The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.
"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.
With physical access to a 3GS iPhone and some free software data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.
Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday.
While on vacation in San Francisco last week, my family and I happened to stop by the Apple Store in Union Square. The buzz within was overwhelming--foreign tourists looking for cheap iPods, college students grabbing MacBooks, and business folks lining up for the 3G iPhones.
All of this activity isn't lost on large organizations. It seems that Apple is sitting pretty, ready for a backdoor entrance into the enterprise market with Macs and iPhones over the next few years.
The market certainly appears headed in this direction, but ironically, Apple may be its own worst enemy. Why? With its culture of secrecy, the company isn't willing to work with open standards, or lots of systems and security management companies, preferring instead to cut one-off deals and ignore the masses.
In a recent tour through Silicon Valley, I ran into a few examples of Apple's top-secret culture. The OpenSEA Alliance, an industry standards body focused on building an open 802.1X supplicant, reached out to Apple to work on a Mac-compatible version. With little communication, Apple declined, in spite of the fact that the academic community (one of Apple's biggest markets) is wholeheartedly supporting the open-source effort.
In another case, Apple has yet to announce a strategy for encrypting the data on its iPhones. Why is this important? Because confidential data needs to be protected at endpoints like iPhones, and many enterprise organizations use tools from Check Point Software Technologies (PointSec), McAfee (SafeBoot), PGP, and Utimaco Safeware to do so. Regardless of how Apple decides to encrypt iPhones, it will need to work with these management vendors.
My little post won't have much impact on Steve Jobs and Co., but enterprise CIOs certainly will. These guys demand this type of openness and cooperation. Hewlett-Packard, IBM, Microsoft, and Oracle have their own private agendas, yet they have to work with competitors, standards, and management vendors to service their customers. Despite its newfound market panache, I don't see Apple getting a pass here.
- prev
- 1
- next
