it's not really enterprise let alone goverment ready. The article was purely written from a consumer perspective.
  • Hardly

    Go to IOSResearch dot org. Get all the warez you will ever need to gather forensic evidence from the iphone.
    Your Non Advocate
    • Long live Whatisname

      It's a good thing that neither MIT nor the Department of Justice know about these tools. We're safe... for now.
      Robert Hahn
      • At least until September 24th

        Then they can attend the ios forensics training class.
        Your Non Advocate
      • Funny:)

        Pagan jim
        James Quinn
    • Am I missing something

      The Article clearly lists the iPhone 4s and iPad 3, the site you list does not list either of these as being supported by the toolkit. What am I missing? Older versions were clearly vulnerable, but the article never states that they had the security the newer models have.
  • Too secure, sure

    Please, Mr. Criminal, don't dare use any Apple OS, cause if you do, we'll NEVER be able to prove your wrongdoing. Trust us on that.... ;)
  • Disinformation

    There are several forensic vectors to pulling info off of iOS. With a court order in hand and some money to spend, FBI, DoJ etc have no trouble getting Apple to suck the device dry.

    For NSA, CIA and others who want to do it clandestinely and without any civilians seeing the data, then it is a little tougher since they don't want Apple to know what's going on. But it is not impossible by any means.
    terry flores
  • This is not a jab at iOS....

    ...but I'm waiving my BS flag on this one: "You might even think the four-digit PIN code is easy to crack? Wrong. " If a 4 digit pin code isn't good enough for anything else then why is it suddenly good enough on an iPhone (or any other sort of phone). Just by trying random combinations you have a 1 in 9999 chance of guessing it right the first time - which is actually pretty good. Then throw in a little social engineering and a 4 digit pin seems pretty crappy to me.
    • case and point...

      I've seen this similar information in many places.
    • 1 in 9999 chance?

      Actually its 1 in 10,000 chance. But yeah, i totally agree. 1 in 10k chance is sooooo easy...