iPhone 3GS crypto easy to crack, expert warns
"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.
With physical access to an iPhone 3GS and some free software, data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, Zdziarski explained in a video demonstration.
Apple has been touting the encryption and other features to entice corporate users to the device.
Nearly 20 percent of Fortune 100 companies have each purchased 10,000 or more iPhones, Apple said on its financial results conference call on Tuesday.
This article was originally published on CNET News.
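As an added illustration (not code from the article, from Zdziarski, or from Apple), the Python sketch below models why encryption that the device undoes on its own gives no protection once someone holds the device, while a key bound to the owner's passcode does. The `Device` class, the toy cipher, the sample text and the passcode are all constructed for this example and do not describe the iPhone's actual design.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Device:
    """Constructed model of a phone whose flash holds only ciphertext."""
    def __init__(self, plaintext: bytes, passcode: str, bind_to_passcode: bool):
        self.nonce, self.salt = os.urandom(16), os.urandom(16)
        self.hw_key = os.urandom(32)      # never leaves the device
        self.bind = bind_to_passcode
        self.flash = xor_stream(self._key(passcode), self.nonce, plaintext)

    def _key(self, passcode: str) -> bytes:
        if not self.bind:
            return self.hw_key            # design A: device key alone
        # design B: key also depends on a secret only the owner knows
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self.salt + self.hw_key, 100_000)

    def read_via_os(self, passcode: str = "") -> bytes:
        """What a tool connected to the running device gets back."""
        return xor_stream(self._key(passcode), self.nonce, self.flash)

def compare(secret: bytes = b"Q3 board minutes (constructed sample)") -> dict:
    a = Device(secret, "4921", bind_to_passcode=False)
    b = Device(secret, "4921", bind_to_passcode=True)
    return {
        "flash_is_ciphertext": a.flash != secret and b.flash != secret,
        "A_no_passcode": a.read_via_os() == secret,
        "B_no_passcode": b.read_via_os() == secret,
        "B_with_passcode": b.read_via_os("4921") == secret,
    }

if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

In both designs the stored bytes are ciphertext; only design B refuses to hand plaintext to a reader who lacks the passcode.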
Talkback
Can't wait to hear the Apple Fanboi/grl excuses...
I suppose this is an unfair attack by ZDnet...or maybe iPhone users are soooo cool and disaffected by silly things like security that they don't care....
agent_bippy, 27th Jul 2009
Or just maybe...
iPhone owners are more conscientious about letting others muck about with their property.
The key here is in the opener: "With physical access to an iPhone 3GS...". Personally, I think any device that can cause you to step into oncoming NYC traffic because you're so distracted should be banned, but unless you're in the habit of leaving your iPhone on the table at Starbucks while you wait for your venti frappa-spresso-latte-with-a-twist, your iPhone is actually pretty safe.
Timpraetor, 27th Jul 2009
And of course the anti-iPhone crowd
has to rush in here guns blazing to have the first word... Can't wait to hear their excuses and attacks over the following:
Sorry but ANY device can be broken into - WM, BB, Symbian, Android, iPhone, Palm, etc... if someone has physical possession of it. And I'll grant that not so long ago it was not possible to remotely wipe an iPhone on an enterprise server like one could with a BB, and now that is no longer the case. Hell I could remotely wipe my iPhone now as an end user - I can't do that with my BB nor could I have done that with my WM device - not as an end user. Of course it all comes down to how fast one notices their device is missing and how much time they spend backtracking prior to reporting it to their IT people as being lost or stolen.
It's not so much an unfair attack as it is that the author is leaving out things... like the fact that any device can be hacked into given enough time and physical possession of it. I love it how some people jump up and down screaming about how the iPhone lacks this or that while at the same time gloss over any sort of similar defects or issues with their own choice of mobile device. Or choose to troll the Apple forums waiting for a biased ZDNet blogger to lay down more anti-iPhone articles...
And no, I'm not an Apple fanboi, just a fan of the iPhone... most of the rest of their gear is good but sadly way overpriced.
Pete "athynz" Athens, 27th Jul 2009
Encryption doesn't protect device, it protects the data
like the fact that any device can be hacked into given enough time and physical possession of it
Encryption isn't designed to prevent anyone from using your device, it prevents them from retrieving the data that is on the device. Well, unless the device is an iPhone!
While no one can expect to prevent someone from using your device should they get physical access to it, other mobile OS makers have successfully come up with encryption systems that prevent someone from getting at your data with physical access to it. That is the difference.
Of course it all comes down to how fast one notices their device is missing
Think you would notice within 2 minutes because that is all the time it takes to break Apple's encryption.
nor could I have done that with my WM device - not as an end user
Yes you can. Go to Outlook Web Access -> Options -> Mobile Devices and choose "Wipe All Data from Device". And if you say "yeah, but you need exchange", I'll say "yeah, but you need a mobileme subscription". Same thing. And with all the hosted exchange options out there, individuals can get access to remote wipe for about the same cost as a mobileme account.
NonZealot, 27th Jul 2009
I was wondering when you'd show up...
Yes you can. Go to Outlook Web Access -> Options -> Mobile Devices and choose "Wipe All Data from Device". And if you say "yeah, but you need exchange", I'll say "yeah, but you need a mobileme subscription". Same thing. And with all the hosted exchange options out there, individuals can get access to remote wipe for about the same cost as a mobileme account.
I have to admit I did not know that about the remote wipe of WM... and yes one does need MobileMe to enable remote wipe for the iPhone - and honestly I'm paying enough per month for my iPhone without bringing in the added expense of MobileMe... and other than the remote wipe I see no use to have it. Or more to the point I have other things to pay that are of a higher priority to me.
Think you would notice within 2 minutes because that is all the time it takes to break Apple's encryption.
Perhaps, but consider too the average corporate smartphone user... or really anyone who owns a mobile phone. When they discover it missing (say within 2-3 minutes at the least) the first thing they will do is retrace their steps (let's say 10-20 minutes), then recheck the surroundings where they first discovered the loss (5-10 minutes), and THEN finally go through informing their manager, who perhaps informs his or her manager, and then it finally gets routed to the IT people... another 20-30 minutes depending on the number of levels it goes to, if the IT people are in a meeting, if the IT department is in house or outsourced (outsourced add at least 10 minutes more) so we're looking at at least 30 minutes. IF someone is actively looking for an encrypted device to hack (in the case of banks or government issued devices) they likely have the means to extract any info right there with them and can likely hack into any WM or BB device within 30 minutes easily. More likely scenario is some crackhead saw an unattended smartphone and sold it for some rock...:-) which would give the IT people or an end user enough time to wipe everything. In that situation it would seem the WM and BB devices are just as susceptible to being hacked or broken into to have the data stolen.
Of course the simplest solution would be to hold on to your respective devices... I've owned many devices, most of them feature phones, and have yet to lose or misplace a single one... nor have any been stolen.
But I'll worry more when someone comes out with the remote hack that allows someone to access my iPhone or my Blackberry.
Pete "athynz" Athens, 27th Jul 2009
You still don't get it
In that situation it would seem the WM and BB devices are just as
susceptible to being hacked or broken into to have the data stolen.
Except that you are wrong. From the article:
"I don't think any of us (developers) have ever seen encryption
implemented so poorly before"
So WM and BB devices are not just as susceptible because
encryption is implemented better on those devices. I'll bring up a
defense that OS X people like using a lot: OS X isn't perfectly secure
but it is more secure than Windows.
Ever seen that written? Likewise, while I'm sure that WM and BB don't
have perfect security, they are more secure than the iPhone OS. 10 out
of 10 security experts agree on that.
I've owned many devices, most of them feature phones, and have yet
to lose or misplace a single one... nor have any been stolen.
And I've never been hit with Windows malware. Guess it isn't a
problem then! If you follow the news at all, you will see many stories
about sensitive data being stolen from laptops. People with much
more experience than you have deemed this to be a problem and one
way you can mitigate it is by encrypting the file system to prevent
people with physical access from getting at the data. Note that the
purpose of encryption isn't to stop them from using your device, it is
to stop them from getting access to your emails, your word
documents, your blueprints, etc. If you don't keep any sensitive data
on your device, encryption will do nothing for you. But if you do
have sensitive data on your device, you are a fool if your only security
advice is "don't let anyone steal it".
Apple touted encryption as a feature to prevent the loss of your data
should your iPhone be stolen. If it turns out that the feature does not
even come close to doing what Apple says it was built for then
wouldn't you agree this was a bad thing? And, for the record, it is a
"bad thing" regardless of how WM and BB handle it. Apple is making
the claim and it turns out the claim is a false one.
NonZealot, 27th Jul 2009
Edit reply is broken, oops!
Just to clarify this sentence:
Note that the purpose of encryption isn't to stop them from using
your device, it is
to stop them from getting access to your emails, your word
documents, your blueprints, etc.
All the permission bits and passwords and fingerprint scanners, etc.
are useless if the "bad guys" can simply read the underlying data right
off the physical media. Give me access to a computer and I wouldn't
bother trying to guess a password or "break into the system" to read
the hard drive, I would pop in a bootable CD with Linux on it and read
the data right off the hard drive, no password or hacking required!!
That is what encryption is meant to stop. The difference is that
desktops and servers can be protected from physical access much
easier than laptops and cell phones which, by their very nature, are
mobile.
NonZealot, 27th Jul 2009
The claim is not false
I doubt that they are purposely trying to mislead the buyers. I think the problem is just with the implementation.
I blame the testing that they used to verify that their encryption was good enough for the claim.
Now that they are getting feedback, I am certain that a new and improved algorithm will come up.
fernande-zdnet, 6th Aug 2009
wow
OSX is definitely just as vulnerable as Windows is, if not more, but no one cares to try hacking OSX because of the little market share and interest in the OS as compared to Windows. A few have taken the time to make malware and many more could do it easily if they feel like it.
stevehabs, 9th Aug 2009
RE: iPhone 3GS crypto easy to crack, expert warns
With physical access to any device, the necessary decrypt/crack tools, and enough time, the encryption used by any computer application can be circumvented. If this could be done by simply getting close to the iPhone with your bluetooth laptop, this would be news. But anyone that expects any software to protect your data if you lose physical control of the device needs to call me about a bridge I'd like to sell.
What makes this instance so special (other than being able to attack Apple)?
The moral of the story, don't let "security specialists" steal your iPhone.
Timpraetor, 27th Jul 2009
You clearly don't understand the point of encryption
But anyone that expects any software to protect your data if you lose physical control of the device needs to call me about a bridge I'd like to sell.
That is precisely the point of encryption!!! It is meant to do one thing and one thing only: protect the valuable data from anyone who is able to steal the device! Laptops and cell phones get stolen all the time and encryption helps limit the loss to the cost of the device.
What makes this instance so special (other than being able to attack Apple)?
What makes it special is that the encryption on other devices actually works. Apple is touting this as a security feature and it turns out that it actually offers no security at all.
NonZealot, 27th Jul 2009
You clearly don't understand the point of ______________
"What makes it special is that the encryption on other devices actually
works."
Again, as usual, you exhibit your poor reading comprehension skills,
as well as your poor command of the subject. First, nowhere in the
article did it say that the encryption deployed by the other devices is
particularly difficult to hack. (Clue: it isn't.) Saying that the iPhone's is
worse is like saying that a wall made of popsicle sticks is better than a
wall made of cheese doodles. Neither one is particularly effective, and
the end results are markedly similar (save for the wooden splinters vs.
annoying orange dust.)
Also, a previous poster stated that any phone can be broken or
hacked into if one has physical access, to which you replied that the
OP just "didn't get it" (funny, coming from you) and then proceeded to
"correct" the OP about USE of the phone vs. ACCESS to the data.
But again, it is YOU who don't get it. First, the OP was not talking
about using the phone, and never used those words, but WAS talking
about accessing the data. Second, the data on any of the phones
listed is accessible with only a modicum of effort; i.e. they can be
hacked into and the data accessed.
Get it?
DeusExMachina, 28th Jul 2009
What about other phones?
The article clearly indicates that the encryption scheme used by the iPhone is not as good as advertised.
What about the ones used by WM phones or the BlackBerry? Are they uncrackable? No, they are not.
What I would like to see is a comparison of how long it takes an expert to crack the encryption of all these phones. Then, you can make a claim of which device is "more" secure.
fernande-zdnet, 6th Aug 2009
And, the Apple faithful rise as one to defend their own.
These same people, if this flaw existed in a BlackBerry or WM device, would be crowing about how stupid those companies are and how superior Apple's hardware and software is. Because the problem is with an Apple device, it isn't a problem, or the other devices are just as insecure, so what's the problem?
Here's the problem: the encryption doesn't work. It doesn't protect your data. And yes, it's a problem because it's easier to steal an iPhone than you might think, even if you claim to have never lost a device. You seem to think industrial espionage is some theoretical idea. Why don't you ask Apple about that? It isn't a theory to them, it's a reality. Knowing how paranoid Apple is about security and keeping leaks under wraps, you seriously argue that encryption failure is not a problem? Children please. Go ask Steve Jobs if it's a problem.
heres_johnny, 28th Jul 2009
All hail the strawman argument
But before we get to that, please cite a SINGLE piece of evidence to
confirm that the same people who criticize Blackberry or WM are
the same people that post about the superiority of Apple products.
Not that it would matter, because unless it was over the same issue,
such a thing would be irrelevant to the argument at hand.
But now to the central issue. So the encryption doesn't work well,
which makes the iPhone less secure than it could be. The issue you
raise, however, implies that the iPhone is practically inferior to the
other products in this regard. Especially as regards WM, this
assumption is patently false. Cracking WM security is trivial, and a
number of third party products exist for this. While RIM does a
significantly better job, even its security has been breached.
If you are going to be making someone else's argument for them, at
least get the facts right.
DeusExMachina, 28th Jul 2009