<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: iPhone 3G S &#8211; Hardware Encryption?</title>
	<atom:link href="http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption/feed" rel="self" type="application/rss+xml" />
	<link>http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption</link>
	<description>Rants and raves from information security professionals</description>
	<lastBuildDate>Sat, 19 May 2012 23:32:04 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Timothy Kellar</title>
		<link>http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption/comment-page-1#comment-42148</link>
		<dc:creator>Timothy Kellar</dc:creator>
		<pubDate>Sat, 03 Jul 2010 23:37:19 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=1120#comment-42148</guid>
		<description>Great write up. The iPhone is truly revolutionary and I don&#039;t like being without it. This time last year I had jumped in a pool with my iPhone and it was dead. I had to wait 9 days before I was able to purchase a new one. The phone I had was a cheap go phone. I really love all the apps that can be downloaded to the iPhone. The best part about the iPhone to me is the ability to check emails on the fly. Thanks for the information.</description>
		<content:encoded><![CDATA[<p>Great write up. The iPhone is truly revolutionary and I don&#8217;t like being without it. This time last year I had jumped in a pool with my iPhone and it was dead. I had to wait 9 days before I was able to purchase a new one. The phone I had was a cheap go phone. I really love all the apps that can be downloaded to the iPhone. The best part about the iPhone to me is the ability to check emails on the fly. Thanks for the information.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Wilda Cassone</title>
		<link>http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption/comment-page-1#comment-41572</link>
		<dc:creator>Wilda Cassone</dc:creator>
		<pubDate>Wed, 30 Jun 2010 14:29:11 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=1120#comment-41572</guid>
		<description>w00t ! That&#039;s Huge ! Thanks a lot cool share !</description>
		<content:encoded><![CDATA[<p>w00t ! That&#8217;s Huge ! Thanks a lot cool share !</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Larry</title>
		<link>http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption/comment-page-1#comment-14377</link>
		<dc:creator>Larry</dc:creator>
		<pubDate>Thu, 23 Jul 2009 01:58:42 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=1120#comment-14377</guid>
		<description>http://www.iphoneinsecurity.com/

July 14, 2009: Seven Deadly iPhone Sins: What Every Enterprise Should Know
With buzzwords like, &quot;hardware encryption&quot; and &quot;remote wipe&quot;, many enterprises have been misled into believing that the iPhone 3G[s] is secure enough to store confidential correspondence or other information. Apple is no doubt pushing the enterprise market, but is the iPhone truly secure enough?

While this subject truly warrants a complete white paper, take the following points into consideration. The following apply not only to the iPhone 3G[s], but also to earlier generation devices. Here are the top seven things every enterprise should know about the iPhone:

1. The 3G[s] passcode and encrypted backup password can easily be bypassed in about 30 seconds. This allows an identity thief who gains physical access to the device (for only a short time) to not only access the 3G[s], but to sync an unencrypted copy of its data through iTunes, creating a copy of the owner&#039;s contacts, correspondence, photos, and other valuable data. If it can be synced with iTunes, it can be stolen in a very short period of time.

2. The 3G[s] promised hardware encryption, but this hardware encryption does not protect the information on the iPhone from an information thief. The operating system needs to automatically decrypt the iPhone&#039;s disk in order to boot, allowing anyone with the right know-how to easily acquire all of the data - including deleted data - on the device, bypassing any encryption. In fact, the only useful benefit for hardware encryption thus far has been the ability to quickly format the device, discussed next.

3. Remote wipe and &quot;LocateMe&quot; features can easily be disabled by simply removing the SIM card. Any semi-intelligent thief looking to steal information from your corporate handsets can easily shut these features down within seconds, armed with only a paper clip.

4. If your device is stolen, not only is the iPhone&#039;s live information exposed, but also all of the deleted information on the device. Because the iPhone has such a large storage capacity, it can take six months or more to cycle through deleted data. The hardware itself is designed to minimize writing to the same place on disk, leaving a wealth of deleted data for an information thief.

5. The iPhone OS has a built-in keyboard &quot;logger&quot; which logs nearly everything you type into the device&#039;s keyboard to auto-learn the owner&#039;s typing habits. As a result, endless logs of data are being created containing information typed in by the user. Even fields with auto-correction turned off have been seen to have some of the data entered in them stored in this cache.

6. Every time your employee pushes the home button, the iPhone snaps a screenshot of the last thing they were doing. This is done for most built-in applications such as Mail and Safari, and has been observed for many third party applications as well. A large collection of screenshots of &quot;the last thing&quot; your employee was looking at are being stored on the device, exposing screenshots of potentially confidential information to anyone with the right know-how.

7. There is a wealth of information stored on the device that most users don&#039;t even realize is there. Information about your last GPS positions, which wireless networks you&#039;ve joined and where, your search unread voicemail, and much more. Anything that goes through the iPhone is indefinitely stored on the iPhone.

