

Apple says its iPhone 3G S is "ready for business"; however, one leading hacker calls it "useless" for business users, thanks to its woefully poor encryption and security. He says the phones pose a serious threat to companies adopting them. Still, some companies say it's worth the risk.  (Source: The iPhone Blog)
The iPhone is yet again experiencing criticism over poor security

Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones, hasn't been very impressed with the iPhone's security -- or lack thereof.  Mr. Zdziarski has indicated that iPhone OS v3.0 is a bit better when it comes to security, but he says with only a few pieces of readily available freeware you can easily crack it in under two minutes.  That news must be concerning for the corporations and government agencies that support the hundreds of thousands of business iPhones Apple says it has sold.

Mr. Zdziarski says the iPhone's security woes are entirely unnecessary and are the result of incompetence.  He states, "It is kind of like storing all your secret messages right next to the secret decoder ring.  I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security."

His statements stand in stark contrast with Apple Chief Operating Officer Tim Cook's cheerful news that 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece and that multiple government organizations had purchased 25,000 iPhones apiece.  Mr. Cook had bragged, "We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies.  The phone is particularly doing well with small businesses and large organizations."

Mr. Zdziarski says these entities might be in trouble as the encryption on the phone is so poorly implemented a simple software tool makes it as easy to view encrypted files as unencrypted ones.  Thieves could extract live encrypted data from the phone in a mere 2 minutes, and have an entire raw disk image in about 45 minutes.  Interestingly, the iPhone itself helps with these tasks – it begins to decrypt data on its own automatically after the extraction process has started.

Corporate users often edit finance spreadsheets and other corporate documents on their phone, as well as using the phone to make transactions with corporate credit cards.  All of this information is easy pickings for hackers thanks to the phone's woeful security.  Mr. Zdziarski surmises, "If (companies are) relying on Apple’s security, then their application is going to be terribly insecure.  Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.  We’re going to have to go with the old imperative of ‘Trust no one’.  And unfortunately part of that is, don’t trust Apple."

Still, some companies say that the risks of deployments are worth it.  States Lance Kidd, chief information officer of Halton Company, an industrial equipment provider, which lets its employees use iPhones, "Your organization has to be culturally ready to accept a certain degree of risk.  I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’  It’s like business continuity.  You prepare for disasters. You prepare for if there’s an earthquake and the building breaks down, and you prepare for if there’s a crack in [information] security."



Comments

Assumes Physical Access to iPhone?
By ltcommanderdata on 7/24/2009 2:23:21 PM , Rating: 0
From the way the article is phrased it sounds like they are assuming hackers have physical access to the iPhone, like it's been stolen. In such a case, it's best if employees are trained to report missing iPhones as soon as possible so that they can be remote wiped. Perhaps they should investigate how effective Apple's remote wipe is in making data unrecoverable. I don't believe the researchers commented on the ability to hack into iPhones over the internet which would be a greater concern.




By dark matter on 7/24/2009 2:33:37 PM , Rating: 2
I may have misread your post. But it seems to me that you are downplaying this threat. Not only do people have the phone stolen, but they often just leave them lying around.

What is the point in having encryption if, in the event that you lose your phone or have it stolen, it is worthless?

You cannot plan for human failure (such as having your phone stolen or losing it) so you expect the technology to provide some security for confidential material.

When you buy a lock, you don't expect it to come with a spare key constantly attached to the underside, do you?


By leexgx on 7/24/2009 2:35:49 PM , Rating: 2
Back at ya. Yes, but anyone that intends to crack open the phone would have disabled the data connection or put it into flight mode, as they would know about remote kill.


RE: Assumes Physical Access to iPhone?
By Voo on 7/24/2009 2:36:44 PM , Rating: 2
Well, that's also a time problem: if you can get a whole disk image in less than 1 hour, I'd say it's quite possible that the employee couldn't report his loss in time.

After all, you've got to notice that you've lost it, make sure you didn't leave it in the car or similar, then find time to talk to the right person, who then has to do whatever it takes to remote wipe the thing.

In a usual bureaucratic company that sounds highly unlikely to take less than an hour.

And there are a lot of ways to prevent the iphone from getting any connection at all (Pb should do it, right?)


RE: Assumes Physical Access to iPhone?
By Shadowself on 7/24/09, Rating: -1
By Lonyo on 7/24/2009 3:06:10 PM , Rating: 2
It's about encryption.
There basically is none.

Sure, you can hack my PC if you have physical access to it, but if everything is encrypted and protected you won't be able to access the data particularly easily. This guy is saying that due to flaws in the iPhone OS, the encryption is pretty worthless.


Copyright 2014 DailyTech LLC.