Secure data wipe built into iPhone Software v2.0

[AppleInsider]

Responding to concerns over the integrity of the iPhone's data reset methods, Apple has taken the extra step and built a more secure data wipe function into the next version of the handset's software, AppleInsider has learned.

People familiar with the beta versions of iPhone Software v2.0 say the upcoming release will employ a more foolproof method of erasing all personal data and settings from an iPhone. As is the case with the existing version of iPhone software, the function will be accessible by selecting Settings > General > Reset > Erase All Contents and Settings.

Unlike today's iPhone software, however, the revised function will wipe data in similar fashion to the "Secure Empty Trash" function of Mac OS X, by which all data is deleted, unlinked, and then overwritten several times to make it irretrievable by even the savviest of recovery tools.

As such, the new function will take considerably longer to complete -- about an hour for a typical 8GB iPhone. A progress bar appears during the process. During the data wipe, users should connect their iPhone to its power adapter as the process is believed to be CPU intensive.

The updated functionality arrives following reports that an Oregon State detective was able to successfully retrieve personal data -- including emails, photos and financial information -- from a refurbished iPhone sold by Apple.

Jonathan Zdziarski, author of the "iPhone Open Application Development,” noted that Apple's existing erase-and-restore function leaves all of a user's personal data "sitting in the unallocated blocks of the iPhone's NAND memory." And there's no viable, publicly available method for erasing the personal data from the Apple handset, he added.

Data reset panel in iPhone Software v1.1.4 on left, v2.0 on right.

The improvements to the iPhone's data wipe will also arrive at a time when masses of original iPhone owners will be attempting clear information from their handsets and resell them to others after upgrading to an iPhone 3G. iPhone software 2.0 will also include among its many enterprise-ready features a function called "remote wipe" that was designed to protect data stored on iPhones by offering a means to remotely wipe them clear in the event that they are lost or stolen.

According to official statements made by Apple during its developers conference earlier this month, as well as this press release, "iPhone 2.0 software will be available on July 11 as a free software update via iTunes 7.7 or later for all iPhone customers." However, a gold master version may be provided to some Apple employees and partners as early as friday.

[ View this article at AppleInsider.com ]

[SpamSandwich]

My only question... is this as good, or better than what is offered to Blackberry users?

[freeny]

so if my old iphone locks up after switching to the new phone how will one access this function?...

[NOFEER]

they should also have a "find locate" ability, so when one is stolen, apple or att is notified, a wipe is done and connected to wifi OR network, it's located, and a picture is taken something like they have for the mac/ laptops that would put a big negative for stealing this thing. make this ability part of the os, not just be buying software, that way the "black market" would be minimized. i wish ipods had that ability, when an ipod is stolen, it can be located when connected to itunes

[darkopz]

Maybe someone can explain the Remote Wiping in further detail for me. It seems quite easy to bypass. You take someone's iPhone, crack it open and pull out the SIM chip. Now it is no longer on the network and cannot be remote wiped. This can all be done within minutes of losing your phone. It could be that this feature isn't meant to prevent people from stealing company/personal secrets but rather a feel good way of knowing you might be able to wipe your information should you lose your iPhone. Is my assessment correct that the only connection the iPhone has for remote wiping is through the SIM chip?

[edit]
I realize that the iPhone can connect wirelessly to the internet but that is easily stopped also by turning off wireless access. The only identifying feature of the iPhone would be the MAC address at that point. I think it all sounds great in theory but no where near secure enough to prevent someone from taking secrets off an iPhone. The only plausible secure way would be to encrypt all the data on the iPhone and allow access to the data through a password you enter every time you utilize your iPhone. Then if you lost your iPhone and the encryption was strong enough they would be out of luck. You can't crack strong encryption like you can on TV. Then thief's would need to, once again, resort to Social Engineering to obtaining passwords and information.
[/edit]

Thanks,

Andrew

[PG4G]

Remote wipe is done via the unique code of the phone I believe (the ISDN or whatever it is called) and so even with a new sim, it would still send the same code, and would wipe.

