iPhone encryption "broken"
According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:
http://arstechnica.com/apple/news/20...hack-proof.ars
Comments
According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:
http://arstechnica.com/apple/news/20...hack-proof.ars
Seems like to fix these issues they'll have to kill jailbreaking. Which is okay by me but I can hear the screaming already.
The language can be adapted to mobile devices...
If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.
And Law #7
Law #7: Encrypted data is only as secure as the decryption key
Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience – you don't have to handle the key – but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the computer it can be found. It has to be – after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations.
BlackBerrys aren't much safer either
Seems like to fix these issues they'll have to kill jailbreaking. Which is okay by me but I can hear the screaming already.
In the video, the guy used a custom RAM disk loaded remotely onto the phone to reset the password, but said common jailbreak software could achieve the same goal. I don't think Apple can remove this feature without breaking the ability to restore your phone after a bad update.
What I don't get is that clearly this is important for Apple to get right if they are to be taken seriously in certain enterprise applications - even their own. Imagine if someone found and hacked Steve's iPhone and found details of a 4th generation one. It's a life and death situation. So why don't they get security developers who know how to do this properly, like the guy in the video himself?
Fortunately, encryption can be changed at the software level, so an update could protect users' data properly, but Apple are just getting lazy with this kind of thing in all their products.
Law #3 in the Immutable Laws of Security
...
What are the other laws?
In the video, the guy used a custom RAM disk loaded remotely onto the phone to reset the password, but said common jailbreak software could achieve the same goal. I don't think Apple can remove this feature without breaking the ability to restore your phone after a bad update.
Mmmm...maybe if they forced a zeroed wipe after a bad update before restoring? Any tampering forces a wipe with the expectation that the backup is both up to date (heh) and secure.
What I don't get is that clearly this is important for Apple to get right if they are to be taken seriously in certain enterprise applications - even their own. Imagine if someone found and hacked Steve's iPhone and found details of a 4th generation one. It's a life and death situation. So why don't they get security developers who know how to do this properly, like the guy in the video himself?
Fortunately, encryption can be changed at the software level, so an update could protect users' data properly, but Apple are just getting lazy with this kind of thing in all their products.
Well, step 1 is the physical security of the device. Finding Steve's phone is hopefully a non-trivial exercise.
I wonder how secure LockBox is on the iPhone.
e.g.,
http://www.smh.com.au/digital-life/m...0727-dyfv.html
According to data forensics expert Jonathan Zdziarski, the new encryption features on the iPhone are largely ineffective:
http://arstechnica.com/apple/news/20...hack-proof.ars
This will render jailbroken iPhones virtually handicapped. Apple should patch this flaw ASAP and get this done in a software update soon.