iPhone encryption? Not really

Filed Under: Apple, Mobile, Privacy

iPhone 3GS data folder

Sean Richmond from our Sydney, Australia office sent me a note yesterday asking if I had been following a thread on the Full Disclosure mailing list.

The author of the message noted that when he plugged in his iPhone 3GS to a Ubuntu 10.4 (Lucid Lynx) workstation he was able to access some of the data without authenticating to the phone or OS.

I must admit my focus on Apple security waxes and wanes, so I did some research into the topic. I booted the live CD version of the latest Ubuntu on my test workstation and performed the steps described in the post. I got an identical result which I have to admit was a great surprise.

Not that I don't trust Apple, but they have been talking about how the iPhone is enterprise ready and secure ever since the launch of the 3GS.

On initial examination all that is required to access the "user content" areas of a fully encrypted iPhone is Ubuntu. No passcode required. Since we do encryption here at Sophos I was a bit startled by this as any proper encryption should have the keys protected by some sort of passphrase that is required in order to access the protected volume.

iPhone 3GS Photos

Many have pointed out that the most sensitive information is still unavailable like SMS history, email, address books, etc. After seeing the phone boot without the passcode though, I thought there may be more of a story to this.

If you use full disk encryption on your computer you will notice that it cannot boot until you have provided the passphrase.This is because the key that encrypts the volume is protected by your passphrase. If you turn on an iPhone it boots all the way up and allows access from USB.

If the device boots, it must be able to access the encryption key without a passphrase. In turn this means it is as good as unencrypted as soon as it is turned on.

I started digging some more and noticed some research done by Jonathan Zdziarski in July 2009. Jonathan shows how you can boot an altered kernel from RAM disk and gain access to the device.

He also has another video where he recovers all the data from a protected iPhone, all without altering the device in any way. He can recover all of your "keystrokes", email, phone calls, voicemails, deleted messages and voicemail. Everything on the device is available without the passphrase.

Encryption is not difficult to do, but the way you choose to implement it is. As demonstrated by Apple's implementation, a state of the art AES-256 encrypted device has no protection if keys are not handled appropriately.

At Sophos we strive to provide excellent security in the simplest manner possible. Like Apple we know users care about their security, but do not want it to get in the way. To implement security simply, but effectively is very difficult. Unfortunately for businesses or consumers who think their iPhones are secure, they are incorrect.

The good news is that it would appear Apple is taking more of a FileVault encryption approach for sensitive data in their new iPhone v4 software. On Apple's site for "iPhone in Business", they now have a statement implying they have changed their implementation to be more secure:

Data Protection
Security enhancements in iPhone OS 4 protect email messages and attachments stored on iPhone 3GS by using the device passcode as an encryption key. New data protection APIs can be used for custom and commercial apps so that business-critical information is protected even if a device is compromised.

It's good to see Apple taking this problem on, and providing APIs for third party developers to secure their stored data as well. In the mean time if you have a 3GS or use an iPhone that contains sensitive information, be sure to not let it out of your sight.

, , ,

You might like

One Response to iPhone encryption? Not really

  1. Bill Hunter · 811 days ago

    I like reading back issues of NakedSecurity, it refreshes things in my mind and prompts me do what I said I would do when I first read it.
    As for encryption, well I'm not an Apple fan I'm a Samsung fan, but no mind. If I was going to rob people of bank account access details, whether it a mainline Bank like Bank of Ireland or a bank account in the ether like PayPal, I would attack people like me. Why? Well everything you have written up above is quite meaningless to some like me. I've no idea what kernels are except the ones that come from nuts, or how to encrypt my data. The latter I thought I had cracked as there was something on my PC that offered encryption so I encrypted a few documents that weren't important and hey presto! /It worked, I thought. It was several days later I went into that folder with the intention of encrypting something, another document, and saw the encrypted ones sitting there with their padlocks. Next to them I found other documents with similar names and clicked on them wondering what the were, boy was I surprised to see it was the original copy, the encrypting whatch-ma-call-it had only encrypted a copy it made of the originals. Well, that really stumped me, I can't for the life of me think how to encrypt a document on my PC so encrypting one on my phone seems impossible.
    Never mind kernels and keystrokes etc, although I could make a guess at keystrokes being what we do when typing in a password. Anyway, I'm sure there must be thousands of me out there walking around or sitting/standing on crowded trains etc. with their hand buried deep into their pocket holding tightly onto their smart phones and too terrified to use a hot-spot or WiFi because we hear about all these terrifying things out there but nobody is willing to talk decent English to us. I see it as those legal letters you get but just don't understand.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.