My Vice President, John Simek, has been foaming at the mouth about the iPhone's lack of real security. He finally got agitated enough to write a post for me. So if you've implemented the iPhone in a business environment... read on.
The words iPhone and security do not belong in the same sentence, although you would never know it from the Apple marketing blitz. Some of the advertised features of the iPhone 3GS are the inclusion of encryption and remote wipe functions. As most folks know, encryption is a killer for computer forensic examiners and a fine way to protect your data. So what does encryption do for the 3GS? Not a heck of a lot. From my foxhole, it appears that encryption was an afterthought and not inherent in the iPhone design. The iPhone is feature rich and has lots of consumer appeal – but secure? Nope.
So if the 3GS is encrypted, how can we get to the user’s data? Jonathan Zdziarski has demonstrated how easy it is to gain access to a supposedly secure iPhone 3GS. Should we believe him? I certainly do, especially since I own his book on iPhone forensics and have personally seen the mountains and mountains of electronic evidence that is stored on an iPhone. The key to gaining access to the data is to extract a disk image from the device. First you “jailbreak” the phone by placing it into recovery mode and installing a custom RAM disk on the iPhone. Jonathan mentions that the tools are only available to law enforcement (nice thought, but not so), but also acknowledges that it is fairly simple to develop your own. Several products like Red Sn0w and Purple Ra1n are freely available to “jailbreak” the phone. You then install a Secure Shell (SSH) client and transfer the raw disk image onto your computer.
Those of us in the forensic community know that sucking a disk image from an encrypted drive to a destination drive just gets you another encrypted image which is no earthly good to you. What makes the iPhone 3GS any different? This is the part where Apple is so very, very helpful. Even though the data on the iPhone disk is stored in an encrypted form, the iPhone actually decrypts the data as it feeds the zeros and ones through the SSH connection. You call that security? What genius at Apple came up with that one?
Just as Billy Mays would say, “But wait… it gets even better.” In order to secure your iPhone, make sure you configure an unlock code. Then again, tsk, tsk, tsk, perhaps you shouldn’t waste your time. Jonathan has another demo where he replaces the passcode file with one that contains a blank password, effectively removing the unlock code. How is this possible? As in the previous explanation, putting the iPhone into recovery mode doesn’t require the passcode. What a great design. As I said before, security appears to have been a complete afterthought to the phone’s developers. Don’t they test these things? Geez.
So let’s summarize. The iPhone encryption is a non-starter and accessing the device is child’s play even if it is password protected. Now, granted, in both cases you have to have physical access to the device. And no one ever loses their phone, right?
Apple says losing your phone is not a problem. If you leave your iPhone in the back seat of a taxi, you just use the remote wipe feature to “kill” all of the personal data. Alas and alack, there’s a problem with that too. Apparently, the remote wipe feature requires that the iPhone be connected to the cellular network. Oh, my. The last I checked, removing the SIM card or placing the phone in a Faraday box would solve the network connection problem. Take the phone off the cellular network and you can take all day to retrieve the disk image (in an unencrypted form) from the iPhone 3GS. Again, what a crude design. Seriously, Apple (like Ricky Ricardo) has a lot of 'splaining to do. Even Microsoft (and yes, it hurts to say something nice about Microsoft) has a secure remote wipe function with Windows Mobile that actually works. When you establish a security policy for Windows Mobile, the device does not have to be on the network to destroy the data. Define the number of invalid PIN attempts before the wiping begins and the personal data is gone, network or no network.
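The Windows Mobile local-wipe policy described above, as an added example that is not part of the original post: it assumes the policy is pushed to the device through an Exchange ActiveSync mailbox policy (the post does not name the mechanism), and the policy names, user alias and thresholds are made up for illustration.

```powershell
# Added example, not from the original post. Run from the Exchange Management Shell.
# Assumed: policies are delivered via Exchange ActiveSync; the policy names,
# the user alias "jdoe" and the thresholds below are made up.

# Weak policy: no PIN required, unlimited unlock attempts, and devices that
# cannot enforce policy are still allowed to sync. Only a network-dependent
# remote wipe could ever clear a lost device.
New-ActiveSyncMailboxPolicy -Name "Example-Weak" `
    -DevicePasswordEnabled $false `
    -MaxDevicePasswordFailedAttempts Unlimited `
    -AllowNonProvisionableDevices $true

# Hardened policy: require a PIN, lock after 5 minutes idle, and have the
# device wipe itself after 10 bad PINs whether or not it is on the network.
New-ActiveSyncMailboxPolicy -Name "Example-LocalWipe" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false   # refuse devices that will not enforce the policy

# Assign the hardened policy to a (made-up) user's mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Example-LocalWipe"

# Check that the wipe threshold and the provisioning requirement actually applied.
Get-ActiveSyncMailboxPolicy -Identity "Example-LocalWipe" |
    Select-Object Name, DevicePasswordEnabled, MaxDevicePasswordFailedAttempts, AllowNonProvisionableDevices
```

The local wipe only protects a device that honors the policy, which is why the hardened version refuses non-provisionable devices instead of silently syncing them.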
Bottom line…I love the iPhone. Not because of its technical superiority, but because its design gives us access to more electronic evidence than any other phone we’ve ever seen. Keep up the good work Apple. We now believe you when you say the ‘S’ in 3GS stands for speed and not security. If you’ve implemented the iPhone (which is clearly a consumer phone and NOT an enterprise phone as currently designed), you’ve hung yourself out to dry if a phone “goes missing” with confidential data.
Pass this one around to the IT and security folks – and Apple, are you listening? We’d love to print your response.
E-mail: [email protected] Phone: 703-359-0700