iPhone 3GS about as secure as a chocolate teapot

It's not really news that the iPhone is not suitable for business, but according to Apple this did not stop hundreds of thousands of these devices being adopted into Fortune 100 companies who should really know better.

The news that the smartphone’s touted full device encryption, which was supposed to bring it up to par feature-wise with RIM and Windows Mobile, is so weak it can be cracked in two minutes with a few pieces of readily available freeware should however bring a chill down their spine.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

Calling the iPhone 3GS' encryption feature "broken" when it comes to protecting sensitive information, Zdziarski said it's just as easy to access a user's private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, neither of which featured encryption. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

To steal an iPhone's disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to copy the iPhone's raw disk image over SSH onto a computer.

“If they’re relying on Apple’s security, then their application is going to be terribly insecure,” he said. “Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”

Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.

“Your organization has to be culturally ready to accept a certain degree of risk,” said Lance Kidd, chief information officer of the Halton Company, an industrial equipment provider. “I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’”

Kidd noted that Halton employees are not using iPhones for holding confidential customer information, but rather for basic tasks such as e-mailing and engaging with clients via social networking sites such as Facebook and Twitter.

Read the full article at Wired here.