Consider the risk to your enterprise should the confidential information on corporate iPhones be stolen. The iPhone is about the size of a small laptop disk drive, and is about as easy to copy information from should a thief steal or &quot;borrow&quot; it without your knowledge.</description>
		<content:encoded><![CDATA[<p><a href="http://www.iphoneinsecurity.com/" rel="nofollow">http://www.iphoneinsecurity.com/</a></p>
<p>July 14, 2009: Seven Deadly iPhone Sins: What Every Enterprise Should Know<br />
With buzzwords like, &#8220;hardware encryption&#8221; and &#8220;remote wipe&#8221;, many enterprises have been misled into believing that the iPhone 3G[s] is secure enough to store confidential correspondence or other information. Apple is no doubt pushing the enterprise market, but is the iPhone truly secure enough?</p>
<p>While this subject truly warrants a complete white paper, take the following points into consideration. The following apply not only to the iPhone 3G[s], but also to earlier generation devices. Here are the top seven things every enterprise should know about the iPhone:</p>
<p>1. The 3G[s] passcode and encrypted backup password can easily be bypassed in about 30 seconds. This allows an identity thief who gains physical access to the device (for only a short time) to not only access the 3G[s], but to sync an unencrypted copy of its data through iTunes, creating a copy of the owner&#8217;s contacts, correspondence, photos, and other valuable data. If it can be synced with iTunes, it can be stolen in a very short period of time.</p>
<p>2. The 3G[s] promised hardware encryption, but this hardware encryption does not protect the information on the iPhone from an information thief. The operating system needs to automatically decrypt the iPhone&#8217;s disk in order to boot, allowing anyone with the right know-how to easily acquire all of the data &#8211; including deleted data &#8211; on the device, bypassing any encryption. In fact, the only useful benefit for hardware encryption thus far has been the ability to quickly format the device, discussed next.</p>
<p>3. Remote wipe and &#8220;LocateMe&#8221; features can easily be disabled by simply removing the SIM card. Any semi-intelligent thief looking to steal information from your corporate handsets can easily shut these features down within seconds, armed with only a paper clip.</p>
<p>4. If your device is stolen, not only is the iPhone&#8217;s live information exposed, but also all of the deleted information on the device. Because the iPhone has such a large storage capacity, it can take six months or more to cycle through deleted data. The hardware itself is designed to minimize writing to the same place on disk, leaving a wealth of deleted data for an information thief.</p>
<p>5. The iPhone OS has a built-in keyboard &#8220;logger&#8221; which logs nearly everything you type into the device&#8217;s keyboard to auto-learn the owner&#8217;s typing habits. As a result, endless logs of data are being created containing information typed in by the user. Even fields with auto-correction turned off have been seen to have some of the data entered in them stored in this cache.</p>
<p>6. Every time your employee pushes the home button, the iPhone snaps a screenshot of the last thing they were doing. This is done for most built-in applications such as Mail and Safari, and has been observed for many third party applications as well. A large collection of screenshots of &#8220;the last thing&#8221; your employee was looking at are being stored on the device, exposing screenshots of potentially confidential information to anyone with the right know-how.</p>
<p>7. There is a wealth of information stored on the device that most users don&#8217;t even realize is there. Information about your last GPS positions, which wireless networks you&#8217;ve joined and where, your search unread voicemail, and much more. Anything that goes through the iPhone is indefinitely stored on the iPhone.</p>
<p>Consider the risk to your enterprise should the confidential information on corporate iPhones be stolen. The iPhone is about the size of a small laptop disk drive, and is about as easy to copy information from should a thief steal or &#8220;borrow&#8221; it without your knowledge.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Top 3 NoVA Infosec Blog Posts of the Week &#124; NovaInfosecPortal.com</title>
		<link>http://securitymusings.com/article/1120/iphone-3g-s-hardware-encryption/comment-page-1#comment-11928</link>
		<dc:creator>Top 3 NoVA Infosec Blog Posts of the Week &#124; NovaInfosecPortal.com</dc:creator>
		<pubDate>Mon, 15 Jun 2009 15:01:49 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=1120#comment-11928</guid>
		<description>[...] #3 - iPhone Security: This week, @geminisecurity wrote an interesting post entitled &#8220;iPhone 3G S - Hardware Encryption?&#8221; that discussed—you guessed it—whether or not the iPhone 3G S will really be as secure as Apple claims. Trying to get to the bottom of just how secure the iPhone 3G S will be, @geminisecurity did a bit of research and found&#8230; well, not much really. As they point out in their post, &#8220;mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this &#8216;hardware encryption.&#8217;&#8221; Listing all of the different things they found about the iPhone 3G S&#8217;s security (or lack thereof), @geminisecurity did an excellent job of explaining what each claim meant, and why they&#8217;re still too vague to mean much of anything. Closing their post with &#8220;[i]s this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board,&#8221;  this post is definitely one that you should check out for yourself. [...]</description>
		<content:encoded><![CDATA[<p>[...] #3 &#8211; iPhone Security: This week, @geminisecurity wrote an interesting post entitled &#8220;iPhone 3G S &#8211; Hardware Encryption?&#8221; that discussed—you guessed it—whether or not the iPhone 3G S will really be as secure as Apple claims. Trying to get to the bottom of just how secure the iPhone 3G S will be, @geminisecurity did a bit of research and found&#8230; well, not much really. As they point out in their post, &#8220;mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this &#8216;hardware encryption.&#8217;&#8221; Listing all of the different things they found about the iPhone 3G S&#8217;s security (or lack thereof), @geminisecurity did an excellent job of explaining what each claim meant, and why they&#8217;re still too vague to mean much of anything. Closing their post with &#8220;[i]s this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board,&#8221;  this post is definitely one that you should check out for yourself. [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>

