iPhone encryption "broken"

Posted:
in iPhone edited January 2014
According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:



http://arstechnica.com/apple/news/20...hack-proof.ars

Comments

  • Reply 1 of 7
    vineavinea Posts: 5,585member
    Quote:
    Originally Posted by JavaCowboy View Post


    According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:



    http://arstechnica.com/apple/news/20...hack-proof.ars



    Seems like to fix these issues they'll have to kill jailbreaking. Which is okay by me but I can hear the screaming already.
  • Reply 2 of 7
    bbwibbwi Posts: 812member
    Law #3 in the Immutable Laws of Security



    The language can be adapted to mobile devices...



    If a bad guy has unrestricted physical access to your computer, it's not your computer anymore



    If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.



    And Law #7



    Law #7: Encrypted data is only as secure as the decryption key



    Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience – you don't have to handle the key – but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the computer it can be found. It has to be – after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations.



    Blackberry's aren't much safer either
  • Reply 3 of 7
    MarvinMarvin Posts: 14,803moderator
    Quote:
    Originally Posted by vinea View Post


    Seems like to fix these issues they'll have to kill jailbreaking. Which is okay by me but I can hear the screaming already.



    In the video, the guy used a custom Ram disk loaded remotely onto the phone to reset the password, but said common jailbreak software could achieve the same goal. I don't think Apple can remove this feature without breaking the ability to restore your phone after a bad update.



    What I don't get is that clearly this is important for Apple to get right if they are to be taken seriously in certain enterprise applications - even their own. Imagine if someone found and hacked Steve's iphone and found details of a 4th generation one. It's a life and death situation. So why don't they get security developers who know how to do this properly like the guy in the video himself?



    Fortunately, encryption can be changed at the software-level so an update could protect users' data properly but Apple are just getting lazy with this kind of thing in all their products.
  • Reply 4 of 7
    vineavinea Posts: 5,585member
    Quote:
    Originally Posted by bbwi View Post


    Law #3 in the Immutable Laws of Security

    ...



    What are the other laws?
  • Reply 5 of 7
    vineavinea Posts: 5,585member
    Quote:
    Originally Posted by Marvin View Post


    In the video, the guy used a custom Ram disk loaded remotely onto the phone to reset the password, but said common jailbreak software could achieve the same goal. I don't think Apple can remove this feature without breaking the ability to restore your phone after a bad update.



    Mmmm...maybe if they forced a zero'd wipe after a bad update before restoring? Any tampering forces a wipe with the expectation that the backup is both up to date (heh) and secure.



    Quote:

    What I don't get is that clearly this is important for Apple to get right if they are to be taken seriously in certain enterprise applications - even their own. Imagine if someone found and hacked Steve's iphone and found details of a 4th generation one. It's a life and death situation. So why don't they get security developers who know how to do this properly like the guy in the video himself?



    Fortunately, encryption can be changed at the software-level so an update could protect users' data properly but Apple are just getting lazy with this kind of thing in all their products.



    Well, step 1 is the physical security of the device. Finding Steve's phone is hopefully a non-trivial exercise.



    I wonder how secure LockBox is on the iPhone.
  • Reply 6 of 7
    djsherlydjsherly Posts: 1,031member
    I'm surprised this wasn't news on the front page of this site? It seems to have made the major dailies here in some form.



    eg,



    http://www.smh.com.au/digital-life/m...0727-dyfv.html
  • Reply 7 of 7
    Quote:
    Originally Posted by JavaCowboy View Post


    According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:



    http://arstechnica.com/apple/news/20...hack-proof.ars



    This will render jailbroken iPhones virtually handicapped. Apple should patch this flaw ASAP and get this done in a software update soon.
Sign In or Register to comment.