Researchers demo ability to steal passwords by jailbreaking Apple's iPhone

  • Reply 41 of 65
    Quote:
    Originally Posted by NasserAE View Post


    The problem with using the passcode for encryption is that most people don't use them to lock their iPhones. I agree that this is serious but the solution is not as simple as you think.



    If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.
  • Reply 42 of 65
    If you have a MobileMe account, all the more reason to use the Find My Phone feature to erase it remotely as soon as you realize it's lost or stolen. You can always restore it if you get it back.



    Not much chance that a randomly lost phone would find its way into the hands of someone with jailbreaking "tools" in hand within 6 minutes of loss. The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.
  • Reply 43 of 65
    Quote:
    Originally Posted by Robin Huber View Post


    The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.



    Except that all the thief has to do to defeat remote wipe is to keep the phone from having a data connection.
  • Reply 44 of 65
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by AIaddict View Post


    If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.



    I do use a passcode to lock my iPhone. However, I understand that a passcode is just a way to buy time until you initiate a remote wipe. Like Dennis Hughes said:



    Quote:

    The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one



  • Reply 45 of 65
    Quote:
    Originally Posted by Robin Huber View Post


    If you have a MobileMe account, all the more reason to use the Find My Phone feature to erase it remotely as soon as you realize it's lost or stolen. You can always restore it if you get it back.



    Not much chance that a randomly lost phone would find its way into the hands of someone with jailbreaking "tools" in hand within 6 minutes of loss. The only real risk would be from a thief who has this in mind and is ready to jailbreak and extract what they want before you can get to the web to find and erase your phone.



    Turning off the phone or removing the SIM card from the current GSM iPhone 4 blocks out the option to remote wipe. It would be nice if Apple would give the option to require a passcode to turn off the phone, so it stays on until the passcode is entered.
  • Reply 46 of 65
    Quote:
    Originally Posted by caliminius View Post


    Except that all the thief has to do to defeat remote wipe is to keep the phone from having a data connection.



    It depends on whether the hacker immediately shuts it off in time to prevent the command from reaching the phone. Most thefts involve wiping and reselling, not lifting data or accessibility from the contents.



    For the record, does any other smartphone offer native enhanced encryption (which the user does not have to turn on) to offer protection against this?
  • Reply 47 of 65
    Quote:
    Originally Posted by AIaddict View Post


    If you do not use a passcode to lock your phone, you obviously do not care. The issue is for people who have chosen a lockscreen password and even those who have chosen to enable device encryption. I am all for having a choice on what security level a user wants, but when someone chooses to turn on the security features, they should work.



    And what happens in your idealized world when someone has a passcode on their phone, and then they remove it? I know you think security is trivial to implement, but I don't think you've thought through even a tiny percentage of the possible scenarios where issues with your "solution" can arise and have to be dealt with.



    And, again, as has been pointed out, if you don't physically secure the device, it's not going to be secure.
  • Reply 48 of 65
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by fecklesstechguy View Post


    It depends on whether the hacker immediately shuts it off in time to prevent the command from reaching the phone. Most thefts involve wiping and reselling, not lifting data or accessibility from the contents.



    ..



    Or you get lucky and this guy steals your iPhone
  • Reply 49 of 65
    gustav Posts: 829 member
    Quote:
    Originally Posted by bongo View Post


    Not if it's 256 bit encrypted with a strong password.



    Then they'll just read the password off the sticky note on the monitor that the computer was attached to.
  • Reply 50 of 65
    gustav Posts: 829 member
    Quote:
    Originally Posted by ascii View Post


    I thought the keychain was an encrypted file, so not sure how they're doing this.



    Think about this:

    When your mail app checks for mail, does it always ask for your mail password?

    When you re-visit a site you logged into yesterday (via http security) does it ask for your password?



    No, it doesn't. Therefore, the key to decrypt the keychain must be stored on the device somewhere. The thief then jailbreaks your phone, and reads the key, and then decrypts your keychain.



    On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.



    This is a classic tradeoff between security and convenience. Users don't want to have to type in their password all the time, and they want their mail to check automatically, so the system has to know the password. If it asked the user every time, they'd get annoyed and switch to a different phone.
  • Reply 51 of 65
    chronster Posts: 1,894 member
    Quote:
    Originally Posted by Gustav View Post


    Think about this:

    When your mail app checks for mail, does it always ask for your mail password?

    When you re-visit a site you logged into yesterday (via http security) does it ask for your password?



    No, it doesn't. Therefore, the key to decrypt the keychain must be stored on the device somewhere. The thief then jailbreaks your phone, and reads the key, and then decrypts your keychain.



    On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.



    This is a classic tradeoff between security and convenience. Users don't want to have to type in their password all the time, and they want their mail to check automatically, so the system has to know the password. If it asked the user every time, they'd get annoyed and switch to a different phone.



    Ultimately the issue will lie with AT&T activating stolen phones. With Verizon, the phone's ESN has to match what's in the servers. With AT&T, you pop in a new SIM, and AT&T lets you activate it (while charging the victim full price for a replacement).



    With this news out, I'd hold my iPhone a little tighter if I were y'all.
  • Reply 52 of 65
    mjtomlin Posts: 2,699 member
    Quote:
    Originally Posted by chronster View Post


    So you're saying this was designed this way? What if someone's iPhone has naked photos, or business secrets? Shouldn't they be alarmed that their password can be considered useless if the phone gets stolen?



    I bet you would find this is possible with most phones, but because of the iPhone's popularity, it gets the attention from people looking to do such things. Kind of like how Windows gets all the attention from virus makers.



    Well I would assume by keychain, they meant passwords stored in the system itself. Anyone writing an application could have their own method of encrypting data and possibly storing passwords. OS X does come with a system wide keychain, but it's an opt-in feature.



    Hardly analogous to the issues Windows faced, which was largely due to being able to access the system remotely. If I was going to be a jerk and wanted to do this, the impact would be extremely minimal as I would have to gain access to someone's phone.
  • Reply 53 of 65
    noirdesir Posts: 1,027 member
    Quote:
    Originally Posted by mstone View Post


    I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user.



    You can reset the login password but you cannot reset the keychain password on a Mac.
  • Reply 54 of 65
    noirdesir Posts: 1,027 member
    Quote:
    Originally Posted by Gustav View Post


    On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.



    And what stops Apple from linking the iPhone's keychain password to the unlock code, for those users who have set an unlock code, in exactly the same way as it does on Macs?
  • Reply 55 of 65
    Quote:
    Originally Posted by mstone View Post


    I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.



    On the Mac, you can set a password to prevent the use of that Snow Leopard disk...
  • Reply 56 of 65
    hkz Posts: 190 member
    Quote:
    Originally Posted by mstone View Post


    No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.



    Except that you can do this on any iPhone. Simply go into settings and change the iTunes login info on that account to yours, download again from the app store, and voila. Jailbreaking doesn't enable this. Sure you can't do it an unlimited number of times but if you trust enough people, and use gift cards in iTunes you can share many apps that way.
  • Reply 57 of 65
    Quote:
    Originally Posted by chronster View Post


    Ultimately the issue will lie with AT&T activating stolen phones. With Verizon, the phone's ESN has to match what's in the servers. With AT&T, you pop in a new SIM, and AT&T lets you activate it (while charging the victim full price for a replacement).



    With this news out, I'd hold my iPhone a little tighter if I were y'all.



    This is about stealing your passwords and other data. It has nothing to do with activating the stolen phone on a carrier.
  • Reply 58 of 65
    If you look here under Keychain Item Accessibility Constants, you can specify different levels of security for keychain items. So did these guys retrieve everything? Does the keychain use different keys for different accessibility levels, or did they just use items stored with the kAttrAlways attribute?



    Even if Apple does store items with the kSecAttrAccessibleWhenUnlocked attribute encrypted to the passcode, the default passcode only gives 1000 different keys. Pretty easy to brute force. Ideally the keychain would have a watchdog app to check for jailbreaking and wipe the keychain, and also wipe after unlocking fails 3 times.
  • Reply 59 of 65
    Quote:
    Originally Posted by anonymouse View Post


    And what happens in your idealized world when someone has a passcode on their phone, and then they remove it? I know you think security is trivial to implement, but I don't think you've thought through even a tiny percentage of the possible scenarios where issues with your "solution" can arise and have to be dealt with.



    And, again, as has been pointed out, if you don't physically secure the device, it's not going to be secure.



    Why discuss something you don't understand?



    If the user sets a passcode, you use that passcode to encrypt/decrypt. If they don't, you don't encrypt. When they remove the passcode, anything that was encrypted with it gets unencrypted. This is not rocket science or something new; this has been done on various devices for more than 2 decades. This path has been well blazed and the industry has accumulated some pretty good collective knowledge over the years on different scenarios, benefits and shortcomings, loopholes etc.
  • Reply 60 of 65
    Quote:
    Originally Posted by gnuloki View Post


    If you look here under Keychain Item Accessibility Constants, you can specify different levels of security for keychain items. So did these guys retrieve everything? Does the keychain use different keys for different accessibility levels, or did they just use items stored with the kAttrAlways attribute?



    Even if Apple does store items with the kSecAttrAccessibleWhenUnlocked attribute encrypted to the passcode, the default passcode only gives 1000 different keys. Pretty easy to brute force. Ideally the keychain would have a watchdog app to check for jailbreaking and wipe the keychain, and also wipe after unlocking fails 3 times.



    1) Read their paper on what they accessed and why. This was just an example of what they could get.

    2) The iPhone now supports stronger lock passwords if you want.

    3) You can set it to wipe the entire phone after 10 failed attempts.



    You can't check for jailbreaking if you don't know what the next jailbreak method is going to be. There are also other security flaws that do not involve jailbreaking. The jailbreak was probably used because there are simple and quick-to-use tools already developed for it, but the Dev-Team's jailbreak(s) are by no means necessary to gain root access to an iPhone.
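As an added illustration (not code from this thread, from AppleInsider, or from Apple), here is a toy Python model of the design the last several replies argue over: items in an "always" class stay readable to anyone with filesystem access (Gustav's point in reply 50 about why the mail password has to live on the device), "when unlocked" items are sealed under a key derived from the passcode and unsealed again when the user removes the passcode (the scheme reply 59 describes), and a failed-attempt counter wipes the store after 10 tries (the setting reply 60 mentions). The class names, the PBKDF2 iteration count, the attempt limit and the HMAC-based toy cipher are all assumptions chosen so the script runs with the standard library alone; none of it is Apple's implementation.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 50_000          # assumption: a slow KDF so every passcode guess costs CPU time
MAX_FAILED_ATTEMPTS = 10         # mirrors the "wipe after 10 failed attempts" setting in the thread

# Two protection classes, loosely named after the accessibility constants mentioned above
ALWAYS = "always"                # stored in the clear: readable by anyone with filesystem access
WHEN_UNLOCKED = "when_unlocked"  # stored encrypted under a key derived from the passcode


class WipedError(Exception):
    """Raised when the failed-attempt limit is hit and the store erases itself."""


def derive_key(passcode: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: stretches a short passcode into a 32-byte key, slowly."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a toy keystream (stdlib only; a real system would use AES-GCM)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key fails here, before anything is decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passcode or tampered item")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Keychain:
    """Toy keychain: everything is plaintext until a passcode is set; then WHEN_UNLOCKED
    items are sealed under the passcode-derived key and unsealed again if it is removed."""

    def __init__(self):
        self.items = {}        # name -> {"class": ALWAYS | WHEN_UNLOCKED, "data": bytes}
        self.salt = None       # None means no passcode is set
        self.verifier = None   # sealed marker used to test a passcode on unlock
        self.failed = 0

    def add(self, name: str, secret: bytes, protection: str = WHEN_UNLOCKED, passcode: str = None):
        if protection == WHEN_UNLOCKED and self.salt is not None:
            if passcode is None:
                raise ValueError("passcode needed to add a protected item while one is set")
            secret = seal(derive_key(passcode, self.salt), secret)
        self.items[name] = {"class": protection, "data": secret}

    def set_passcode(self, passcode: str):
        if self.salt is not None:
            raise ValueError("passcode already set")
        self.salt = os.urandom(16)
        key = derive_key(passcode, self.salt)
        self.verifier = seal(key, b"passcode-ok")
        for item in self.items.values():
            if item["class"] == WHEN_UNLOCKED:
                item["data"] = seal(key, item["data"])

    def remove_passcode(self, passcode: str):
        """User turns the passcode off: protected items go back to plaintext."""
        plain = self.unlock(passcode)           # counts as an attempt, like any unlock
        for name, item in self.items.items():
            item["data"] = plain[name]
        self.salt = self.verifier = None

    def at_rest(self) -> dict:
        """What raw filesystem access (the post-jailbreak view) yields without the passcode."""
        return {name: item["data"] for name, item in self.items.items()}

    def unlock(self, passcode: str) -> dict:
        if self.salt is None:
            return self.at_rest()               # no passcode: nothing is encrypted
        key = derive_key(passcode, self.salt)
        try:
            unseal(key, self.verifier)
        except ValueError:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.items.clear()
                self.salt = self.verifier = None
                raise WipedError("too many failed attempts; keychain erased")
            raise
        self.failed = 0
        return {name: unseal(key, item["data"]) if item["class"] == WHEN_UNLOCKED else item["data"]
                for name, item in self.items.items()}
```

Two things the model makes visible that the thread only states: an ALWAYS item is exactly as exposed after a jailbreak as before it, whatever passcode is set, so the protection class chosen by each app matters as much as the passcode; and the wipe counter only bites when guesses go through `unlock` on the device, because anyone holding a copy of the sealed blobs can run `derive_key` offline as often as they like. With a four-digit code there are only 10,000 candidates, so the per-guess KDF cost and the length of the passcode are what raise the price of that offline search; the wipe limit addresses on-device guessing only.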