Daniel Eran Dilger

Reality Check: iPhone OS data protection flaw


Two researchers, Bernd Marienfeldt and Jim Herbeck, have detailed the ability to mount the iPhone 3GS and access its data even while a PIN code is set and active. That is a flaw, but the people covering this news are only interested in sensationalism, so here’s some context.

iPhone 3GS and encrypted wipe

The iPhone 3GS, unlike earlier iPhone models, supports data hardware encryption that enables it to support instantaneous remote wipe. On earlier iPhones, and many competing smartphones (Palm Pre, Android phones), data is stored without any hardware encryption.

This leaves these earlier models unsupported by Exchange Server’s default security policy, which demands hardware encryption. The iPhone 3GS’ hardware encryption also enables the phone to immediately wipe itself after receiving an appropriate remote wipe message from an Exchange Server management console or from MobileMe, sent by the user. Note that neither Apple nor a nefarious hacker can wipe your phone without your knowing it, because to wipe it the phone must be authenticated with a network account such as Exchange or MobileMe.

Remote wipe is handled by the phone itself. Previous devices (such as the original iPhone and 3G) can wipe their local data clean, but must actually zero out all the data on the device, which takes some time to do. With an encrypted data store, the iPhone 3GS can wipe its data immediately without having to sequentially zero all the data.
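As an added illustration (not code from the article, and not Apple's implementation), here is a toy model of the encrypted wipe described above and of the mount check the researchers found missing. The SHA-256 counter-mode keystream stands in for the device's AES engine, and the flash/key-slot layout is an assumption made for the demo, not Apple's design.

```python
import hashlib
import os
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. A stand-in for the device's AES
    engine so the demo runs with the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedStore:
    """Hypothetical phone: flash holds only ciphertext, encrypted under a
    per-device key kept in a small, separately erasable key slot."""

    def __init__(self, size: int):
        self.flash = bytearray(size)            # ciphertext only
        self.key_slot = bytearray(os.urandom(32))
        self.locked = True                      # passcode state

    def store(self, plaintext: bytes) -> None:
        ks = keystream(bytes(self.key_slot), len(plaintext))
        self.flash[:len(plaintext)] = bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt(self, length: int) -> bytes:
        ks = keystream(bytes(self.key_slot), length)
        return bytes(c ^ k for c, k in zip(self.flash[:length], ks))

    def zero_wipe(self) -> int:
        """Pre-3GS style wipe: overwrite every byte of flash. Returns bytes
        touched, which grows with the size of the store."""
        for i in range(len(self.flash)):
            self.flash[i] = 0
        return len(self.flash)

    def crypto_wipe(self) -> int:
        """Encrypted wipe: destroy only the key. Returns bytes touched, which
        is the key slot size regardless of how much data is stored."""
        for i in range(len(self.key_slot)):
            self.key_slot[i] = 0
        return len(self.key_slot)

    def mount(self, length: int, check_lock: bool = True) -> Optional[bytes]:
        """What a host sees on USB mount. check_lock=False models the reported
        bug: the device decrypts for the host without the passcode."""
        if check_lock and self.locked:
            return None
        return self.decrypt(length)
```

After `crypto_wipe()` the ciphertext is still physically present but decrypts to noise, which is why the wipe can be instantaneous.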

Today’s Android phones can’t wipe themselves at all. That’s a software feature in the upcoming Android 2.2, but many Android users won’t get that update anytime soon, if at all. Even those phones that can upgrade still won’t support hardware encryption, so they can’t ever pass the security credentials of Exchange nor support immediate wipe, putting them on the level of the 2008 iPhone 3G.

Encryption isn’t unbreakable

Apple’s hardware encryption on the iPhone 3GS isn’t marketed as being a flawless lockbox of data, and customers should understand that, as with any computing device, if somebody possesses a device with both stored data and the keys to access that data, they can eventually get to the data on it. The failed history of attempts at creating impenetrable DRM illustrates this.

Setting a pin only slows down a malicious thief. A better strategy at securing data on mobile devices is to enable the ability for the device to self-destruct and wipe its data clean before anyone malicious can actually get to it. That’s what remote wipe does, and hardware encryption enables the device to simply wipe itself faster.

Thus, when the prototype iPhone was stolen, Apple could wipe the device before anyone could spy out its installed software or data. Had the thief known to immediately take the device off the network, a remote wipe could not have been performed. In that scenario, you’ll need a feature the iPhone OS doesn’t yet offer: the ability to self-destruct after the PIN has been entered wrong too many times in a row. This is something BlackBerry phones can do. (Readers point out that there actually is a setting to wipe the iPhone after too many false PIN logins, under Settings > General > Passcode Lock > Erase Data).

The discovered flaw

What the researchers found was that if you plug an iPhone 3GS into certain new Linux machines, the device will mount even with the PIN code set. That’s not supposed to happen, and is a flaw. A locked iPhone should refuse to mount without authentication, rather than just showing up on the desktop as if it were a brainless hard drive or SD Card.

Ironically, the discovery was made and reported in the midst of an article complaining that Apple exercised too much control over the iPhone. It described Apple’s cryptographic signatures on apps as a “restriction” that the researchers seem to advocate “overcoming” by jailbreaking the device, which removes its security model and exposes it to threats from viruses and worms. They also complain that there’s no antivirus built in, and that jailbreaking would invent a need for this.

Realistically, if you’ve lost your phone, the best you can do is try to wipe it before the thief begins their attempts to access your data. If you don’t have a PIN set, you have no security at all. If you have MobileMe, you can attempt to remotely lock the device and/or remotely wipe it, but a knowledgeable thief could also strip your MobileMe account settings, beating you to the punch.

If you have a PIN set, you have some degree of security, although a knowledgeable person could access the data using the mounting process the researchers described, even with hardware encryption in place. Basically, the iPhone just decrypts its own encrypted data for the mounted computer, which it’s not supposed to do. Again, this puts the iPhone 3GS at the level of Palm and Android phones or earlier iPhone 3G devices, at least when in the hands of experts.

iPhone business security framework « Bernd Marienfeldt

Security in context

In reality however, Palm, Android, BlackBerry and Windows Mobile devices are typically even less secure because they store all their content on SD Cards, which can be immediately removed from the device and mounted, not by the phone and its security model, but by a generic card reader. Android doesn’t encrypt users’ data on SD Cards, nor does it encrypt any data on the device.

The excitement about the iPhone 3GS’ failure to authenticate the mounting PC when it is directly attached, providing malicious thieves with access to your photos and game data, is therefore mostly something for Apple-haters to crow about, not a significant security issue that is relevant to the millions of iPhone users who don’t even bother to lock their phones.

Realistically, the fact that you can remotely lock and wipe an iPhone if you have MobileMe makes it far more secure for consumers than comparable smartphones, particularly those with SD Cards. But security is not binary; how you use your phone stacks up into layers of security vulnerabilities that make such exploits more useful for sensationalized reporting than for buying decisions.

Security: iPhone vs Android

If you’re worried about European hackers stealing your mobile phone photos, you can panic about the iPhone 3GS, or you can be glad you don’t have an Android device that a 10-year-old child could hack by simply taking your SD Card out when you’re not looking.

Good luck trying to log into the nonexistent MobileMe-type service for Android and attempting to lock or wipe your stolen SD Card at that point.

Android is security-free in so many respects that it makes security attack reports on the iPhone appear to be completely ridiculous. Android is comparable security-wise to an iPhone that has been jailbroken to remove its security system.

What Apple needs to do for users

Apple can address the mounting issue via a software update. All of the Palm and Android phones ever sold will never be able to be secured from the (completely taboo to even mention) gaping security hole that is SD Cards, nor can they be accorded hardware encryption via an update, nor can they be supported by the standard security policy of Exchange Server nor be remotely wiped by an administrator at your request (or by yourself via your MobileMe account).

So anyone speaking of this as an extremely serious security problem really only identifies themselves as being removed from reality and speaking without any context of how other phones stack up in terms of their relative security.

At the same time, Apple should make it clearer what exactly is secured by hardware encryption on the iPhone, what users can expect after losing a phone with a PIN set, and how to secure and wipe data after a device has been lost. So far, the company seems to be content simply talking about security issues in rather nebulous marketing speak. It needs to do better than that.

  • Myaushka

    Not a flaw – it’s a bug/defect. What Apple should do is fix the bug.

  • Chris

    In that scenario, you’ll need a feature the iPhone OS doesn’t yet offer: the ability to self-destruct after the PIN has been entered wrong too many times in a row. This is something BlackBerry phones can do.

    Since version 2.1 the iPhone OS offers the option to wipe the device after 10 failed passcode attempts. But the way it’s implemented, it’s not really a viable method to secure your data against some even moderately skilled hacker. Until it really wipes the data, it will lock the phone down for 5 min and later 60 min, thus providing clues to even the less skilled that they had better google for another way to get to the data.

  • gmp5

    The iPhone can wipe itself if the PIN is entered incorrectly too many times. Look in the Passcode settings. The last entry is “Erase Data” and its description is “Erase all data on this iPhone after 10 failed passcode attempts.”

  • reddot

    The new Palm devices (Pre / Pixi) don’t take SD cards. The old Treos and their WinMo devices did though.

  • http://berendschotanus.com Berend Schotanus

    Good clarification. You are perfectly right Android and iPhone are measured against different standards and this issue has been way exaggerated.

  • gus2000

    Thanks, Daniel, I keep forgetting that most of the iPhone comparisons are made to unshipped, future-planned, no-release-date-yet devices and software. The iPhone stacks up pretty well to what’s currently on the shelves.

    Many bloggers were panning the iPad based on Courier, which is now such a lark that even Microsoft doesn’t fantasize about it anymore. And, where’s that HP Slate, again? JooJoo, where are you?

  • sprockkets

    And only a specific version of Linux can mount the device properly too. Why? Who knows yet.

  • Chris

    And only a specific version of Linux can mount the device properly too. Why? Who knows yet.

    It works with Windows as well (and people got access to even more data than on Linux).
    Apparently it happens if you sleep your iPhone when it’s unlocked. On wake, it restores the unlocked state for a short while until it gets locked by the springboard. If the iPhone is paired during that short interval, it will stay open. So Apple needs to fix the sleep mode / wake-up.

  • http://www.austinsteele.blogspot.com bOMBfACTORY

    Hi Dan – it’s amazing what keeps the techtard media awake at night, isn’t it? Realistically, if I lost my iPhone, what are the chances a well-informed cell phone hacker would be the one to find it? More likely, your typical finders-keepers opportunist is apt to just erase what’s on it and sell it on Craig’s List. It’s not like I have the plans for the Rebel assault on the Death Star stored on it anyway. Besides, the next iPhone OS update will make this a non-issue before 99% of iPhone users even know about it. Bring on the next imagined crisis!

  • harrywolf

    @bombfactory – exactly!
    No-one is carrying important stuff, for the most part. Maybe your bank access on the web, but then you will still need the password.
    Anyway, if you lose your phone, just call the bank.

    Lost phone, found by crook, sold on craigslist or ebay is the 99% scenario.
    Lose your credit cards, bank cards, car keys, etc. All security issues that have some solution, but often not perfect.

    Life isn’t perfect – who knew?

  • kdaeseok

    Security aside, that certain Linux, Ubuntu 10.4, is just great! Currently using 5 OSs (Windows XP, 7, Mac OS X Leopard, Puppy Linux, and Ubuntu) and Ubuntu is definitely the best of the lot, and now you can mount your iPhone without entering the PIN each time. It’s free (like all other Linuxes) so have a go.
    Come to think of the security, I don’t think it matters much: lost your phone and the thief will have a look at the pics of your daughter or read some of the stored emails, and get to know your mother’s mobile number and address. What’s the big deal? I don’t think these are serious. You carry a lot of things with your smartphone, so if you lose it you lose them, simple as that.
    Probably not a good idea to leave anything business-related on the iPhone or any other smartphone though.

  • dnil8r

    @bombfactory- the funny statement about the rebel assault.

    @Dan – i’m surprised you forgot about the data erase feature of the iphone. As you said its not perfect but it is something.

  • Snadert

    With a headline such as ‘Encryption isn’t unbreakable’ and an explanation like ‘if somebody possesses a device with both stored data and the keys to access that data, they can eventually get to the data on it’, isn’t that obvious? If you have the keys of the safe, you can open it. It does not explain the headline. AES security (I don’t know if Apple uses it), in fact, the Rijndael algorithm can withstand ANY attempt of decryption WITHOUT the key.

  • jinxjab

    Thanks Dan, I was waiting for your point of view.
    There are heavy IT solutions for WinMob6:
    Features:
    “ * Implement push mail functions securely
    * Secure terminal data (PIM base and all terminal files) with a proven encryption algorithm: AES256.
    * Secure SD providing for the secure increase memory capacity of the mobile devices
    * Synchronise any company data through a VPN tunnel
    * Check Bluetooth, Infrared and USB ports and reroute web streams via the VPN ”

    Don’t ask me how I know this solution blows away your battery life and slows down the device dramatically (plus it doesn’t work on every WM6 device).
    Great crypto means great CPU.
    I suppose Apple doesn’t increase their crypto engine like this, because of some lack of performance.
    I understand that there is an API for that in iPhoneOS4, but this is an API from a US company. Others (governments and companies except US) don’t use crypto technology made by another country, and I agree. (Don’t know if there is a backdoor.) This is the reason why iPhoneOS can’t be used in many European companies. “That pisses me off!”
    Opinion: I don’t care, there’s no ultimate protection (maybe if I’m alone on earth). As soon as a malicious guy gets my iPhone in his hand, it is too late. It’s all about time, whatever the shield is. Yes, the best is: wipe data over the air (ASAP).

    A French reader.

  • kdaeseok

    And I… don’t think this should be about Android vs iPhone. The iPhone’s advertised as one of the most secure mobile phones, and this bug is exactly the opposite. Y’know, after all Ubuntu’s a free OS that’s just downloadable from the internet.
    Some may save their important data on the mobile believing in Apple (or in their words), so the whole discussion about ‘iPhone still better secured than Androids’ sounds a bit vain, because the problem is not about that.
    Anyway, hopefully Apple will react to this quickly and release patches.

  • tonortall

    How does hardware encryption make destroying the data quicker?

  • kdaeseok

    tonortall// the encrypted data is useless without the key. By dropping the key, it works just like wiping the whole data. If the data is not encrypted, each and every byte should be zeroed in order to properly delete the whole data.

    This time the ‘hole’ is that the iPhone decrypts the data for you even without the PIN. So assuming someone took your phone not for the device itself but for getting your info, there’s practically no way to stop it. Turning off the phone or taking out the SIM card would block any remote wiping attempts. As soon as the iPhone is connected to the computer (with Ubuntu) it will give read/write rights to the user.

  • tonortall

    That being the case (the data being useless without the key), half the premise of the article disappears. Daniel already admits that all bets are off if you have the device physically. What’s to stop a brute force attack on the encrypted data? If you have the device, you have all the time in the world.

  • airmanchairman

    Am I wrong in gathering that this “hack” (or more accurately, bug) only provides READ access to stored MEDIA (e.g. music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents, app purchases) and not anything encrypted?

    Obviously further work is ongoing to try and get read/write access which will enable the sending of emails, SMS and voice calls to stored contacts, but that is not the case as yet.

  • airmanchairman

    Wow, it gets even easier using Windows:
    “While with Linux only a few selected folders on the iPhone were displayed, Windows allowed full system access. For instance, it was no problem to create a complete backup using iTunes, including items such as notes, text messages and even plain text passwords.”

    Apple engineers have been working furiously in the background, but news of a fix is yet to be announced.

    An interim workaround prior to a fix being implemented involves:
    1. Shut down your iPhone only in the locked state and keep it in locked state when not in use.
    2. Always use the “encryption” feature with iTunes for your Backups. Ha! This would forestall the hack almost for sure…

  • kdaeseok

    airmanchairman// you’re confused with the other hack…
    This time, it doesn’t matter if the iPhone was turned off at the locked state or not. You just connect your powered-off iPhone to the Ubuntu 10.4, and you get full read&write access. PIN or encryption doesn’t help.
    To put it simply, until Apple releases the patch it’s pretty vulnerable now.

  • konker

    Daniel, you said “In reality however, Palm, Android, BlackBerry and Windows Mobile devices are typically even less secure because they store all their content on SD Cards”
    Which version of Windows Mobile were you referring to?
    From my years of using WinMo, ALL PIM & email data are stored on the device RAM or ROM & NEVER in the removable storage memory. Other contents can be stored on this removable storage memory (even email attachments, but not as a system default storage location), but there are also abundant solutions available to securely store those without ever being able to access the contents in the encrypted containers. From WinMo 5.0 onwards, even the basic Storage Card encryption feature would render all data on this removable storage memory unusable when plugged into another phone or computer, as the encryption key stays in the phone.
    Please clarify your statement as it is very misleading without considering the facts.

    [I disagree – Dan]

  • konker

    Would you care to comment on why you disagreed?