Wired.com talks to Jonathan Zdziarski, iPhone developer, hacker, forensics teacher, finder of the iPhone kill switch, creator of the AMBER alert app, about the iPhone 3GS‘ new hardware encryption, recently touted as giving consumers “enterprise-class” security. His take? It’s implemented so poorly it can be cracked in two minutes, “like storing all your secret messages right next to the secret decoder ring”.
To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install an Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.
We’ve heard before that Jailbreaking strips away security layers on the iPhone, though that’s been in the context of the users own device. This is using the Jailbreak process to actively get at another device’s data.
Is Apple going to change the way they implement their hardware-based iPhone 3GS encryption in light of this? Can the current model be made more robust? And what, if any, changes made to keep bad guys out of the iPhone will effect users who simply want to gain access to their own iPhones?
[Thanks to Antony for the tip!]
TidBITS has an interesting write-up on the various security features of iPhone 3.0 in general, and the 256-bit AES hardware encryption of iPhone 3GS in particular, and how combined together:
consumers can now experience enterprise-class security.
They cover passcode lock, data erase, remote wipe, lack of insecure external data cards, frequent and easy to install software updates/security patches, and (encrypted) backups that can restore your data if your device is accidentally wiped. Definitely worth a read if you tend towards the security conscious.
iPhone OS 3.0 is the gift that just keeps on giving, this time revealing features in iTunes 8.1 we hadn’t seen before. Now, when you hook an iPhone running the 3.0 beta 1 software up, under the Summary tab you have a new option: Encrypt iPhone backup.
Checking off the option opens a pop-up window for you to enter your password.
We’re not sure yet what form of encryption Apple is using, though the Steve Gibson is us hopes it’s something with a really, really strong security focus. Especially for those in enterprise or government who might have a need for it.
(And when the time comes, using a really gnarly password like the kind GRC.com’s perfect passwords generates would be a great idea for the truly security conscious.)