[caliminius]

Is this the same or different than the remote erase that was mentioned for the 2.0 software? I've never used a Blackberry so I don't know how their security works, but I was under the impression that the 2.0 software provided the ability to submit a request over the cell network to erase all data on the phone. Or is that just a feature for enterprise customers because it seems like it could be useful for regular consumers as well if the phone were lost or stolen. This version seems to require access to the phone which seems to defeat most of the purpose. And what happens if the process is halted because the battery dies before completion? Will it continue the process after charging?

[SpamSandwich]

Quote:

Originally Posted by darkopz

Maybe someone can explain the Remote Wiping in further detail for me. It seems quite easy to bypass. You take someone's iPhone, crack it open and pull out the SIM chip. Now it is no longer on the network and cannot be remote wiped. This can all be done within minutes of losing your phone. It could be that this feature isn't meant to prevent people from stealing company/personal secrets but rather a feel good way of knowing you might be able to wipe your information should you lose your iPhone. Is my assessment correct that the only connection the iPhone has for remote wiping is through the SIM chip?

Thanks,

Andrew

Seems that if more companies insisted on passwords to secure their company phones, less of this would be an issue. People are lazy, inattentive and easily distracted. This is why remote wiping is important.

[solipsism]

Quote:

Originally Posted by darkopz

Maybe someone can explain the Remote Wiping in further detail for me. It seems quite easy to bypass. You take someone's iPhone, crack it open and pull out the SIM chip. Now it is no longer on the network and cannot be remote wiped. This can all be done within minutes of losing your phone. It could be that this feature isn't meant to prevent people from stealing company/personal secrets but rather a feel good way of knowing you might be able to wipe your information should you lose your iPhone. Is my assessment correct that the only connection the iPhone has for remote wiping is through the SIM chip?

[edit]
I realize that the iPhone can connect wirelessly to the internet but that is easily stopped also by turning off wireless access. The only identifying feature of the iPhone would be the MAC address at that point. I think it all sounds great in theory but no where near secure enough to prevent someone from taking secrets off an iPhone. The only plausible secure way would be to encrypt all the data on the iPhone and allow access to the data through a password you enter every time you utilize your iPhone. Then if you lost your iPhone and the encryption was strong enough they would be out of luck. You can't crack strong encryption like you can on TV. Then thief's would need to, once again, resort to Social Engineering to obtaining passwords and information.
[/edit]

Hopefully it can work with the IMEI that is specific to each device. However, there are a great many thieves that aren't smart enough to know this. Every few months I read about a large cellphone heist that is foiled because they turned them on.

• Stupid crook of the month

Quote:

Originally Posted by SpamSandwich

My only question... is this as good, or better than what is offered to Blackberry users?

I'm being told by a BB user that they can remotely lock the device, disable the device, or disable and wipe (format) the device. I'm guessing lock is if you left it out at around friends, family member or workmates who won't steal it but may go snooping.

Quote:

Originally Posted by PG4G

Remote wipe is done via the unique code of the phone I believe (the ISDN or whatever it is called) and so even with a new sim, it would still send the same code, and would wipe.

I think it's the IMEI, I hope someone can give us some insight into how robust it is.

[Virgil-TB2]

@SpamSandwich & @caliminius

This would make the wiping features of the iPhone *greater* than those of the Blackberry. They both have remote secure wipe (or will have with iPhone 2.0), but the iPhone now has a "local" version of the same thing (as described in the article).

I'm fairly certain that the BlackBerry can't do a "local wipe" in the same way, but the two phones could be seen as "feature identical" if turns out I am wrong on that. So either this is "as good" as Blackberry" or (most likely) "better."

[Stuart Kirby]

Umm... didn't Apple announce this feature when they announced the SDK, like... months ago?

[solipsism]

Quote:

Originally Posted by SpamSandwich

Seems that if more companies insisted on passwords to secure their company phones, less of this would be an issue. People are lazy, inattentive and easily distracted. This is why remote wiping is important.

I think the 4 digit PIN is too weak. It's a touch-screen interface and not a number pad so i would like to have the option for using a PIN length of my choice or a proper password of my desired length.

[Ireland]

Quote:

Originally Posted by SpamSandwich

My only question... is this as good, or better than what is offered to Blackberry users?

You love your Blackberry! Admit it Spam

[Ireland]

Quote:

Originally Posted by Stuart Kirby

Umm... didn't Apple announce this feature when they announced the SDK, like... months ago?

