Slashdot Mirror


iPhone's PIN-Based Security Transparent To Ubuntu

ndogg writes "Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."

56 of 264 comments

  1. Sounds like a feature by kthreadd · · Score: 5, Insightful

    So the problem is that the memory of the iPhone is mounted and that the data is exposed? I may not understand this exactly but hasn't the argument been for many years now that iPods couldn't be directly mounted like that?

    1. Re:Sounds like a feature by stagg · · Score: 5, Funny

      Critical bug! Product too versatile -- works with non-Apple operating systems.

    2. Re:Sounds like a feature by marcansoft · · Score: 5, Informative

      They're not a block device, so you can't mount their filesystem as such. Instead, they're effectively network drives: the proprietary AFC file transfer protocol tunneled over a hugely mutilated version of TCP stuffed into USB packets. Which you can mount under Linux, using FUSE and the appropriate apps (usbmuxd, libimobiledevice, and ifuse). I maintain usbmuxd.

      Apparently Apple relies on security through obscurity here (only their apps are usually able to talk to an iDevice), and the actual protocols aren't secured.

      Incidentally, this is where the term "jailbreaking" comes from: breaking out of the AFC filesystem jail (which is usually limited to the user's data partition). Jailbreaking's original feature was to introduce a secondary AFC share with root privileges on the root directory, and jailbreaks to this day still do. You can use ifuse --root under Linux to mount this secondary share.

    3. Re:Sounds like a feature by flooey · · Score: 4, Interesting

      Which you can mount under Linux, using FUSE and the appropriate apps (usbmuxd, libimobiledevice, and ifuse). I maintain usbmuxd.

      In fact, when you plug an iPhone into a Mac, you can see in the process list that usbmuxd is what Mac OS is using to talk to the device.

    4. Re:Sounds like a feature by fuzzyfuzzyfungus · · Score: 5, Interesting

      I have to wonder what sort of testing Apple (didn't) do here. If it is possible for a Linux machine to mount the filesystem, then setting a PIN clearly has no effect at all on the device's access control of that filesystem. Even if plugged into a Mac or PC running iTunes, the data should be equally accessible.

      Either they simply didn't feel the need to make the PIN actually do much more than lock the screen (arguably fairly misleading), or next to no testing was done, or (even worse), setting the PIN also sets some sort of "politely ignore the data you could easily access" flag, that iTunes obeys and the third-party implementations don't.

    5. Re:Sounds like a feature by marcansoft · · Score: 5, Informative

      Correct. I wrote most of the usbmuxd implementation that we use on Linux as a clone of Apple's version. In fact, you should (as of yesterday) be able to compile libusbmuxd and libimobiledevice and maybe even ifuse (with macFUSE?) and use them together with Apple's usbmuxd on OSX to pull off this hack there. Heck, I think at least libusbmuxd and libimobiledevice should even build on Windows these days (Apple provides a Windows version of usbmuxd with iTunes).

    6. Re:Sounds like a feature by greatica · · Score: 5, Funny

      Breaking into an Apple device: "it just works."

    7. Re:Sounds like a feature by marcansoft · · Score: 5, Informative

      The iPhone 3GS supposedly uses whole-disk encryption. This does squat when your USB comms protocol doesn't request authentication though, since you can pull the data off through the iPhone kernel's transparent decryption layer.

      In other words, this hack has nothing to do with encryption and everything to do with an insecure protocol that makes no attempt to actually request PIN authentication before handing over all your data. Nobody expected your PIN to actually act as key for encryption anyway; that's impossible, as the iPhone has to be able to access your data even while locked.

    8. Re:Sounds like a feature by h4rr4r · · Score: 3, Interesting

      I just want to say thanks for all your work. This was a big thing in getting the last Windows PC in my house to Linux.

    9. Re:Sounds like a feature by Mike+Buddha · · Score: 5, Informative

      The filesystem IS encrypted, but the OS happily decrypts everything for you without any form of authentication. That's the story here.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.

    10. Re:Sounds like a feature by Anonymous Coward · · Score: 2, Informative

      No, the keylock with a well-known generic opening mechanism is what protects against pocket dialing. In the iPhone case I believe that's implemented as a finger slide. The additional PIN code is obviously there to prevent people from using your phone or seeing your data -- and it failed.

    11. Re:Sounds like a feature by Graff · · Score: 3, Informative

      I read through both linked articles and it comes down to only this data is exposed:

      This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents

      Certainly not all of the data on the phone. Your e-mails, notes, application-specific data, address book, password keychain, and so on are still safely encrypted. Yes, this isn't a perfect situation but it's not as dire as it sounds. Most data that people expect to be secure is still secure.

    12. Re:Sounds like a feature by Nerdfest · · Score: 4, Funny

      This does squat when your USB comms protocol doesn't request authentication though, since you can pull the data off through the iPhone kernel's transparent decryption layer.

      It just works ... even when it shouldn't.

    13. Re:Sounds like a feature by Sancho · · Score: 2, Interesting

      And it always will. The purpose of the encryption is to allow remote-wipe (and even local-wipe, I suppose) to be nearly instantaneous. Wipe the key, and the data is unreadable, as opposed to having to spend time wiping the entire contents of the flash memory.

      The encryption isn't meant to be used day-to-day. It's meant to be transparent until you need to destroy your data.

    14. Re:Sounds like a feature by Pharmboy · · Score: 3, Funny

      And honestly, how long would it take a computer to bruteforce a 4-digit numeric password???

      Forever! There must be like a million possible combinations!

      --
      Tequila: It's not just for breakfast anymore!

    15. Re:Sounds like a feature by ToasterMonkey · · Score: 2

      Even if plugged into a mac or PC running iTunes, the data should be equally accessible.

      What do other phones do? Connect a BlackBerry to a PC with BlackBerry Desktop, for example.
      Does iTunes ask for the PIN each time it syncs a PIN-locked iPhone? I must be missing something.

      Does this trick allow use of the SIM card without entering its PIN? Could someone who has both phones elaborate?
      I don't ever remember having to enter a PIN to pair a BlackBerry other than the random one for pairing Bluetooth devices, which is responsible only for encrypting the wireless transmission.

      I know "access data locally without authenticating" sounds scary, but I'm not exactly sure what the precedent is for phones authenticating with peers (Bluetooth pairing is authorization, not authentication).

    16. Re:Sounds like a feature by totally+bogus+dude · · Score: 2, Informative

      Can't speak to Blackberries and such, but on my Symbian-based phone (Samsung i8510) if I connect it to USB while it's PIN-locked all it does is recharge. I did this on my work PC while watching /var/log/dmesg and all it registered was a USB HUB being connected. No access to the phone memory at all. After I entered the PIN, the phone's internal storage and the SD card I have in were suddenly available.

      Of course, if you have physical access to my phone you can pull out the SD card, which doesn't have any protection at all. But it's mostly just music on that, I think all my "private" information is on the internal memory and/or the SIM (which I also have a PIN on).

    17. Re:Sounds like a feature by GillyGuthrie · · Score: 2, Informative

      lol...yep 4^10

      Actually it's 10^4 (10,000 permutations), not 4^10 (1048576 permutations).

    18. Re:Sounds like a feature by marcansoft · · Score: 2, Funny

      The "S" stands for "crappy failed security-through-obscurity DRM that absolutely no one actually uses in the real world". It has nothing to do with actual security.

    19. Re:Sounds like a feature by marcansoft · · Score: 4, Informative

      OK, upon further testing (I don't use a passcode myself so I never even looked into this) and getting some information from others, it looks like this isn't a total oversight on Apple's part, but it is a real bug that requires a specific sequence to trigger.

      Here's how it's supposed to work:

      • The first time you connect an iPhone to a specific computer, the iPhone will "pair" with the computer. This happens behind the scenes.
      • This pairing process is disabled while the phone is locked with a passcode.
      • Once paired, that computer will always be able to talk to that phone, even while locked.

      The actual bug is that there's a race condition during boot. There's a window during which the lock code setting hasn't been read, during which the phone will accept pairing requests even though it shouldn't.

      If you want to try it on Linux, do this:

      • Delete ~/.config/{libiphone,libimobiledevice} to clear the pairing data
      • Create a directory to mount the device on
      • Configure a passcode on your device and shut it down
      • Have a syslog window open
      • Plug it into USB and power it on
      • As soon as you see your device enumerate with the USB subsystem, start spamming ifuse <mountpoint> on a terminal
      • With any luck it will pair and mount. From now on you can unmount it and mount it as many times as you wish with this computer.

      Notice how the "slide to unlock" SpringBoard screen will not have yet appeared when this works. Once it does, the passcode has been configured and pairing will no longer work. On the latest version of Ubuntu it tries to automount as soon as it sees the device, which makes this bug a lot more obvious.
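      The boot-time race described in this comment, modelled as an added example (not code from the thread, from usbmuxd/libimobiledevice or from Apple): the device state machine answers pairing requests before the lock-code setting has been read, and the hardened variant treats "setting not yet known" as locked. Host names and the event order are constructed to match the sequence above.

```python
# Added example (not code from the thread, usbmuxd, libimobiledevice or Apple):
# a small model of the boot-time pairing race described above, with the
# vulnerable "fail open while the setting is unknown" behaviour beside the
# hardened "fail closed" variant. Host identifiers are constructed.
from dataclasses import dataclass, field
from enum import Enum


class LockState(Enum):
    UNKNOWN = "unknown"    # early boot: lock-code setting not read yet
    NO_PASSCODE = "none"   # no passcode configured
    LOCKED = "locked"
    UNLOCKED = "unlocked"


@dataclass
class Device:
    passcode_set: bool
    fail_closed: bool                       # True = hardened behaviour
    lock: LockState = LockState.UNKNOWN
    paired_hosts: set = field(default_factory=set)

    def read_lock_setting(self) -> None:
        """Boot step that reads the passcode setting from storage."""
        self.lock = LockState.LOCKED if self.passcode_set else LockState.NO_PASSCODE

    def unlock(self) -> None:
        """User enters the passcode on the SpringBoard lock screen."""
        if self.lock is LockState.LOCKED:
            self.lock = LockState.UNLOCKED

    def pairing_allowed(self) -> bool:
        if self.lock is LockState.UNKNOWN:
            # The bug: pairing is accepted before the setting has been read.
            # Fail-closed treats "not yet known" exactly like "locked".
            return not self.fail_closed
        return self.lock in (LockState.NO_PASSCODE, LockState.UNLOCKED)

    def pair(self, host_id: str) -> bool:
        """First contact from a host; returns True if the host ends up paired."""
        if host_id in self.paired_hosts:
            return True
        if not self.pairing_allowed():
            return False
        self.paired_hosts.add(host_id)
        return True

    def afc_access(self, host_id: str) -> bool:
        """Once paired, a host can talk to the phone even while it is locked."""
        return host_id in self.paired_hosts


def boot_and_pair(fail_closed: bool, pair_in_boot_window: bool) -> dict:
    """Replay the sequence from the thread: USB enumerates first, the host keeps
    retrying, then the lock-code setting is read and SpringBoard appears."""
    dev = Device(passcode_set=True, fail_closed=fail_closed)
    host = "linux-box"                      # constructed host identifier
    first_attempt = dev.pair(host) if pair_in_boot_window else False
    dev.read_lock_setting()                 # the window closes here
    late_attempt = dev.pair(host)           # a retry after the setting is read
    return {
        "paired_in_window": first_attempt,
        "paired_after_boot": late_attempt,
        "data_reachable_while_locked": dev.afc_access(host),
        "lock": dev.lock.value,
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("fail_closed=%s -> %s" % (hardened, boot_and_pair(hardened, True)))
```

      Only the fail-open model ends up with a paired host that can reach data while the phone is locked; once the setting is loaded, both models refuse new pairings until the user unlocks.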

    20. Re:Sounds like a feature by torkus · · Score: 2, Informative

      Sorry but no. The encryption is enabled on all 3GS phones (and only 3GS, not 3G or prior) full time and can not be disabled.

      The 3GS *has* functional security except for the number of holes that have been poked in it.

      I don't know what rep you're talking to but he's misinformed and would otherwise be totally in violation of Apple's disclosure policy which reads something like 'if you tell anyone before Jobs does you're fired on the spot'.

      We too are doing testing @ work, but all the holes that hackers keep poking into the iPhone keep putting the launch off 'until the next (secure) release'.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.

  2. Re:Who says... by Lord+Lode · · Score: 3, Informative

    Apparently it's so hard to use that they can't even reproduce it at Apple.

  3. Re:Hard drive by f8l_0e · · Score: 2, Informative

    All of its storage is flash memory soldered to the logic board. There is no way to remove the storage.

  4. Updated story by OzPeter · · Score: 4, Informative

    From TFA: Apple could reproduce the described serious issue and believes it understands why this can happen, but cannot provide timing or further details on the release of a fix.

    --
    I am Slashdot. Are you Slashdot as well?

  5. Apple can now reproduce by KnownIssues · · Score: 4, Informative

    Bernd Marienfeldt updated his blog saying Apple is now able to reproduce the problem and believes they know the cause, but no timing on fix release.

    1. Re:Apple can now reproduce by Minwee · · Score: 3, Informative

      The fix, of course, will be to prevent iPhones from being accessible from Ubuntu.

  6. This is not Apple's problem. by gimmebeer · · Score: 5, Funny

    It is a security problem with Ubuntu and should be fixed by their dev team before they are sued for hacking. After all, the iPhone was not meant to be connected to anything other than Apple software.

  7. Re:Attention Naysayers by egcagrac0 · · Score: 4, Funny

    You two have fun with that.

  8. And? by lennier1 · · Score: 5, Insightful

    Will their fix consist of actually making the device more secure, or will they just try to make it harder to use it with Linux systems?

  9. Re:Who says... by Amarantine · · Score: 2, Informative

    That joke is getting a bit old, with Apple selling 4-button mice with every iMac for 5 years now.

  10. Re:Hard drive by Anonymous Coward · · Score: 2, Funny

    Would doing that wipe the flash?

    It will if you use the Apple-standard soldering iron. Anything else is unsupported.

  11. Re:Physical Access = Root Access by Elbart · · Score: 4, Informative

    But that's exactly how Apple is advertising the 3GS: http://www.apple.com/iphone/business/integration/#securing

  12. PIN != content access control by Steve+Max · · Score: 3, Insightful

    The GSM standard defines a PIN as an access number for your SIM card. It has nothing to do with your phone's contents. Most phones allow you to set up a security key, which is needed either to turn on the phone every time (even if you have your SIM set up not to need a PIN), or when you change the SIM.

    I don't know if this is actually the same PIN defined by the GSM standard or if it's another, Apple-specific key; but when you're talking about phones, PIN is connected to the SIM, or to the phone line, not to the phone contents.

    1. Re:PIN != content access control by Steve+Max · · Score: 2, Insightful

      So, they're not talking about the PIN in the meaning you expect when discussing phones, but about a security code that has no connection with the GSM PIN. Or, in other words, you don't have to use that key when you put your iPhone's SIM in another phone.

      Why can't people keep consistency? Calling a security code "PIN" when discussing cell phones is like calling a DVD "hard disc". It's not technically wrong (it's a "personal identification number", or a hard, disc-shaped object), but the word has a completely different usual meaning when used in context.

    2. Re:PIN != content access control by Steve+Max · · Score: 2, Funny

      I expected more from Slashdot. Yeah, I know, I must be new here.

  13. Attempted to duplicate - not quite what they say by __aaaaxm1522 · · Score: 4, Informative

    I plugged my iPhone 3GS into my Ubuntu box. While it's true that Ubuntu did automount the iPhone, the only thing I can find that was exposed was my music, photos and podcasts.

    I wasn't able to access email, contact info, or anything else on the phone. I did see the Application Archives, PublicStaging, Purchases, and Safari folders but they're empty. I have lots of email and contact info on the device - but it appears to be inaccessible via this method.

  14. RTFA.. by Anonymous Coward · · Score: 5, Informative

    From Apple:

    Apple iPhone Security Overview [1]:

    Data Protection:

    Protecting data stored on iPhone is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in trans-mission, iPhone 3GS provides hardware encryption for data stored on the device.

    Encryption:

    iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

    1. Re:RTFA.. by Late+Adopter · · Score: 2, Interesting

      So when someone rips the flash chips off the board, they can't read them, but when they just, you know, ASK the iPhone for the data, it gives it to them?

      Security by friendliness?

  15. Re:Wow. by Anonymous Coward · · Score: 5, Funny

    I think that this is just ridiculous and just more evidence that Linux users are nothing but criminals and thieves and open source should just be outlawed. It is this "free" software that engenders this attitude of laissez-faire we can do whatever we like without paying for anything that is the direct cause of security breaches such as this with the iPhone. The fact that open sores can continue to exist despite the hundreds of intellectual thefts in the form of Microsoft's patents, Fraunhofer Institutes patents with the mp3 players, Unix copyright thefts.

    Don't you freetards get it? If you want something, you have to pay for it. And 100 dollars for something as great as an OS isn't that much. Look at the great things Bill Gates has done with his Windows money. Furthermore, you can't just steal it and expect to always get away. How are developers supposed to be paid? How is the US economy supposed to grow if its greatest companies like MS, Apple, SCO, Oracle, IBM, etc. are brought down by this communist freeware? If I had my way, you'd all be hunted down and put under the jail.

  16. Already fixed in iPhone OS 4.0 by bic2k · · Score: 5, Interesting

    Ya, one of the new features in iPhone OS 4.0 is "Data Protection". Specified files for applications are encrypted and decrypted on the fly. The phone has to be unlocked (valid PIN entered) to access the data.

    Seems like they already handled this issue, unless someone wants to test that on an iPhone with 4.0 running on it...

    --
    --- its to bad about the monkey, I kinda liked them

  17. Re:Wow. by VGPowerlord · · Score: 5, Funny

    It's OK, Steve. It's OK. No need to start throwing chairs here.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011

  18. Re:Hard drive by Anonymous Coward · · Score: 2, Funny

    You misunderstand, rocket surgeons operate with explosives..

  19. Re:Hard drive by f8l_0e · · Score: 3, Informative

    Except I believe that the memory on the iPhone is composed of ball grid array chips. So then it becomes an issue of using a reflow gun or oven. Then, once you have removed those, you need to reball the chips or have a BGA prototyping socket and then attach it to a compatible controller chip. Then, unless you have done this to all of the chips to dump their contents so you have a complete filesystem, all you have is useless bits. So, while not impossible, it is not a 30 second procedure like hooking up a hard drive.

  20. Re:Wow. by spazdor · · Score: 4, Funny

    I say we send them to boot camp.

    --
    DRM: Terminator crops for your mind!

  21. Re:Attempted to duplicate - not quite what they sa by Benanov · · Score: 3, Informative

    Read the advisory more carefully. You need to turn off your phone, connect it, then boot the phone while it's connected to the Lucid box.

    The security check is bypassed at boot, probably assuming the phone needed to be recovered.

  22. Re:Attention Naysayers by oakgrove · · Score: 2, Funny

    We certainly will. And thanks again for your support!

    --
    The soylentnews experiment has been a dismal failure.

  23. Re:Hard drive by Anonymous Coward · · Score: 5, Informative

    Here you have gone from saying there is no way to remove the storage (+5 Informative, haha), to saying there is a viable way to remove the storage. Kudos to you, sir. Now, where's my +5 Informative?

  24. Re:Ubuntu feature == exploit? by suomynonAyletamitlU · · Score: 2, Funny

    That's amazing, I have the same combination on my luggage!

  25. Re:Better not fix it. by geekoid · · Score: 2, Informative

    There have been Linux tools for getting music on and off the iPod since about a week after the first iPod came out.

    Yeah, Apple doesn't support it, but so what?

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  26. Old news ... by BitZtream · · Score: 2, Insightful

    Yes, you can get the raw data off without a PIN.

    The original phones up until the 3GS didn't encrypt the data.

    The 3GS and presumably 4.0 phones encrypted the data using a key that isn't (in theory) directly accessible to anyone outside the phone OS and, more specifically, hardware.

    So yes, there have been many ways to get data off 2G and 3G devices. 3GS and 4.0 devices work in a different way, so short of ripping apart a chip to get the key, the best you'll get is an encrypted memory dump, which is more or less worthless unless you can get the key out of the hardware.

    On older phones with newer OSes a remote wipe destroys the key. Updated versions of the software first destroy the key, then proceed to overwrite the encrypted data itself to make it useless even if you obtained the key somewhere else.

    Basically, Apple realized this was stupid 2 revisions of the hardware back and has since fixed the issue.

    When you unlock the phone, you effectively add the key to the file system keystore so it can decrypt the files.

    If you unlock your phone, you have ... unlocked your phone. What's the difficulty in understanding this?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  27. Re:Wow. by jargoone · · Score: 2, Insightful

    And only one of them has the strength to lift a chair, let alone throw it.

  28. Re:Who says... by jo_ham · · Score: 3, Funny

    The i in "iMac" does not stand for the square root of minus one.

    All Macs are in the real set.

  29. Re:Who says... by shellbeach · · Score: 2, Interesting

    That joke is getting a bit old, with Apple selling 4-button mice with every iMac for 5 years now.

    Nah. It's still good for many of us :) And besides, Apple can't quite get away from the one-button meme -- even with their multiple button mice, they try and hide the different buttons under one big button. (Something which I would have thought was the single worst interface design decision ever, incidentally ...)

    Anyway, I'm not sure what's the big deal about being able to read a small portion of the iPhone drive in Ubuntu -- you still can't access any application data or any of the databases that store your contacts/notes/whatevers. It does mean someone can copy your music ... but that's surely a good thing! And access to part of the file system isn't exactly unusual -- even without Ubuntu, you should be able to see the iPhone's DCIM photo folder when you plug the device into a computer.

  30. Re:Hard drive by exomondo · · Score: 2, Funny

    If I had a magical land, there would be no ASSHOLES, so your post wouldn't be here to reply to.

    And you'd just be full of shit.

  31. Re:Wow. by jetole · · Score: 2, Interesting

    This is a joke. Right? I mean, how is this evidence for anything other than the fact that I paid for a phone that did not have proper security programmed into it in the first place? It took open source programmers who worked for free (I assume) to point out how the paid-for product had dropped the ball and didn't have real security in the first place. Furthermore, Linux is free because the author didn't want to charge for it. Are you saying the OS is invalid because he didn't put a price tag on it? By the way, if you are not joking then you should know MS, Oracle and IBM (those are just the ones I am aware of in your list) provide open source freeware (MS working on both Silverlight/Moonlight through Novell and Active Directory with/through Samba). Also, if you are not joking, please tell me you are confined to an institution that makes sure a spork is the most dangerous thing you have access to. You sound like the last person that should own a gun.

    If you think free software should be outlawed, all you are doing is mandating a law that says people have to charge for something even if they don't want to.

    P.S. FOSS people are not known to steal anything; instead we create it from scratch, and the iPhone code that Ubuntu 10.04 uses was built from scratch. It was not taken from any code Apple provided, as Apple has never provided that code to anyone AFAIK. MS has only ever made idle threats about patents without naming any identifiable aspect of it. What have we stolen from anyone? If I don't want to use Windows or OS X, do you think you have the right to say I can't program productive software for it, or do you honestly believe that we have somehow hacked into Apple and stolen the source code for the iPhone?

    P.P.S.: The post is true. I have been able to access my PIN protected iPhone 3G (not 3GS) from Ubuntu 10.04 since I installed it. The security aspect is a bit of a concern but then again, since I knew cops have been able to do this all along then I am not that surprised. The plus side is I can now upload songs to my iPhone from Linux without doing a Jail Break (I'm reluctant to Jail Break) and without having to run an app in Wine (since I hate Windows emulation) so kudos to Ubuntu for exposing a security vulnerability and at the same time making the iPhone more usable on Linux. Job well done.

  32. From Iphone3G API documentation... by SharpFang · · Score: 2, Insightful

    You can't blame Apple for Ubuntu mis-implementing the API and skipping a step described as mandatory.

    From Iphone3G API documentation...

    7.4 Mounting the phone filesystem over USB

    (...)
    User authentication must be assured to mount encrypted filesystem. A call to validatePIN() method is a mandatory step before attempting to acquire the system key and mounting the filesystem. A typical scenario of mounting the filesystem goes like this:

    IphoneSecurity& sec = Iphone::Security();
    IphoneSecurity::EncKey key = NULL;
    IphoneIO::Partition mp = NULL;

    if(sec.validatePIN() == true)
    {
          key = sec.getEncKey();
          mp = sec.mount(device,mountpoint,options,key);
    }
    else
    { //error handling
    }

    it's a spoof, dummies

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2