iPhone encryption proven to be 'useless'


This was published 14 years ago

By Asher Moses

A hacker has demonstrated how it is possible to crack the encryption on the iPhone 3GS within two minutes using free software, allowing access to all of the data on the device - even photos and emails that have long been deleted.

The iPhone 3GS is the first iPhone model to include built-in encryption technology, which Apple believes allows it to rival the BlackBerry for business users.

The company claims hundreds of thousands of the devices are being used by companies and government organisations around the world.

But Jonathan Zdziarski, in an interview with Wired, demonstrated how it was just as easy to copy data - such as credit card details and passwords - from the new iPhone as it was on previous models, which didn’t feature encryption.

He has also published YouTube clips showing the processes required to remove the iPhone’s PIN lock and back-up encryption and then transfer videos, contacts, pictures, email and other personal data to a computer.

Even emails and photos that were deleted a year ago can be accessed.

‘‘I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security,’’ said Zdziarski, an iPhone app developer, who also specialises in iPhone forensics.

He said the iPhone strangely decrypts the data automatically once one begins extracting the information from the phone using the Red Sn0w and Purple Ra1n software tools.

In an interview with geek website Ars Technica, Zdziarski likened the iPhone’s encryption to ‘‘putting privacy glass on half your shower door’’.

The ease with which the iPhone’s encryption can be broken is a stark contrast to that of the BlackBerry, which was built from the ground up as a secure business device and which entered the mainstream consumer market only much later.

Indeed, BlackBerry devices long lacked a built-in camera to prevent corporate secrets from being leaked.

One advanced security feature on the BlackBerry is the ability to erase all of its data automatically if it has not connected to the network for a certain amount of time.

The iPhone’s MobileMe service offers a similar feature, as well as the ability to pinpoint the location of a stolen iPhone, but both are rendered useless if the thief removes the SIM card and disables WiFi.

Apple claimed during its most recent earnings announcement that 20 per cent of Fortune 100 companies in the US had bought more than 10,000 iPhones each, while several Government organisations and other corporations bought 25,000 iPhones each.

Apple chief operating officer Tim Cook identified the new hardware encryption feature and other security enhancements as the iPhone’s biggest selling points for businesses.

But Zdziarski warned developers who were making business-oriented applications for the iPhone - such as one allowing tradies to accept credit card transactions in real time - that they could not fall back on Apple’s security systems.

‘‘If they’re relying on Apple’s security, then their application is going to be terribly insecure,’’ Zdziarski told Wired.

‘‘Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.’’

Zdziarski is the author of the book iPhone Forensics: Recovering Evidence, Personal Data and Corporate Assets.

Alan Hashem, director of Sydney-based IT consultancy Insight IT, has provided iPhones to about 12 of the company’s 15 staff, four of whom have the new iPhone 3GS model. They use the devices to access clients’ computers remotely and fix technical support issues.

Hashem said he was concerned about the iPhone’s security vulnerabilities but did not think there was a high chance that someone with the skills to perform Zdziarski’s hack would steal his employees’ iPhones.

He said the handset’s features and third-party applications made it worth the risk.

‘‘We’re at a lot more risk with computers and desktops,’’ he said.
