July 24, 2009 12:18 PM PDT

Expert: iPhone 3GS crypto is easily crackable

by Elinor Mills

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to an iPhone 3GS and some free software, data can be extracted within two minutes, and an image of the entire raw disk can be made in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.

Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, Apple said on its financial results conference call on Tuesday.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
26 Comments
by cnetpre July 24, 2009 12:52 PM PDT
Explains why the iPhone is having so much trouble getting accepted by corporations and business use. All of their employees could be vulnerable to identity theft.
by Random_Walk July 24, 2009 1:38 PM PDT
Wow, you're right. I mean, all the users have to do is give their iPhones over to some random stranger for an hour, and *poof* - OMGWTFBBQsecurityleak!
by rapier1 July 24, 2009 1:48 PM PDT
It's more of an issue that corporations recognize that phones can be, and are often, lost. If they have flawed encryption methods then a lost or stolen phone is essentially an open book to whoever has it. Basically, the idea that your phone is secure as long as you never lose it is little better than security through obscurity. This *used* to be sufficient but is no longer acceptable in the modern world.
by Get_a_life_Leo July 24, 2009 1:49 PM PDT
No hardware is secure in the hands of experts. BlackBerrys do have some well thought out security features but are also hackable in most cases because their users are either not careful or don't activate the pass-code. Personal responsibility is the widest hole in any portable device. Some people just don't think (such as the wife of the head of MI5 who posted her husband's details on Facebook). Getting information for identity theft has become trivial.

As for adoption of iPhone in corporations, it's taken off like wildfire over the past 6 months.
by Random_Walk July 24, 2009 2:38 PM PDT
"It's more of an issue that corporations recognize that phones can be, and are often, lost."

Remote Wipe. Next fear?
by jaguar717 July 24, 2009 3:08 PM PDT
"No hardware is secure in the hands of experts"? What magical tools do these experts have decades of attacks by everyone from mathematicians to basement hackers?

In two minutes you can download TrueCrypt or any of several other free encryption programs, and have a hard drive full of data that's absolutely meaningless to anyone without the pass phrase.

We're not talking about something that would take months of NASA supercomputers to crack; we're talking about a billion NASA supercomputers working for a thousand times the age of the universe, and that's for 128 bit. 256 squares it.
by chrisx1 July 24, 2009 4:41 PM PDT
Unlike a Blackberry, all they have to do to disable Remote Wipe is pull out the SIM card!
by AppleSuxLeo July 25, 2009 10:09 PM PDT
That is a true statement. Very good.
by ibeetle July 24, 2009 12:58 PM PDT
This has already made the rounds on the internet a few days ago and has already been debunked. What Jonathan Zdziarski either did not tell Wired or Wired failed to write was that the iPhone has to be jailbroken. Corporate executives are not being issued jailbroken smart phones by their Fortune 100 companies.

He also forgets to mention that the tools used are not easily obtained on the internet... that is the article's author claiming they are easily found. The tools are also difficult to use and are not only used for hacking the iPhone but other phones as well.
by chimei2 July 24, 2009 1:19 PM PDT
NOTHING has been debunked.. post something to back up your post instead of opinion.

The phone does NOT need to be already in a jailbroken mode! Pay attention to what you read. You can take ANY locked iPhone 3GS, remove the passcode and access ALL information on the iPhone. = Encryption is pointless.

All of these tools are easily available. He mentions numerous times that anyone that looks for them can find them.

The encryption on the 3GS is completely useless. Regardless of how you do it, it takes 30 seconds to REMOVE the password protection on an iPhone 3GS and you then have access to the "encrypted" data on it.

The problem is that Apple does not use the system password that is set by the user as part of the encryption process. This means there will always be a way around the encryption until Apple changes the way they do it. The funny thing is, even if they did it could only be 4 numbers, so it would still be easy to decrypt via brute force!

The BlackBerry and Windows Mobile do not suffer from this weakness. Their encryption is based on the device password, without this, the data is safe and cannot be accessed. And with their management software you can set password size requirements to strengthen your deployed devices.

