Reality Check: iPhone OS data protection flaw
June 2nd, 2010
Daniel Eran Dilger
Two researchers, Bernd Marienfeldt and Jim Herbeck, have detailed the ability to mount the iPhone 3GS and access its data even while a pin code is set and active. That is a flaw, but the people covering this news are only interested in sensationalism, so here’s some context.
iPhone 3GS and encrypted wipe
The iPhone 3GS, unlike earlier iPhone models, supports data hardware encryption that enables it to support instantaneous remote wipe. On earlier iPhones, and many competing smartphones (Palm Pre, Android phones), data is stored without any hardware encryption.
This leaves these earlier models unsupported by Exchange Server’s default security policy, which demands hardware encryption. The iPhone 3GS’ hardware encryption also enables the phone to immediately wipe itself after receiving an appropriate remote wipe message from an Exchange Server management console or from MobileMe, sent by the user. Note that neither Apple nor a nefarious hacker can wipe your phone without your knowing it, because to wipe it the phone must be authenticated with a network account such as Exchange or MobileMe.
Remote wipe is handled by the phone itself. Previous devices (such as the original iPhone and 3G) can wipe their local data clean, but must actually zero out all the data on the device, which takes some time to do. With an encrypted data store, the iPhone 3GS can wipe its data immediately without having to sequentially zero all the data.
Today’s Android phones can’t wipe themselves at all. That’s a software feature in the upcoming Android 2.2, but many Android users won’t get that update anytime soon, if at all. Even those phones that can upgrade still won’t support hardware encryption, so they can’t ever pass the security credentials of Exchange nor support immediate wipe, putting them on the level of the 2008 iPhone 3G.
Encryption isn’t unbreakable
Apple’s hardware encryption on the iPhone 3GS isn’t marketed as being a flawless lockbox of data, and customers should understand that, as with any computing device, if somebody possesses a device with both stored data and the keys to access that data, they can eventually get to the data on it. The failed history of attempts at creating impenetrable DRM illustrates this.
Setting a PIN only slows down a malicious thief. A better strategy for securing data on mobile devices is to enable the ability for the device to self-destruct and wipe its data clean before anyone malicious can actually get to it. That’s what remote wipe does, and hardware encryption enables the device to simply wipe itself faster.
Thus, when the prototype iPhone was stolen, Apple could wipe the device before anyone could spy out its installed software or data. Had the thief known to immediately take the device off the network, a remote wipe could not have been performed. In that scenario, you’ll need a feature the iPhone OS doesn’t yet offer: the ability to self-destruct after the PIN has been entered wrong too many times in a row. This is something BlackBerry phones can do. (Readers point out that there actually is a setting to wipe the iPhone after too many false PIN logins, under Settings > General > Passcode Lock > Erase Data).
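As an added illustration of the crypto-erase mechanism described above (not code from the original article or from Apple): a simplified Go model in which every record is sealed under one in-memory volume key, so a remote or failed-PIN wipe need only destroy 32 bytes of key, while a device without encryption must overwrite every stored byte. The Device type, its methods and the sample records are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Device is a simplified model (not Apple's implementation) of an encrypted
// store: AES-256-GCM records under one volume key held only in device memory.
type Device struct {
	key     []byte      // 32-byte volume key; zeroed and dropped on wipe
	gcm     cipher.AEAD // key schedule derived from key; dropped on wipe
	records [][]byte    // nonce||ciphertext per record, standing in for flash
}

// NewDevice generates a random volume key and seals each record under it.
func NewDevice(plaintexts ...[]byte) *Device {
	d := &Device{key: make([]byte, 32)}
	rand.Read(d.key)
	block, _ := aes.NewCipher(d.key) // a 32-byte key never errors
	d.gcm, _ = cipher.NewGCM(block)
	for _, p := range plaintexts {
		nonce := make([]byte, d.gcm.NonceSize())
		rand.Read(nonce)
		d.records = append(d.records, d.gcm.Seal(nonce, nonce, p, nil))
	}
	return d
}

// Read decrypts record i; it must fail once the key is gone.
func (d *Device) Read(i int) ([]byte, error) {
	if d.gcm == nil {
		return nil, errors.New("volume key destroyed: data unrecoverable")
	}
	c, n := d.records[i], d.gcm.NonceSize()
	return d.gcm.Open(nil, c[:n], c[n:], nil)
}

// CryptoWipe is the instantaneous wipe: overwrite and forget only the key.
// Returns bytes overwritten: 32, however much data is stored.
func (d *Device) CryptoWipe() int {
	n := copy(d.key, make([]byte, len(d.key)))
	d.key, d.gcm = nil, nil
	return n
}

// ZeroWipe is the slow path an unencrypted device needs: overwrite every record.
func (d *Device) ZeroWipe() (n int) {
	for _, r := range d.records {
		n += copy(r, make([]byte, len(r)))
	}
	return n
}
```

After CryptoWipe the ciphertext is still physically present, which is why the model also forgets the key schedule: anything that retains a copy of the key defeats the wipe.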
The discovered flaw
What the researchers found was that if you plug an iPhone 3GS into certain new Linux machines, the device will mount even with the PIN code set. That’s not supposed to happen, and is a flaw. A locked iPhone should refuse to mount without authentication, rather than just showing up on the desktop as if it were a brainless hard drive or SD Card.
Ironically, the discovery was made and reported in the midst of an article complaining that Apple exercised too much control over the iPhone. It described Apple’s cryptographic signatures on apps as a “restriction” that the researchers seem to advocate “overcoming” by jailbreaking the device, which removes its security model and exposes it to threats from viruses and worms. They also complain that there’s no antivirus built in, and that jailbreaking would invent a need for this.
Realistically, if you’ve lost your phone, the best you can do is try to wipe it before the thief begins their attempts to access your data. If you don’t have a PIN set, you have no security at all. If you have MobileMe, you can attempt to remotely lock the device and/or remotely wipe it, but a knowledgeable thief could also strip your MobileMe account settings, beating you to the punch.
If you have a PIN set, you have some degree of security, although a knowledgeable person could access the data using the mounting process the researchers described, even with hardware encryption in place. Basically, the iPhone just decrypts its own encrypted data for the mounted computer, which it’s not supposed to do. Again, this puts the iPhone 3GS at the level of Palm and Android phones or earlier iPhone 3G devices, at least when in the hands of experts.
Security in context
In reality, however, Palm, Android, BlackBerry and Windows Mobile devices are typically even less secure because they store all their content on SD Cards, which can be immediately removed from the device and mounted, not by the phone and its security model, but by a generic card reader. Android doesn’t encrypt users’ data on SD Cards, nor does it encrypt any data on the device.
The excitement about the iPhone 3GS’ failure to authenticate the mounting PC when it is directly attached, providing malicious thieves with access to your photos and game data, is therefore mostly something for Apple-haters to crow about, not a significant security issue that is relevant to the millions of iPhone users who don’t even bother to lock their phones.
Realistically, the fact that you can remotely lock and wipe an iPhone if you have MobileMe makes it far more secure for consumers than comparable smartphones, particularly those with SD Cards. But security is not binary; how you use your phone stacks up into layers of security vulnerabilities that make such exploits more useful for sensationalized reporting than for buying decisions.
Security: iPhone vs Android
If you’re worried about European hackers stealing your mobile phone photos, you can panic about the iPhone 3GS, or you can be glad you don’t have an Android device that a 10-year-old child could hack by simply taking your SD Card out when you’re not looking.
Good luck trying to log into the nonexistent MobileMe-type service for Android and attempting to lock or wipe your stolen SD Card at that point.
Android is security-free in so many respects that it makes security attack reports on the iPhone appear to be completely ridiculous. Android is comparable security-wise to an iPhone that has been jailbroken to remove its security system.
What Apple needs to do for users
Apple can address the mounting issue via a software update. All of the Palm and Android phones ever sold can never be secured from the (completely taboo to even mention) gaping security hole that is SD Cards, nor can they be given hardware encryption via an update, nor can they be supported by the standard security policy of Exchange Server, nor be remotely wiped by an administrator at your request (or by yourself via your MobileMe account).
So anyone speaking of this as an extremely serious security problem really only identifies themselves as being removed from reality and speaking without any context of how other phones stack up in terms of their relative security.
At the same time, Apple should make it clearer what exactly is secured by hardware encryption on the iPhone, what users can expect after losing a phone with a PIN set, and how to secure and wipe data after a device has been lost. So far, the company seems to be content simply talking about security issues in rather nebulous marketing speak. It needs to do better than that.