iPhone security “broken” – business users take note
by Devin Coldewey on July 23, 2009

An Apple expert and hacker, Jonathan Zdziarski, has shown that the iPhone, in every generation it has gone through so far, is child's play to compromise. This comes despite Apple's assurances about the 3GS's hardware encryption feature. Bad news for businesspeople of the 21st century, who have glommed onto the iPhone and its service halo like no other device. The wonder-phone has certainly changed the way smartphones and other devices are made, but this isn't the first time Apple's security measures have been described as seriously lacking.

It seems that with a little creative coding, or access to an insecure computer, the iPhone can be cracked wide open. The encryption doesn't really even enter into the equation: the phone decrypts its own storage transparently for whatever is running on it, so you can just have the phone read off the information you want. There hasn't been much of a reason to hack iPhones yet — you might get a few Facebook passwords, or some contact info — but now that the phone is gaining traction in the business world, there may actually be something worth stealing on them. And it's not very hard to do. I like this quote: "I don't think any of us have ever seen encryption implemented so poorly before."

The vulnerability lies… well, I can't tell you exactly. "A little bit of free software" is what Zdziarski used in a demonstration for Wired, and I assume it isn't being described in detail for the same reason you don't print the recipe for napalm in the Sunday paper. Regardless, it's a quick and easy process (jailbreaking the phone and putting SSH on it so you can log in) once you know how to do it, with specific data available in just a few minutes and a full disk image in under an hour. If a large business has deployed thousands of iPhones as its official device (which is certainly happening), you can bet there are trade secrets and company files on there somewhere.

Whether the risk is worth the convenience of an all-iPhone business network is up to you. But if I had my PowerPoints and investors' balance sheets on a device proven to have a, shall we say, porous perimeter, I'd reassess — not that I'd ever keep my critical information on any current phone, with the possible exception of the President's. Personally, I'll stick with Sneakernet 1.0 for my highly secure data mobilization needs.

Apple's unprecedented success with the iPhone has increased both its liability and its attack surface. Zdziarski isn't a black hat, so I'm sure he's talked with Apple about this, but the fact that he's going public with a serious security issue just days after the earnings call that launched a thousand posts suggests that Apple isn't taking it seriously enough.

A little update: Fellow hacker Sean Morrissey suggests:

I would use geohot's purplera1n to get access to the phone, which doesn't replace the OS. Then image the phone.

That means a jailbreak that replaces the OS isn't necessary, though I don't know the specifics. He also mentions he's working on a sort of zero-impact solution for investigators — so the G-men will have a kill switch of their own. Thanks, Sean.
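For readers who want to see the shape of the acquisition step the post and Sean's update describe, here is an added example; it is not code from the post, from Zdziarski's demonstration or from Morrissey's tool. It assumes a phone that is already running an SSH daemon (whatever got it there), reachable as user@host over Wi-Fi, with `dd` available on it, and it assumes the user-data partition lives at the path in `DEV_PART` (a guess for a 2009-era iPhone; confirm with `mount` on the device). A plain local file can be passed instead of `ssh://...` to dry-run the same pipeline offline. Nothing is written on the device: the phone only reads its own partition and the image, plus a digest for later integrity checks, lands on the examiner's machine.

```shell
# Added example, not from the original post. Assumed: the device runs an SSH
# daemon, has dd, and keeps user data on DEV_PART (a guess; check with mount).
DEV_PART="${DEV_PART:-/dev/rdisk0s2}"

# hash_file FILE: print a digest using whichever tool the examiner's host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1       # POSIX fallback, weaker than SHA-256
    fi
}

# remote_read_cmd PARTITION: the command run on the phone. It only reads the
# block device and writes to stdout, so the image is assembled on this side of
# the SSH session. Because the phone's own kernel decrypts storage on the fly,
# what comes down the pipe is plaintext regardless of the 3GS's encryption.
remote_read_cmd() {
    printf 'dd if=%s bs=1048576 2>/dev/null' "$1"
}

# acquire SRC OUT: SRC is ssh://user@host (live device) or a local file path
# (offline dry run). Writes OUT and OUT.sha256, and prints the digest of OUT.
acquire() {
    src="$1"; out="$2"
    case "$src" in
        ssh://*)
            ssh "${src#ssh://}" "$(remote_read_cmd "$DEV_PART")" > "$out"
            ;;
        *)
            dd if="$src" of="$out" bs=4096 2>/dev/null
            ;;
    esac
    digest=$(hash_file "$out")
    printf '%s  %s\n' "$digest" "$out" > "$out.sha256"
    printf '%s\n' "$digest"
}

# verify IMG: recompute the digest and compare it with the sidecar written by
# acquire; returns non-zero if the image has changed since acquisition.
verify() {
    [ "$(hash_file "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]
}
```

Usage against a real device would be `acquire ssh://root@192.0.2.10 phone.dmg` (address assumed) followed by `verify phone.dmg` before any analysis; the dry-run form, `acquire some_file.bin out.dmg`, exercises the same hashing and sidecar logic with no device at all. The part that matters for the post's argument is that nothing here attacks the encryption: the read goes through the phone's kernel, which hands back decrypted blocks to anyone who can run a command on it.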

Comments

  • most iphone users don’t care. they just want farts.

    btw, how do you know adoption of the iphone in business is growing?

    • True ignorance. If you knew anything about the iPhone you'd realize that from a sysadmin's point of view, it's a dream come true. Thousands of real-world apps, not just 'fart apps', for managing MS-SQL, MySQL, Remote Desktop to SSH, Linux, XP, Vista, with pinch and squeeze, multitouch gestures (i.e. two-finger tap to right-click), three to switch tasks - you don't get that on WinMo phones! It's pretty pathetic when even the native platform (Windows) is managed faster and better from a non-native application.

      • That's even scarier. No security, yet you pop admin apps on the iPhone so anyone can manage your work environment. Where do you work again?

        • That's funny. People say the same thing about Windows, yet it's the most used OS. So I guess you're using FreeBSD for its security track record?

          There have been bugs and hacks for every OS released. That’s what updates are for!

        • Mostly on the beach, cafe, park, home, plane, train, car. It's called a VPN and I can work from anywhere. Great thing, this 'Internet'. How's that cubicle?

      • why use WinMo or the iPhone for SysAdmin?

        Blackberry and Rove’s Mobile Admin: Secure, Authenticated, Fast, manages an ENTIRE enterprise infrastructure…

        Granted they have a web interface to play with on the iPhone and any WinMo… but sounds like more homework should be done.

    • “how do you know adoption of the iphone in business is growing?”

      Same question.

      • I do not doubt there is a good chance it is increasing in business. It certainly has taken off in academia, at least from what I seen.

        But I would be interested in any studies or reports about the uptake of the iPhone and its use in various sectors. If anyone knows of any publicly available data I would be interested in it.

      • I’d consider it something like common knowledge that it’s “growing,” no citation necessary – but by any significant amount compared to RIM or WinMo is a different story. I make no claims there, only say what is stated elsewhere, that some businesses are deploying them in the thousands (certainly not the case two years ago).

          • I spoke with our global AT&T rep, and AT&T is counting personal-liable iPhone sales they make to corporate employees as BUSINESS growth.

            There is no tracking or stats released on actual enterprise sales, or on how many personal-liable devices are even allowed to connect to said corporations' Exchange servers.

    • Good to know that there is no virus.

  • All your data are belong to us!

  • Good. People should check Apple's claim that they are rock solid, no virus, 100% proof.

  • go go bloomberg application!

  • “Bad news for businesspeople of the 21st century, who have glommed onto the iPhone and its service halo like no other device.”

    Umm.. is this an article about blackberry in disguise? Or am I completely wrong in reading that this is making a case for the iPhone as THE device for businesspeople?

  • From what I understand of what you said, this requires physical access to the phone, e.g. hacking into a stolen phone via USB or Wi-fi on a local network. Wouldn’t that be foiled by the remote wipe functionality?

  • Once again, we're reminded that physical security of a device is at least of equal importance to its network security. As far as we know, the poor encryption only becomes an issue when your device falls into the wrong hands.

    Not downplaying the poor encryption, but if you’ve got top-secret business info on a device, then make damn certain you don’t lose it.

    I love how a CEO will get fuming mad at a poor IT manager when their networks are under attack, but the same PHB will be the first to leave his laptop, with confidential information on it, in the first class lounge at the airport.

  • Gasoline and Styrofoam are what I always used as a kid.

  • You're going to have a big fistfight with MG Siegler over this…

  • If Apple has a kill switch to kill apps, couldn't that same hole be used to compromise the phone itself?

  • North of the border the offices at RIM broke out into laughter.

    There is no growing enterprise for iPhone – we have no desire to support it and stuff like this puts more nails into the coffin.

    Fantastic consumer device – yes
    Enterprise ready – not even close

    And FYI, ActiveSync policy can be removed / disabled in less than 10 mins on an iPhone, so yes, Remote Kill via Exchange will not protect your data.

    • Yeah, RIM’s been doing this stuff for years. I’d be afraid in the consumer sector but in businesses where real security and functionality is demanded…. not really.

    • iPhones are more secure and enterprise-ready than BBs. That's why you're starting to see small to midsized companies switching over to iPhones.

      Large companies are still using IE6 and BBs – exactly.

      • “iPhones are more secure and enterprise ready than BBs”

        You can’t be serious.

        • As serious as these delusional comments:

          “There is no growing enterprise for iPhone…”

          “Enterprise ready – not even close…”

          and my favorite
          “…more nails into the coffin…”

        • This security breach needs access to the physical device. This kind of “data recovery” is certainly also available on any BB and WinMo device.

          I agree this is a very important part of device security, but you just took a headline and wrote some words around it and missed the full context.

  • There is an app for this.

    Itake.

  • I was deleting the spam and accidentally deleted a real comment, sorry to whoever.

  • Yeah right, you can hack the iPhone if you have it, but remotely? I don't think so.

  • Security is an illusion. Twitter had uber-secure multi-million dollar servers from multiple services protecting their trade secrets, corporate/personal contact information, financial projections, etc. - and it was hacked by a 23-year-old kid from France.

    All smartphones are hackable… all gadgets are hackable. Sure, they have varying degrees of hackability, but I'll be crapping as many bricks over a lost BB as I would over a lost iPhone with sensitive information on it.

    This is a classic scare tactic from an iPhone competitor.

    • It’s not a scare tactic if it’s a serious problem. The difference between “hackable” and “hackable with widely available tools and encryption is a non-issue” is a meaningful one.

      • To prove my point, take your article and replace "iPhone" with "BlackBerry", and "Apple" with "RIM", and it'll strike an equally objective tone.

        Believing one is more secure than another when lost would not only be illogical but also foolish.

    • Umm, Twitter's uber-secure servers were protected by using 'password' on the master account.

      Somehow I don't think they understand the meaning of security.

      Those who understand mobile security know this is bad news for Apple, and those who don't are likely consumers who couldn't care less until they lose their iPhone.

      Enterprises have regulatory obligations to meet and in some states risk a $5,000 fine PER lost customer record, so yeah, the thought of an iPhone being used for corporate data just went out the window if this proves out and Apple does not respond with a means to correct it (which they won't, as they don't care about enterprise support).

      Their whole enterprise model is:

      Get consumers to buy it and bring devices into work to force IT to support it.

      • Hmm. If it's software-fixable, Apple will more than likely respond. Unlike some other software un-operating systems that I can think of, you are paying dearly at an Apple premium price for software - not hardware. Looking at their desktop PC line this holds true. You get last year's hardware with this year's drivers that actually work. Next year, you get optimized ones. This can't be said for other major OS makers where it's *not* about the software, but instead what works well enough on the latest gear (never mind its bloatware). It just has to be 'good enough' (but never great) to get the consumer dollar, combined with a fix-it-later approach. If this does pan out to be a flaw or threat to iPhone consumers, you can bet they'll address it.

  • Can’t you make napalm by dissolving styrofoam in gasoline?

  • This supposes that other devices and communications are also secure? WTF? I saw it on a couple of other posts, but it's not a device problem; we're not a secure society. We are not wired to be a secure society. We leave computers open, hand over credit cards for a cup of joe, and our email, which probably contains a healthy percentage of any single person's sensitive data, isn't secure either. We're going to Google Docs, etc. We're not secure. Don't pretend that we live in a secure society.

  • re the “I don’t think any of us have ever seen encryption implemented so poorly before.”

    Ah, so he never worked with WAP phones back in the day then. I once got sent by BT to a WAP seminar and was staggered at the ineptitude.

    I skipped the expensive lunch and went to the pub next door in case I accidentally said anything to upset Cellnet.

    My Summary report was WAP is CRAP

  • If a piece of software (Windows), a site (Twitter) or a device (iPhone) is more popular, it always faces some serious security issues.

  • Thanks for sharing. It’s nice to see that Apple is in some cases no better than Microsoft.

    They are so smug and holier than thou. However, this makes me wonder about a lot of Apple’s products anymore. Are people under a false sense of security anymore with anything they write?

  • There will always be security issues nice to identify and equally nice to resolve the problems :-)

  • *Stop spreading lies, this is all in your head, return to what you were previously doing before reading this, apple products are perfectly safe*

  • What are the metrics you used to determine relative security “broken”-ness?

  • Who cares? I'm an American, I'm in debt up to my eyeballs. The only thing they can steal from me is bills.

  • go home, dad. you’re drunk.
