Feeds

iPhone security cracked, smacked and broken

3GS cheerfully decrypts itself, says researcher

Gartner critical capabilities for enterprise endpoint backup

A researcher has delved into the encryption used to protect content on the iPhone 3GS, only to claim it is "entirely useless" and that he had "[never] seen encryption implemented so poorly before".

Jonathan Zdziarski spent a couple of minutes demonstrating to Wired that he could copy and decrypt secured information from an iPhone. He removed the SIM to disable any remote-wipe procedures - demonstrating a security risk and concluding that "Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward[s] security".

Earlier iPhone models don't use encrypted storage, but from the demonstrations performed for Wired, it seems that the iPhone 3GS will happily, and automatically, decrypt information as it's copied from the device using a remotely-installed shell - rendering the encryption pointless at best.

Apple might have demonstrated their inability to implement decent cryptographic protection of the content, but few phone systems even bother to make the attempt. With the notable exception of RIM's BlackBerry devices, it's best to assume that once an attacker has physical possession of the phone he'll gain access to the contents pretty quickly. Legally-used forensic software spends most of its time maintaining a legally-verifiable audit trail, rather than using clever techniques to extract the data.

There is an argument that implementing such weak security is worse than not bothering at all. Apple appears to be lending users a false confidence while allowing miscreants free access. But it seems unlikely that many enterprise customers were relying on Apple's encryption to protect their corporate secrets, and if they were, then they should think again. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
EE accused of silencing customer gripes on social media pages
Hello. HELLO. Can EVERYTHING EVERYWHERE HEAR ME?!
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
Broadband slow and expensive? Blame Telstra says CloudFlare
Won't peer, will gouge for Internet transit
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?