They announced remote wipe, not local wipe. That's new.

[wilco]

Quote:

Originally Posted by Stuart Kirby

Umm... didn't Apple announce this feature when they announced the SDK, like... months ago?

Umm...like no.

[Lafe]

Why so long? 8GB = an hour?

Also, do you need to overwrite flash memory multiple times the way you do
on a magnetic disk?

I use Secure Empty Trash on my MBA with SSD, but I wonder if it's necessary
as much as it would be on a traditional HDD.

[solipsism]

Quote:

Originally Posted by Ireland

They announced remote wipe, not local wipe. That's new.

Both are new to the iPhone. What I think Stuart is referring to is the SDK event where Apple announced that Exchange support for v2.0 will offer remote wipe. Of course, that relies upon ActiveSync being set up on your handset.

[solipsism]

Quote:

Originally Posted by Lafe

Why so long? 8GB = an hour?

Also, do you need to overwrite flash memory multiple times the way you do
on a magnetic disk?

I use Secure Empty Trash on my MBA with SSD, but I wonder if it's necessary
as much as it would be on a traditional HDD.

I've read plenty of times that writing 1's more than once is pointless as there are no known devices that are sensitive enough to read past one secure wipe. But better to be safe than sorry.

As for the time, that is about how long it takes when you use iTunes to restore a full 8Gb to a clean device. The processor speed and slow write speed of NAND seems to be the issue.

Quote:

Originally Posted by PG4G

Remote wipe is done via the unique code of the phone I believe (the ISDN or whatever it is called) and so even with a new sim, it would still send the same code, and would wipe.

More info...

"The IMEI number is used by the GSM network to identify valid devices and therefore can be used to stop a stolen phone from accessing the network. For example, if a mobile phone is stolen, the owner can call his or her network provider and instruct them to "ban" the phone using its IMEI number. This renders the phone useless, regardless of whether the phone's SIM is changed."

"When mobile equipment is stolen or lost, the operator or owner will typically contact the Central Equipment Identity Register (CEIR) which blacklists the device in all operator switches so that it will in effect become unusable, making theft of mobile equipment a useless business.
The IMEI number is not supposed to be easy to change, making the CEIR blacklisting effective. However this is not always the case: IMEI may be easy to change with special tools and some operators may even flatly ignore the CEIR blacklist."

• http://en.wikipedia.org/wiki/IMEI

Note: ZiPhone, which is used to jailbreak and unlock iPhones, has an option to input a user created IMEI. This can not be helped. HW has to be represented in software at some point. Even MAC addresses are only the software representation of the BIA (burned-in address) and can be altered very easily. Your router at home probably has this option available.

[PG4G]

Actually it isn't so much it takes iTunes that long (it doesn't, it takes several minutes) but it would be because of the wiping process, and yes, the slow write speeds and such. It would be "US Department of Defence 5220-22 M standard" which is 7 pass over the drive - this would have to do with the army guy who spoke at the WWDC keynote, and how with the military using them, with their data, they need that standard of wipe

When reinstalling OS X, you get the option to US DOD security erase the drive, also in disk utility.

[JeffDM]

Quote:

Originally Posted by PG4G

Actually it isn't so much it takes iTunes that long (it doesn't, it takes several minutes) but it would be because of the wiping process, and yes, the slow write speeds and such. It would be "US Department of Defence 5220-22 M standard" which is 7 pass over the drive - this would have to do with the army guy who spoke at the WWDC keynote, and how with the military using them, with their data, they need that standard of wipe

But the question that was raised was whether many passes are really necessary with flash memory.

[kresh]

I wonder how many hackers are working on exploits to do unauthorized remote wipes on iPhones, just to screw with Apple and make a name for themselves.

I hope that remote wipe can be disabled for iPhones bought by individuals for personal use.

[icfireball]

Quote:

Originally Posted by darkopz

Maybe someone can explain the Remote Wiping in further detail for me. It seems quite easy to bypass. You take someone's iPhone, crack it open and pull out the SIM chip. Now it is no longer on the network and cannot be remote wiped. This can all be done within minutes of losing your phone. It could be that this feature isn't meant to prevent people from stealing company/personal secrets but rather a feel good way of knowing you might be able to wipe your information should you lose your iPhone. Is my assessment correct that the only connection the iPhone has for remote wiping is through the SIM chip?

