Thursday, July 23, 2009

Hacker Claims iPhone 3GS Encryption Flawed

One of the iPhone 3GS's new features is hardware encryption. This should make it more suitable for business, but as it's purportedly implemented in hardware, it's unavailable to other iPhone models. It can also be cracked in two minutes, using nothing more than freeware, according to Jonathan Zdziarski, an iPhone developer and hacker who teaches forensics courses on recovering data from iPhones.

Zdziarski said:
"It is kind of like storing all your secret messages right next to the secret decoder ring. I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security."
To grab data, one simply has to jailbreak the iPhone 3GS, then install an SSH client and copy the iPhone 3GS's disk image across to a computer. As the data begins transferring, according to Zdziarski, the 3GS decrypts it automatically.

Of course, perhaps it's just that corporations don't care as much as we might think.

During the fiscal Q3 earnings call, COO Tim Cook said, when asked about enterprise adoption of the iPhone:
[...] we are seeing growing interest with the release of the 3GS and iPhone OS 3.0, due in part to the new hardware encryption and the improved security policies.

The phone is particularly doing well with small business and with large organizations that allow people to purchase the phones for individual use, and this is both in corporate and government settings.

Specifically, to give you some numbers, almost 20% of the Fortune 100 have purchased at least 10,000 units or more, and there are now multiple corporations and government agencies who have purchased in excess of 25,000 each.
It should be clear by now, though, that the iPhone is so attractive to users that, even without encryption of any type before the 3GS model, it has still made serious inroads into the enterprise.

Let's face it, when your CEO comes in with an iPhone, you're not going to turn him down; you're going to enable ActiveSync for him. And as more corporations move to a personal liability model, where employees bring in their own mobile devices to be enabled on the company network, it gets harder and harder to say no.

As Zdziarski said, it's up to developers to "not trust Apple" in terms of security.
"If they're relying on Apple's security, then their application is going to be terribly insecure. Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it's entirely useless toward security."