iPhone's PIN-Based Security Transparent To Ubuntu
ndogg writes "Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."
So the problem is that the memory of the iPhone is mounted and that the data is exposed? I may not understand this exactly but hasn't the argument been for many years now that iPods couldn't be directly mounted like that?
Linux is hard to use?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
All of its storage is flash memory soldered to the logic board. There is no way to remove the storage.
From TFA: Apple could reproduce the described serious issue and believes it understands why this can happen, but cannot provide timing or further details on the release of a fix.
I am Slashdot. Are you Slashdot as well?
Hey, 1 2 3 4 might be obvious to you, but it wasn't for me!
There's no -1 for "I don't get it."
Bernd Marienfeldt updated his blog saying Apple is now able to reproduce the problem and believes they know the cause, but no timing on fix release.
[citation needed]
So this is one of those "Hey, that's the combination on my luggage" things?
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
Let us Ubuntu fanboiz have a moment to gloat before trashing our OS as a whole.
Thanks.
0 = 1 + e^(Alt something)
All of its storage is flash memory soldered to the logic board. There is no way to remove the storage.
Except with a soldering iron. And I imagine it's fairly standard flash memory at that.
Or am I missing something? Would doing that wipe the flash?
It is a security problem with Ubuntu and should be fixed by their dev team before they are sued for hacking. After all, the iPhone was not meant to be connected to anything other than Apple software.
Clearly Ubuntu is some kind of crazy hacker operating system, and Apple should block their products from working with it.
Give me a solder sucker, a USB keydrive with a compatible flash chip controller, and I'll have it removed. Just because it's soldered on doesn't mean it's impossible to transfer the flash to something else, plug it in, and read it.
Will their fix consist of actually making the device more secure, or will they just try to make it harder to use it with Linux systems?
No safe, practical way. You can always cut it out, but soldering it back in may present issues.
No way for a casual attacker to do so. It doesn't take a rocket surgeon to remove the chips, which are a well-understood commodity item, and talk to them directly.
Depending on exactly how bad-block information and the like are stored, they may run into some trouble there; but only proper data encryption would actually stop them.
Would doing that wipe the flash?
It will if you use the Apple-standard soldering iron. Anything else is unsupported.
But that's exactly how Apple is advertising the 3GS: http://www.apple.com/iphone/business/integration/#securing
Wait a sec... if I plug in my phone, iTunes automatically makes a backup of everything on it.
This backup doesn't require a PIN either!
It is standard flash memory. Desoldering and reading the data is not hard at all.
I think making sense of the raw data is more of a challenge than the desoldering and reading.
The GSM standard defines a PIN as an access number for your SIM card. It has nothing to do with your phone's contents. Most phones allow you to set up a security key, which is needed either to turn on the phone every time (even if you have your SIM set up not to need a PIN), or when you change the SIM.
I don't know if this is actually the same PIN defined by the GSM standard or if it's another, Apple-specific key; but when you're talking about phones, PIN is connected to the SIM, or to the phone line, not to the phone contents.
Seriously, people are shocked by this? Did anyone actually think entering a PIN was encrypting the device? Who told you that it would?
This was a feature intended to keep your jerkwad friends from picking up your phone and prank-texting your boss or girlfriend. Nothing more.
Helpful hint to all those who were fooled by this: those "fingerprint scanner" apps in the App Store aren't real, either.
Too late to be known as Bush the First, he's sure to be known as Bush the Worst.
Indeed, and the next update will cause the entire unit to melt if mods are not done with the iSolderingIron.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I plugged my iPhone 3GS into my Ubuntu box. While it's true that Ubuntu did automount the iPhone, the only thing I can find that was exposed was my music, photos and podcasts.
I wasn't able to access email, contact info, or anything else on the phone. I did see the Application Archives, PublicStaging, Purchases, and Safari folders but they're empty. I have lots of email and contact info on the device - but it appears to be inaccessible via this method.
From Apple:
Apple iPhone Security Overview [1]:
Data Protection:
Protecting data stored on iPhone is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in transmission, iPhone 3GS provides hardware encryption for data stored on the device.
Encryption:
iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.
This is just too funny.
The latest release of iTunes crashes in my XP VM.
The latest Ubuntu can read an iPhone like a regular iPod again.
So my Ubuntu VM is a better environment for dealing with my iPhone than my XP VM is.
What a hoot.
A Pirate and a Puritan look the same on a balance sheet.
If you try three wrong PINs, your SIM card is locked; so probably they don't do this. Unless, of course, people are using PIN for something entirely different from what PIN means when discussing GSM phones.
Not being able to talk with Linux is one of the things that has kept me off iPods for years. I finally liked the features of the iPod touch and buckled, and used it in VirtualBox under Windows/iTunes (so I didn't have to jailbreak it).
Now, finally, Rhythmbox can seamlessly put music on my iPod. If they take that functionality away, then that oft-publicized letter that Jobs put forth touting open standards as an excuse for not supporting Flash is going to be exposed as pure and utter hogwash.
Karma: Non-Heinous
I think that this is just ridiculous and just more evidence that Linux users are nothing but criminals and thieves and open source should just be outlawed. It is this "free" software that engenders this attitude of laissez-faire, we can do whatever we like without paying for anything, that is the direct cause of security breaches such as this with the iPhone. The fact that open sores can continue to exist despite the hundreds of intellectual thefts in the form of Microsoft's patents, the Fraunhofer Institute's patents with the mp3 players, Unix copyright thefts.
Don't you freetards get it? If you want something, you have to pay for it. And 100 dollars for something as great as an OS isn't that much. Look at the great things Bill Gates has done with his Windows money. Furthermore, you can't just steal it and expect to always get away. How are developers supposed to be paid? How is the US economy supposed to grow if its greatest companies like MS, Apple, SCO, Oracle, IBM, etc. are brought down by this communist freeware? If I had my way, you'd all be hunted down and put under the jail.
Seriously, they don't encrypt the content of an iPhone by default? I mean, it's not the default on BlackBerry, but it's there and BlackBerry has been around for a long time. When making a new device, why not build encryption into the filesystem? Apple has all the components already from their desktop and it can't suck that much battery. Now Apple is offering encryption just for e-mail? Really, that isn't good enough. And while I'm at it, Google, what's up with you doing the same bloody thing? Come on guys. It's 2010. Encryption should be there by default so if your phone is stolen the data is useless, especially if you're going to offer a remote wipe. Wiping just the keys is a lot faster than hoping they don't turn it off while you wipe the whole drive.
You don't even need to remove it from the board, just connect up some leads to the pins and you can read it without leaving a single scratch. That's what my solder-less Wii mod chip does, it's a socket that fits right over the chip and has contacts that touch the pins.
Rocket surgeons? Do they operate on explosives or fuel?
Yeah, one of the new features in iPhone OS 4.0 is "Data Protection". Specified files for applications are encrypted and decrypted on the fly. The phone has to be unlocked (valid PIN entered) to access the data.
Seems like they already handled this issue, unless someone wants to test that on an iPhone with 4.0 running on it...
--- it's too bad about the monkey, I kinda liked them
It's OK, Steve. It's OK. No need to start throwing chairs here.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
You misunderstand, rocket surgeons operate with explosives.
Except I believe that the memory on the iPhone is composed of ball grid array chips. So then it becomes an issue of using a reflow gun or oven. Then, once you have removed those, you need to reball the chips or have a BGA prototyping socket, and then attach it to a compatible controller chip. Then, unless you have done this to all of the chips to dump their contents so you have a complete filesystem, all you have is useless bits. So, while not impossible, it is not a 30 second procedure like hooking up a hard drive.
I say we send them to boot camp.
DRM: Terminator crops for your mind!
...and these things need to be accessible without PIN for compatibility with third party devices. Sounds like Apple just needs to clarify that iPod functions are not encrypted... or offer an option to encrypt them.
Wonder if remote wipe kills this content as well?
Read the advisory more carefully. You need to turn off your phone, connect it, then boot the phone while it's connected to the Lucid box.
The security check is bypassed at boot, probably assuming the phone needed to be recovered.
Hardly.
I'm just feeding the troll.
In your magic land the heat gun has not been invented yet?
You could use a heat gun, a reflow oven, hell a soldering iron and a solder sucker. Removing chips is not rocket surgery.
There's "fix" as in completely remove the functionality, and "fix" as in allow the proper mounting after the PIN is supplied.
You're missing the point. The data is supposed to be encrypted. It is not. It's not even protected by the PIN.
If I had a magical land, there would be no ASSHOLES, so your post wouldn't be here to reply to.
Here you have gone from saying there is no way to remove the storage (+5 Informative, haha), to saying there is a viable way to remove the storage. Kudos to you, sir. Now, where's my +5 Informative?
That's amazing, I have the same combination on my luggage!
If it exposes your media, like the older iPods did, that's a great thing in its own right.
---- Booth was a patriot ----
He's referring to Bluetooth pairing passcode, I bet. I would have thought the article would have mentioned if this was a Bluetooth attack -- that would make this about 1000 times more serious.
You don't even need to remove it from the board, just connect up some leads to the pins and you can read it without leaving a single scratch. That's what my solder-less Wii mod chip does, it's a socket that fits right over the chip and has contacts that touch the pins.
Except that the pins are not so easily accessible on an IC in a BGA package: http://en.wikipedia.org/wiki/Ball_grid_array
Here I sit, all broken hearted.
Came to poop, but only farted.
You can mount iPhones as disks for free on Mac with "Disk for iPhone" http://code.google.com/p/iphonedisk/ or "Phone Disk" http://www.macroplant.com/phonedisk/
I do it all the time!
Yes, you can get the raw data off without a PIN.
The original phones up until the 3GS didn't encrypt the data.
The 3GS and presumably 4.0 phones encrypted the data using a key that isn't (in theory) directly accessible to anyone outside the phone OS and, more specifically, the hardware.
So yes, there have been many ways to get data off 2G and 3G devices. 3GS and 4.0 devices work in a different way, so short of ripping apart a chip to get the key, the best you'll get is an encrypted memory dump, which is more or less worthless unless you can get the key out of the hardware.
On older phones with newer OSes a remote wipe destroys the key. Updated versions of the software first destroy the key, then proceed to overwrite the encrypted data itself to make it useless even if you obtained the key somewhere else.
Basically, Apple realized this was stupid two revisions of the hardware back and has since fixed the issue.
When you unlock the phone, you effectively add the key to the file system keystore so it can decrypt the files.
If you unlock your phone, you have ... unlocked your phone. What's the difficulty in understanding this?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
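The key hierarchy the two posts above describe (a file key that is only unwrapped into the keystore once the PIN unlocks the phone, files that stay readable without a PIN for iPod-style media access, and a remote wipe that destroys the key), as an added model that is not code from any poster or from Apple. An HMAC-based toy stream cipher and a PBKDF2 derivation stand in for the device's AES engine and real key derivation; HARDWARE_UID, Device and its methods are hypothetical names.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the per-device key fused into the hardware; it never leaves the chip.
HARDWARE_UID = secrets.token_bytes(32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher standing in for the hardware AES engine."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_unlock_key(pin: str, salt: bytes) -> bytes:
    """PIN-derived key entangled with HARDWARE_UID, so PIN guesses must run on the device itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + HARDWARE_UID, salt, 50_000)


class Device:
    def __init__(self, pin: str):
        file_key = secrets.token_bytes(32)   # the key that really encrypts protected files
        self.salt = os.urandom(16)
        kek = derive_unlock_key(pin, self.salt)
        # Only the wrapped copy of file_key lands on flash, plus a check value to validate the PIN.
        self.wrapped_key = keystream_xor(kek, b"wrap", file_key)
        self.check = hmac.new(file_key, b"kcv", hashlib.sha256).digest()
        self.flash = {}            # name -> (protected?, nonce, bytes as stored on flash)
        self.unlocked_key = None   # the keystore entry; populated only after a successful unlock

    def unlock(self, pin: str) -> bool:
        if self.wrapped_key is None:   # a remote wipe already destroyed the wrapped key
            return False
        candidate = keystream_xor(derive_unlock_key(pin, self.salt), b"wrap", self.wrapped_key)
        tag = hmac.new(candidate, b"kcv", hashlib.sha256).digest()
        if not hmac.compare_digest(self.check, tag):   # wrong PIN unwraps to garbage
            return False
        self.unlocked_key = candidate
        return True

    def lock(self) -> None:
        self.unlocked_key = None

    def write(self, name: str, data: bytes, protected: bool) -> None:
        if protected and self.unlocked_key is None:
            raise PermissionError("device is locked")
        nonce = os.urandom(12)
        stored = keystream_xor(self.unlocked_key, nonce, data) if protected else data
        self.flash[name] = (protected, nonce, stored)

    def read(self, name: str):
        protected, nonce, stored = self.flash[name]
        if not protected:
            return stored   # media-style files: readable with or without the PIN
        return None if self.unlocked_key is None else keystream_xor(self.unlocked_key, nonce, stored)

    def mount_raw(self) -> dict:
        """What a host sees when it mounts the flash without supplying the PIN."""
        return {name: stored for name, (_, _, stored) in self.flash.items()}

    def remote_wipe(self) -> None:
        """Crypto-erase: dropping the wrapped key makes every protected file unrecoverable at once."""
        self.wrapped_key = None
        self.unlocked_key = None
```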
Why bother? Just make a backup of the phone, then restore the backup to a new one and swap the SIM card. As long as it's the same color and in the same case, the victim is unlikely to notice.
Good luck with using a solder sucker on that BGA flash part.
And only one of them has the strength to lift a chair, let alone throw it.
This is awesome. I may not upgrade to iPhone OS 4. Oh wait, I can't anyway because I'm first gen. Then I guess I may not upgrade to an iPhone 4G. After this phone dies, I'll choose something more interoperable like... anything.
Insightful? Mods... really?
mod parent up, informative!!!
1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765
But that's exactly how Apple is advertising the 3GS: http://www.apple.com/iphone/business/integration/#securing
The level of security on an iPhone that has the enterprise deployment features enabled is much higher than the security on a non-enterprise iPhone. I'd be interested to see if this trick works on an enterprise iPhone or if it only works on a non-enterprise one. I'm betting that page you linked is completely accurate when we are talking about enterprise deployment.
Sapere aude!
A long time ago I learned that all other security comes after physical security. Without physical security, nothing else matters. Apple should remember this when giving out prototype next gen products to employees. -ted
Of course they can't reproduce it... somebody at Apple has to own a Linux system first.
I thought these devices would have encrypted the files in the filesystem; that is why the PIN... Seems odd.
Open sores, open source, same thing.
If I had a magical land, there would be no ASSHOLES, so your post wouldn't be here to reply to.
And you'd just be full of shit.
Benanov: Read my post more carefully (and the original article) before you tell me to read more carefully.
I did exactly what was described in the security advisory and saw the exact same thing they did. I'm just pointing out that almost no "personal" data was exposed (by "personal", I mean emails, calendar and contact info). Your music & photos are up for grabs, and that's not a good thing. But far less damaging than full access to my email accounts as far as I'm concerned.
Besides, don't most people *want* access to their media on the iPhone/iPod? Remember when you could mount old iPods as drives and access the music on them (there was no "security check" there either). Well, this seems to be the same thing, albeit unintentional (or is it?)
Maybe it is enough to put Mr. proper chmod on the folders?
This is a joke. Right? I mean, how is this evidence for anything other than the fact that I paid for a phone that did not have proper security programmed into it in the first place? It took open source programmers who worked for free (I assume) to point out how the paid-for product had dropped the ball and didn't have real security in the first place. Furthermore, Linux is free because the author didn't want to charge for it. Are you saying the OS is invalid because he didn't put a price tag on it? By the way, if you are not joking then you should know MS, Oracle and IBM (those are just the ones I am aware of in your list) provide open source freeware (MS working on both Silverlight/Moonlight through Novell and Active Directory with/through Samba). Also, if you are not joking, please tell me you are confined to an institution that makes sure a spork is the most dangerous thing you have access to. You sound like the last person that should own a gun.
If you think free software should be outlawed, all you are doing is mandating a law that says people have to charge for something even if they don't want to.
P.S. FOSS people are not known to steal anything; instead we create it from scratch, and the iPhone code that Ubuntu 10.04 uses was built from scratch. It was not taken from any code Apple provided, as Apple has never provided that code to anyone AFAIK. MS has only ever made idle threats about patents without naming any identifiable aspect of it. What have we stolen from anyone? If I don't want to use Windows or OS X, then do you think you have the right to say I can't program productive software for it, or do you honestly believe that we have somehow hacked into Apple and stolen the source code for the iPhone?
P.P.S.: The post is true. I have been able to access my PIN protected iPhone 3G (not 3GS) from Ubuntu 10.04 since I installed it. The security aspect is a bit of a concern but then again, since I knew cops have been able to do this all along then I am not that surprised. The plus side is I can now upload songs to my iPhone from Linux without doing a Jail Break (I'm reluctant to Jail Break) and without having to run an app in Wine (since I hate Windows emulation) so kudos to Ubuntu for exposing a security vulnerability and at the same time making the iPhone more usable on Linux. Job well done.
You can't blame Apple for Ubuntu mis-implementing the API and skipping a step described as mandatory.
From Iphone3G API documentation...
7.4 Mounting the phone filesystem over USB
(...)
User authentication must be assured to mount encrypted filesystem. A call to validatePIN() method is a mandatory step before attempting to acquire the system key and mounting the filesystem. A typical scenario of mounting the filesystem goes like this:
    IphoneSecurity& sec = Iphone::Security();
    IphoneSecurity::EncKey key = NULL;
    IphoneIO::Partition mp = NULL;
    if(sec.validatePIN() == true) //error handling
    {
        key = sec.getEncKey();
        mp = sec.mount(device,mountpoint,options,key);
    }
    else
    {
    }
it's a spoof, dummies
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
5/10 not nearly subtle enough you can do better
Security Through Arrogance.
If I jailbreak my iPod touch, my warranty is voided. That's what.
You really think they'll do the latter? It seems like it would just take a lot less man-hours (read: money) to just make it so that you provide the PIN through the only platform available (read: iTunes) to do so, thus negating the user experience for anybody not on Windows or Mac.
It does not, but that won't stop the Apple haters on /.
Ogre Wedding Planners llc.
This flaw can be defeated with a remote wipe, which you can do if your phone is either set up with the MobileMe "Find My iPhone" feature or provisioned through Exchange.
Apple will have to implement a key exchange protocol and keep that closed source. Every security measure can eventually be discovered but providing the source is giving a major head start for the would be hacker to try brute force attacks against a known implementation.
Jesus was a compassionate social conservative who called individuals to sin no more.