[edit]
I realize that the iPhone can connect wirelessly to the internet but that is easily stopped also by turning off wireless access. The only identifying feature of the iPhone would be the MAC address at that point. I think it all sounds great in theory but no where near secure enough to prevent someone from taking secrets off an iPhone. The only plausible secure way would be to encrypt all the data on the iPhone and allow access to the data through a password you enter every time you utilize your iPhone. Then if you lost your iPhone and the encryption was strong enough they would be out of luck. You can't crack strong encryption like you can on TV. Then thief's would need to, once again, resort to Social Engineering to obtaining passwords and information.
[/edit]

Thanks,

Andrew

As a few other people have already touched on, the SIM card manages access to the network for the customer, preventing the customer from using a cell network if they don't have a plan with the carrier. While a lack of SIM card renders the phone useless to the customer, the phone can still allow the carrier to communicate with the phone through the network.

Also, now that the iPhone has GPS (which can be used independent from cell network access), there is one more way of tracking a phone.

The remote wipe feature is not really intended to protect against people who are stealing your phone for the purpose of stealing information. Rather, the remote wipe feature is intended to clear data so that if the phone is lost, or stolen by someone who wants the phone for the electronics, not for the data, the stealer can't wander upon personal data.

[dfiler]

Quote:

Originally Posted by JeffDM

But the question that was raised was whether many passes are really necessary with flash memory.

Not required.

The many passes thing has to do with slop in writing/reading magnetic media. If the head is slightly off from the exact location of the previous write for a particular bit, the previous write will still be readable.

That is, it is still readable if you take the drive platters out and put them into a mind-bogglingly expensive and precise machine that can read the margins between bits of magnetically stored data.

Incidentally, the same thing used to be true of magnetic tape and analog recordings.

Flash media has no "between the bits" or "between the tracks".

[noirdesir]

Remote wiping probably is not a secure delete. Or should the iPhone display a message saying, "Please connect the iPhone to a power source so we can start a secure wipe"?

Maybe remote wipe has a secure delete of some key data like the address book.

Secure wipe and remote wipe are two different things, they might share some elements but one isn't the superset of the other.

[dagamer34]

Quote:

Originally Posted by freeny

so if my old iphone locks up after switching to the new phone how will one access this function?...

You're old phone isn't going to lock up. You're just only going to have one valid SIM card at a time. Unlike other phones, the iPhone allows you to boot the phone without a valid SIM card. It will not automatically relock itself.

[solipsism]

Quote:

Originally Posted by JeffDM

But the question that was raised was whether many passes are really necessary with flash memory.

It seems that it's not necessary to write more than once to any drive.

According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."

• http://cmrr.ucsd.edu/people/Hughes/D...onTutorial.pdf

Quote:

Originally Posted by kresh

I wonder how many hackers are working on exploits to do unauthorized remote wipes on iPhones, just to screw with Apple and make a name for themselves.

I hope that remote wipe can be disabled for iPhones bought by individuals for personal use.

I was thinking of that. Could you send out a broadcast wipe to all devices or do it have to do a secure handshake first to determine source and some special code?

[Mac-sochist]

Quote:

Originally Posted by kresh

I hope that remote wipe can be disabled for iPhones bought by individuals for personal use.

Amen! Am I the only one that feels that any function built into software or hardware will occasionally happen inadvertently, maliciously, or just plain spontaneously? (I've known two people who had their airbags go off in their face just driving down the road....)

[dfiler]

Quote:

Originally Posted by solipsism

It seems that it's not necessary to write more than once to any drive.

True... if you're only trying to prevent an average schmoe from getting your data. (or even an above average schmoe i suppose)

But the NSA (and other 3 letter agencies) are more than capable of reading single-pass erased data. It just requires some really expensive hardware and software that pretty much nobody has.

Not that any of us have data that the feds want that bad.

[Rot'nApple]

Quote:

Originally Posted by SpamSandwich

People are lazy, inattentive and easily distracted.

And yet are allowed to vote!

