Feeds

iPhone security cracked, smacked and broken

3GS cheerfully decrypts itself, says researcher

Internet Security Threat Report 2014

A researcher has delved into the encryption used to protect content on the iPhone 3GS, only to claim it is "entirely useless" and that he had "[never] seen encryption implemented so poorly before".

Jonathan Zdziarski spent a couple of minutes demonstrating to Wired that he could copy and decrypt secured information from an iPhone. He removed the SIM to disable any remote-wipe procedures - demonstrating a security risk and concluding that "Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward[s] security".

Earlier iPhone models don't use encrypted storage, but from the demonstrations performed for Wired, it seems that the iPhone 3GS will happily, and automatically, decrypt information as it's copied from the device using a remotely-installed shell - rendering the encryption pointless at best.

Apple might have demonstrated their inability to implement decent cryptographic protection of the content, but few phone systems even bother to make the attempt. With the notable exception of RIM's BlackBerry devices, it's best to assume that once an attacker has physical possession of the phone he'll gain access to the contents pretty quickly. Legally-used forensic software spends most of its time maintaining a legally-verifiable audit trail, rather than using clever techniques to extract the data.

There is an argument that implementing such weak security is worse than not bothering at all. Apple appears to be lending users a false confidence while allowing miscreants free access. But it seems unlikely that many enterprise customers were relying on Apple's encryption to protect their corporate secrets, and if they were, then they should think again. ®

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.