Here is a YouTube demonstrating how he bypassed the device password on the 3GS.

http://www.youtube.com/watch?v=5wS3AMbXRLs&eurl=http%3A%2F%2Fwww.wired.com%2Fgadgetlab%2F2009%2F07%2Fiphone-encryption%2F&feature=player_embedded
by rapier1 July 24, 2009 1:53 PM PDT
Actually, the person who steals or finds the phone jailbreaks it. It doesn't have to be jailbroken in advance. However, that would certainly make things easier.
by jaguar717 July 24, 2009 3:10 PM PDT
Not really a convenient way to punch out a 20-character or so pass phrase (impossible to brute force).
I guess they could make the number pad work like a cell phone and let people sit there iTap-ing it out every time they want to unlock their phones. That would be a riot.

Hey maybe if it had a keyboard you could enter actual pass phrases! Let the flaming begin...
by M C July 24, 2009 1:09 PM PDT
Yep, basically promo for Jonathan Zdziarski here - but don't expect that to stop non-critical thinkers like the first commenter to eat it up with a spoon.
by Lerianis3 July 24, 2009 1:20 PM PDT
Actually, I am a 'critical thinker' and after two minutes searching, I could find these tools VERY easily.
by SenorFrog July 25, 2009 12:42 PM PDT
Google the guy - he's an uber-geek and he plays the bass guitar. I think I've got a man-crush :-)
by chimei2 July 24, 2009 1:43 PM PDT
Check http://digg.com/apple/Hacker_Says_iPhone_3GS_Encryption_Is_Useless_for_Business
by kswartz26 July 24, 2009 1:50 PM PDT
I discovered last night that Jonathan Zdziarski has published a book for O'Reilly and Associates called iPhone Forensics. It goes into elaborate detail on how to circumvent the device password. It really is as easy as he says, and no, the device does not need to be jailbroken. I think the misunderstanding comes from the fact that once you obtain the phone, you have to jailbreak it to install the forensics recovery software he uses to bypass the passcode and decrypt the data.

I only skimmed the book because I found it very curious, but I think ibeetle's posting is definitely inaccurate here, and the author has some pretty strong evidence to back up this claim, and waaaaaay too much documentation for my tastes. :)
by Zippy-T-Pinhead July 24, 2009 1:52 PM PDT
Holy crap. If the brain trust among you are calling yourselves "critical thinkers", or implying the same, the bar has just been set pretty damned low. Oh, and if any of you have advanced degrees floating about (doubtful), if you didn't get them from Phoenix Online, you may want to get your money back...
by lkrupp July 25, 2009 8:55 AM PDT
When will people finally "get it" that a rational, civil discussion of Apple products on C|net is simply not possible? Positive article about Apple... the Apple bashing trolls come out in droves to discredit the article. Negative article about Apple... the Apple apologist trolls come out in droves to debunk the article. In either type of article the name calling and FUD from both sides quickly ensues to drive the thread to the bottom of the barrel. No discussion, no rationality, no civility, no give and take, just poo flinging at each other like a bunch of chimpanzees at the zoo.
by baconstang July 25, 2009 3:10 PM PDT
Yeah! that's what MS articles are for.
by Hokulea July 26, 2009 11:32 AM PDT
Rational and logical discussions are not possible in any comment thread period, regardless of subject material. To be rational, logical, and objective requires a moderately high level of intelligence and education. People who possess those attributes usually have better things to do than reply to childish inane comments posted by Apple acolytes, Linux evangelists, or MS haters.

I prefer reading tech news on Ars as I find the articles better written and the stupid comments aren't shown unless accessed by a separate link.
by Nataku4ca July 27, 2009 11:28 AM PDT
i think this is why i bother clicking on some of the links... so i could see flaming way lol
by AppleSuxLeo July 25, 2009 10:08 PM PDT
Jobs said OSX was secure...like Swiss cheese.
by CrashPad63 July 28, 2009 10:39 AM PDT
You get what you pay for!!! Apple security is really the worst in the business right now.
by JasonV12 July 28, 2009 11:38 AM PDT
I think I'll stick with my BlackBerry. I use Voltage securemail for BlackBerry so I know my email is always safe! Check it out: http://www.voltage.com/products/blackberry.htm
by exNewt July 29, 2009 12:50 PM PDT
You have to have an iPhone - jailbroken - with SSH installed, SSH active and Root password not changed for this exploit to work.

What amazes me is the angst corporate IT put us through over a freaking phone. If you have it set to get e-mail every 15 minutes and that you have to enter the e-mail password, no one will get your e-mails.

What about laptops?!!!??

Why does not IT buy laptops with location aware (IP address tracking) software running with remote wipe? My IT group - who is so secure they have temporarily "banned" iPhones from using Activesync - has one of the default XP passwords for our "secure" laptops.