[Ireland]

Quote:

Originally Posted by solipsism

Both are new to the iPhone. What I think Stuart is referring to is the SDK event where Apple announced that Exchange support for v2.0 will offer remote wipe. Of course, that relies upon ActiveSync being set up on your handset.

Yeah, that's what I meant.

[SpamSandwich]

Quote:

Originally Posted by Ireland

They announced remote wipe, not local wipe. That's new.

To paraphrase the old saying..."All wipes are local".

[SpamSandwich]

Quote:

Originally Posted by Rot'nApple

And yet are allowed to vote!

Ain't that a peach!

[SpamSandwich]

Quote:

Originally Posted by Ireland

You love your Blackberry! Admit it Spam

Heh, heh. I do have Blackberry functionality available on my phone, but I don't use the service.

[a_greer]

Quote:

Originally Posted by SpamSandwich

My only question... is this as good, or better than what is offered to Blackberry users?

As someone who uses BB Enterprise services every day, I can tell you that secure wipe has been present on the handheld for at least 5 years, and van be done from the server side via Blackberry ent. aervices for I think every version of the server

Truth be told, I assumed that it would have been availible on iphone 1.0 at launch, it doesnt need hype, it is a standard, hyping this is like saying CHRGER INCLUDED....everyone just assumes that with a high end smart phone.

[a_greer]

Quote:

Originally Posted by kresh

I wonder how many hackers are working on exploits to do unauthorized remote wipes on iPhones, just to screw with Apple and make a name for themselves.

I hope that remote wipe can be disabled for iPhones bought by individuals for personal use.

Fear not, it would requier teathering to an enterprise environment, which is a 2 step process, the admin sets access permissions on your network account, nd you run the enterprise setup tools on the phone...so long as you do not run those tools and successfully tie into a corprate network, they cant do remote wipe.

[dfiler]

Quote:

Originally Posted by a_greer

...so long as you do not run those tools and successfully tie into a corprate network, they cant do remote wipe.

Possibly. But just speculation at this point. That is, unless you know that the bits of code, which perform the wipe, are an optional install on the iPhone.

If the functionality is present, a hacker could potentially utilize it even without involving a corporate network. Granted, if a hacker has gained access to the system, they could just delete everything anyway.

[solipsism]

Quote:

Originally Posted by a_greer

Truth be told, I assumed that it would have been availible on iphone 1.0 at launch, it doesnt need hype, it is a standard, hyping this is like saying CHRGER INCLUDED....everyone just assumes that with a high end smart phone.

On the one hand, it was released as a consumer device. I don't know of a single handset that offers that as an option for the average user. On the other hand, the complete vCard syncing, bookmarks, and calendars does offer more info than the average phone. I hadn't even though to remove personal account data from the notes section of AddressBook until just now!

Quote:

Originally Posted by a_greer

Fear not, it would requier teathering to an enterprise environment, which is a 2 step process, the admin sets access permissions on your network account, nd you run the enterprise setup tools on the phone...so long as you do not run those tools and successfully tie into a corprate network, they cant do remote wipe.

Apple is the Enterprise setup. They are the ones offering Secure Wipe and monitoring which apps you wish to receive info from via their Notification Server. This is a consumer branded Secure Wipe that does not require a connection to RiM or Exchange in any way to function.

[JeffDM]

Quote:

Originally Posted by dfiler

Not that any of us have data that the feds want that bad.

I think they can get it other ways if they wanted it.

[ravedog]

Quote:

Originally Posted by NOFEER

they should also have a "find locate" ability, so when one is stolen, apple or att is notified, a wipe is done and connected to wifi OR network, it's located, and a picture is taken something like they have for the mac/ laptops that would put a big negative for stealing this thing.

All would be a good idea, except the picture would most likely be of their feet. "Calling all cars, calling all cars; be on the look out for a suspect wearing black pants, and white hi-tops."

[dstranathan]

Quote:

Originally Posted by ravedog

All would be a good idea, except the picture would most likely be of their feet. "Calling all cars, calling all cars; be on the look out for a suspect wearing black pants, and white hi-tops."

Exactly. LOL.

BUT: Someday the iPhone may be able to scan the hands/fingers of the thief and register DNA information into some database in the cloud. And you thought Apple's DRM was a bitch!