Apple claims that hundreds of thousands of iPhones are being used by
corporations and government agencies. What it won’t tell you is that
the supposedly enterprise-friendly encryption included with the iPhone
3GS is so weak it can be cracked in two minutes with a few pieces of
readily available freeware.
“It is kind of like storing all your secret messages right next to
the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer
and a hacker who teaches forensics courses
on recovering data from iPhones. “I don’t think any of us [developers]
have ever seen encryption implemented so poorly before, which is why
it’s hard to describe why it’s such a big threat to security.”
With its easy-to-use interface and wealth of applications available
for download, the iPhone may be the most attractive smartphone yet for
business use. Many companies seem to agree: In Apple’s quarterly
earnings conference call Tuesday, Apple chief operating officer Tim
Cook said almost 20 percent of Fortune 100 companies have purchased
10,000 or more iPhones apiece; multiple corporations and government
organizations have purchased 25,000 iPhones each; and the iPhone has
been approved in more than 300 higher education institutions.
But contrary to Apple’s claim that the new iPhone 3GS is more
enterprise friendly, the new iPhone 3GS’ encryption feature is “broken”
when it comes to protecting sensitive information such as credit card
numbers and social-security digits, Zdziarski said.
Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS
as it was on the previous generation iPhone 3G or first generation
iPhone, both of which didn’t feature encryption. If a thief got his
hands on an iPhone, a little bit of free software is all that’s needed
to tap into all of the user’s content. Live data can be extracted in as
little as two minutes, and an entire raw disk image can be made in
about 45 minutes, Zdziarski said.
Wondering where the encryption comes into play? It doesn’t.
Strangely, once one begins extracting data from an iPhone 3GS, the
iPhone begins to decrypt the data on its own, he said.
To steal an iPhone’s disk image, hackers can use popular jailbreaking tools
such as Red Sn0w and Purple Ra1n to install a custom kernel on the
phone. Then, the thief can install an Secure Shell (SSH) client to port
the iPhone’s raw disk image across SSH onto a computer.
To demonstrate the technique, Zdziarski established a screenshare
with Wired.com, and he was able to tap into an iPhone 3GS’ data with a
few easy steps. The encryption did not pose any hindrance.
Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.
“We’re seeing growing interest with the release of iPhone 3.0 and
the iPhone 3GS due in part to the new hardware encryption and improved
security policies,” Cook said during Apple’s earnings call. “The phone is particularly doing well with small businesses and large organizations.”
Clearly, the gigantic offering of iPhone applications is luring these business groups. Quickoffice Mobile,
for example, enables users to access and edit Microsoft Word or Excel
files on their iPhone. For handling transactions, merchants can use
apps such as Accept Credit Cards to process a credit card on an iPhone anywhere with a Wi-Fi or cellular connection.
Several employees of Halton Company, an industrial equipment
provider, are using iPhones for work, according to Lance Kidd, chief
information officer of the company. He said the large number of
applications available for the iPhone make it worthy of risk-taking.
“Your organization has to be culturally ready to accept a certain
degree of risk,” Kidd said. “I can say we’ve secured everything as
tight as a button, but that won’t be true…. Our culture is such that
our general manager is saying, ‘I’m willing to take the risk for the
value of the applications.’”
Kidd noted that Halton employees are not using iPhones for holding
confidential customer information, but rather for basic tasks such as
e-mailing and engaging with clients via social networking sites such as
Facebook and Twitter. Halton also plans to code apps strictly for use
at the company, Kidd said.
According to Kidd, a security expert performed an evaluation of
Halton, and he said it was possible for any hacker to find an
infiltration no matter the level of security. Therefore, Halton has
measures in place to respond to an information security threat rather
than attempt to avoid it.
“It’s like business continuity,” Kidd said. “You prepare for
disasters. You prepare for if there’s an earthquake and the building
breaks down, and you prepare for if there’s a crack in [information]
security.”
But Zdziarski stands firm that the iPhone’s software versatility
isn’t worth the risk for use in the workforce. He said sensitive
information is bound to appear in e-mails or anything that can be
contained on the iPhone’s disk, which can be easily extracted by
thieves thanks to the new handset’s shoddy encryption.
Zdziarski said it’s up to the app developers to add an extra level
of security to their apps because Apple’s encryption feature is so poor.
“If they’re relying on Apple’s security, then their application is
going to be terribly insecure,” he said. “Apple may be technically
correct that [the iPhone 3GS] has an encryption piece in it, but it’s
entirely useless toward security.”
He added that the ability for the iPhone to self-erase itself
remotely using Apple’s MobileMe service isn’t very helpful, either: Any
reasonably intelligent criminal would remove the SIM card to prevent
the remote-wipe command from coming through. (In a past Wired.com
report, Zdziarski said the iPhone’s remote-wiping ability pales
in comparison to Research In Motion’s BlackBerry, which can self-delete
automatically after the phone has been inactive on the network for a
preset amount of time.)
On top of that, the iPhone isn’t well protected in general
usability, said John Casasanta, founder of iPhone development company
Tap Tap Tap. He said though Apple’s approval process scans for
malicious code, a developer could easily tweak the app to send a user’s
personal data, such as his contacts list, over the network without his
knowing.
“Apple can see if something is blatantly doing something malicious
in the approval process, but it wouldn’t be very hard to do something
behind the scenes,” Casasanta said.
Evidently, it isn’t difficult to sneak unauthorized content into the App Store. In May, Wired.com reported on an exploit
demonstrated by the iPhone app Lyrics. Apple initially rejected the app
because it contained profane words, and then Lyrics’ developer snuck
the profanity into the app with a hidden Easter egg. Apple then
approved the application.
Zdziarski added that there are other weaknesses with the iPhone: Pressing the Home button, and even zooming in on a screen, automatically creates a screenshot
temporarily stored in the iPhone’s memory, which can be accessed later.
And then there’s the keyboard cache: key strokes logged in a file on
the phone, which can contain information such as credit card numbers or
confidential messages typed in Safari. Cached keyboard text can be
recovered from a device dating back a year or more, Zdziarski said.
Though Apple has declined to comment on iPhone security issues, the
company has more or less admitted iPhones are vulnerable to security
threats, because an emergency measure exists. In August 2008, Apple CEO
Steve Jobs acknowledged the existence of a remote kill switch for iPhone apps,
meaning if a malicious app made its way onto iPhones, Apple could
trigger a command to delete the app from users’ devices. There is no
evidence that the kill switch has ever been used.
So, what kind of business should you do with an iPhone if the device
is not very secure? Zdziarski said there are some business-savvy apps
that have managed to integrate better security (such as secure data
fields to prevent key-stroke logging of credit card numbers, for
example), but he warned companies to be cautious about investing too
much trust in the iPhone and the apps available for it.
“We’re going to have to go with the old imperative of ‘Trust no
one,’” he said. “And unfortunately part of that is, don’t trust Apple.”
Source: http://www.wired.com/gadgetlab/2009/07/iphone-encryption/