It's not really news that the iPhone is not suitable for business, but according to Apple this did not stop hundreds of thousands of these devices being adopted into Fortune 100 companies who should really know better.
The news that the smartphone’s touted full device encryption, which was supposed to bring it up to par feature-wise with RIM and Windows Mobile, is so weak it can be cracked in two minutes with a few pieces of readily available freeware should, however, send a chill down their spines.
“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”
Calling the iPhone 3GS’ encryption feature “broken” when it comes to protecting sensitive information, Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.
To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.
“If they’re relying on Apple’s security, then their application is going to be terribly insecure,” he said. “Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”
Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.
“Your organization has to be culturally ready to accept a certain degree of risk,” said Lance Kidd, chief information officer of the Halton Company, an industrial equipment provider. “I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’”
Kidd noted that Halton employees are not using iPhones for holding confidential customer information, but rather for basic tasks such as e-mailing and engaging with clients via social networking sites such as Facebook and Twitter.
Read the full article at Wired here.