Slashdot Mirror


iPhone 3Gs Encryption Cracked In Two Minutes

An anonymous reader writes "In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone — including deleted data — is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike to access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"

7 of 179 comments

  1. Re:Apple blows. by SomeJoel · · Score: 4, Insightful

    I am confused. Does it suck, or does it blow? These are opposites, are they not?

  2. Re:The same F500 and military that use Windows? by nxtw · · Score: 5, Insightful

    In this case, the hacker not only had the iPhone in his physical possession, but it was not Remote Wiped, so he also had the keys in his possession. How is it at all surprising that he was able to get in?

    Because if that same hacker had a Blackberry in his possession with encryption enabled, he would not be able to get in.

  3. security theatre by drDugan · · Score: 4, Insightful

    security theatre: (1) security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security, usually resulting from political absurdity, poor engineering, the need to present an image of security more than real security, or some combination of these factors. (2) The real mission of the Transportation Security Administration.

    Examples: airport screening, "No-Fly" lists, random searches on subway systems, 1950's "duck and cover" drills in U.S. public schools

  4. Re:The same F500 and military that use Windows? by Anonymous Coward · · Score: 5, Insightful

    My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data. It's to make Remote Wipe instant instead of taking 1 hour per gigabyte because the Remote Wipe only has to destroy the decryption keys, not every bit of data on the disk. When you Remote Wipe an iPhone 3G it takes 1 hour per gigabyte to destroy the data. With a 3GS, it takes a few seconds.

    Isn't the point of remote wipe to prevent unauthorized access to the data on the physical device? So, it doesn't matter how long it takes to do the remote wipe if the keys can be broken in 2 minutes since that leaves only a small window of time to do the wipe. Especially if the attacker can copy the entire contents of the iPhone to a remote storage device and do it offline.

    Disk encryption, especially mobile and laptop, should be designed specifically to prevent data retrieval when physical possession is obtained by an attacker.

  5. Re:The same F500 and military that use Windows? by thedak · · Score: 3, Insightful

    .. I won't lose a blink of sleep over them using Apple products. This guy had to have physical access to the iPhone to crack it, and even then the iPhone did not start sending its data out over the Internet along with a virus payload that formed a massive botnet that crippled Internet bandwidth.

    That is because they are completely different cases with completely different mechanisms to prevent them. You're talking about the ability to load a spambot or something on a mobile device. The encryption is there to ensure your address book is safe, your calendar is safe, any photos and other data are safe. Not to ensure the device does not run arbitrary code. The problem with the data encryption being crackable within an arbitrary length of time is a large issue, as it is meant to be protection regardless of where the device lies, in hands or not.

    My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data

    That is exactly the purpose of encryption.

    en·crypt (ĕn-krĭpt) tr.v. en·crypt·ed, en·crypt·ing, en·crypts

    1. To put into code or cipher.
    2. Computer Science To alter (a file, for example) using a secret code so as to be unintelligible to unauthorized parties.
    http://dictionary.reference.com/browse/encryption

    So yes, it is a major issue, as it circumvents what the encryption is meant to accomplish.

  6. Ding ding ding by earnest+murderer · · Score: 4, Insightful

    We have a winner...

    The real issue at hand is how much time nerds spend thinking of ways they are right, instead of trying to understand how they might be wrong. iPhone 3gs was never marketed as having strong encryption (http://www.apple.com/iphone/specs.html), the /. crowd simply saw "something" was implemented and decided that the intent was to hide data.

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
  7. What, me worry? by jc42 · · Score: 4, Insightful

    With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?

    Well, as someone who isn't part of any Fortune-100 corporation or military force, I guess my response would be "Not at all."

    It's generally understood and widely acknowledged that the secrecy in such organizations functions primarily to keep their inner workings private from their own populations, i.e., us "little people" who pay to keep them running but aren't allowed to look into their inner workings. If they are riddled with holes in their communications because they're using iPhones or MS Windows or whatever, that means that there's a good chance that investigators can find out what they're up to and inform the rest of us.

    Consider the last few years of disasters in the American financial industry. It's pretty clear now that the perpetrators knew quite well what they were doing, and were profiting quite well from it all. It's the "little people" who are paying for the collapse, while the officers of the corporations are still taking home huge paychecks and bonuses. The reason it went on for so long was that the companies involved were able to keep their shady dealings secret from the great majority of their investors. If we'd had better security holes to see inside them, maybe some of the disaster could have been avoided.

    It's hardly a secret that military security primarily functions to hide their internal corruption (and bungling) from their own citizenry. Making their internal communications available to the citizenry via poor comms security seems like a win for the country as a whole.

    (Yeah; I know; "Such a dreamer." ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.