WARNING: iPhone 3GS Encryption Places Enterprise Data At Risk
by Bill French on 29/07/09 at 9:57 pm
Bill French is an information architect specializing in Internet applications. He is also the co-founder of MyST Technology Partners and Senior Editor for iPhoneCTO.
It’s good to be skeptical of just about everything these days. While we’re sold on the iPhone’s ability to reshape mobile computing in the enterprise, we’re also skeptics, especially when it comes to security. If something doesn’t work as advertised, we say so.
iPhone 3GS encryption is weak and extremely vulnerable.
There, I said it. Every encryption scheme can be attacked in some way, but most are not defeated as cheaply as the iPhone’s apparently is.
Jonathan Zdziarski, in a Wired Magazine interview, demonstrates how the iPhone 3GS (the first iPhone with built-in encryption) can be attacked and cracked with simple tools, all but erasing the enterprise-security progress Apple celebrated with the “enterprise friendly” iPhone 3GS launch.
In the hands of someone familiar with the free and popular jailbreaking tools, the iPhone is defenseless. In this PIN-defeating exercise, the attacker only needs to put the iPhone into restore mode and boot it with a custom kernel. That opens SSH access to the device, and from there the phone’s raw disk image can be copied off. Because the 3GS encryption is transparent to whatever code is running on the device, the image comes off already decrypted: the passcode is never attacked and no key has to be recovered. Before you know it, Bob’s your uncle, or a guy named “Bob” has your corporate login.
Of course, there’s the remote wipe (the “kill switch”), but that assumes the device is still on the network to receive the command, in other words that you get to the phone before the attacker does. This is just one small part of a never-ending arms race. I recommend that businesses insist on security-centric applications that raise the bar and reduce the likelihood of a breach. Many security-minded application developers are aware of these problems and have taken direct steps to avoid risky designs, for instance by using secure data fields that keep typed input out of reach of keystroke logging.
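One way an application can raise the bar in the sense recommended above is to encrypt its own records under a key derived from a passphrase the user types, rather than trusting the device’s transparent encryption: a raw disk image, even one the phone has decrypted on the attacker’s behalf, then yields only ciphertext, and the key is nowhere on the flash to be copied. The Go program below is an added example written for this page; it is not code from Apple, from the article’s author, or from any product mentioned in the comments. The constant names, the PBKDF2 work factor, the on-disk layout and the sample record are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed parameters for this example (not taken from the article).
const (
	saltLen    = 16     // random per-record salt, stored beside the ciphertext
	pbkdf2Iter = 100000 // work factor against offline guessing of the passphrase
	keyLen     = 32     // AES-256
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out on the
// standard library so the example runs without external modules.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, pass)
	hLen := prf.Size()
	out := make([]byte, 0, ((dkLen+hLen-1)/hLen)*hLen)
	var ctr [4]byte
	for i := 1; len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_{j+1} = PRF(P, U_j)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// keyFor derives the record key from the passphrase and salt and wraps it
// in AES-GCM, so a wrong passphrase fails authentication instead of
// producing garbage.
func keyFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under the user's passphrase. Blob layout written
// to disk: salt || nonce || ciphertext || GCM tag. The key itself is never
// stored, so code that can read the filesystem still needs the passphrase.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := keyFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, salt...), nonce...)
	// The salt doubles as associated data, binding the ciphertext to its header.
	return gcm.Seal(blob, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong passphrase, a truncated blob or a modified
// byte fails the GCM tag check and returns an error.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := keyFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	rest := blob[saltLen:]
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample record for the demonstration; not real credentials.
	record := []byte("corp-login: bob / Summer2009!")
	blob, err := Seal("correct horse battery", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %x\n", blob) // all a raw disk image would yield
	if _, err := Open("wrong passphrase", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	pt, err := Open("correct horse battery", blob)
	fmt.Println("with passphrase:", string(pt), err)
}
```

The point of the design is what is absent from the blob: no key, no hint, nothing the device could use to decrypt on an attacker’s behalf. The passphrase must be typed (or come from a source outside the device) every time the record is opened; caching it in a file, the keychain of that era, or the keyboard cache would put the key back on the same flash the attacker is imaging.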
Prediction: Encryption Weaknesses Will Not Slow The Business Adoption Rate of iPhone 3GS
While there’s no debate that iPhone encryption is fluff at best, businesses are demonstrating that business itself trumps security fear. This is not surprising: the iPhone is seductive, and it represents the single biggest opportunity for mobile operational efficiency since perhaps the invention of the ball-point pen and the briefcase.


Frank Castle
Jul 30th, 2009
Funny, I guess iPhone CTO needs to get educated on the encryption regulation set to take effect 1/1/2010 that MA is enforcing, which applies to any company that deals with consumer data. Encryption matters, and security / enforcement is not something that can be an afterthought. You accept that risk – then accept the $5,000 per record fine when an iPhone is stolen / lost and you have to report what exposure said incident caused.
It seems no one on iPhone CTO has ever dealt with HIPAA, FINRA, or SEC regulatory reporting.
This is a major failure on Apple's part and further shows how disconnected they are with what is required for enterprise mobility.
Trust Digital Dan – I’d love feedback on whether your product does anything to prevent this glaring weakness.
billfrench
Jul 30th, 2009
Frank:
Excellent comments – I agree with you. My objective in this article was to call attention to one of many security issues that exist with iPhone.
“Funny, I guess iPhone CTO needs to get educated on the encryption regulation set to take effect 1/1/2010 that MA is enforcing, which applies to any company that deals with consumer data.”
We're always looking for help, especially in topics of regional compliance. Feel free to continue to call out issues that impact your world. I can be reached at bfrench@iphonecto.com.
“Encryption matters, and security / enforcement is not something that can be an afterthought.”
Yes, this is a success factor these days for all Internet products and services.
“It seems no one on iPhone CTO has ever dealt with HIPAA, FINRA, or SEC regulatory reporting.”
I can't speak for all authors, but it's pretty difficult for us to stay on top of multiple industry regulatory agencies. I have a background in accounting and finance so I'm pretty comfortable with FINRA and SEC issues. But the purpose of this article is to report the news as we understand it. Perhaps we can dive into deeper aspects of your comments in a future article.
dandearing
Jul 31st, 2009
Issues with security enforcement on the iPhone are squarely things only Apple can solve. That being said, Trust Digital EMM does give IT the tools they need to monitor user compliance (i.e. they are using smartphones approved by IT and according to corporate policy) and track smartphone assets. That provides IT with an accurate picture of their smartphone population so that they can “plan and not panic” when these types of issues surface.
Many in IT might say, just avoid the issue and use Blackberry. I don’t believe that’s a viable strategy given user pull for non-Blackberry devices such as the iPhone and the Palm Pre. I believe that most will view this as a point-in-time problem. So, I agree with Bill’s prediction that usability will trump fear. That helped Blackberry overcome IT frustrations about availability back in 2007. You can imagine Microsoft’s Schadenfreude over the Blackberry NOC outages that at one point left 5M users without service for 12 hours. Microsoft had a PR heyday, but in the end Blackberry solved these point-in-time problems.
deusextechnica
Aug 3rd, 2009
Apple addressed this issue on July 31st with iPhone OS 3.0.1, available free to all owners of iPhone, iPhone 3G, and iPhone 3GS.
mack123
Aug 13th, 2009
Help me choose one please…
http://www.puremobile.com/Nokia/Nokia-N97-3G-NA...
or
http://www.puremobile.com/Apple/Apple-iPhone-3G...
thank you.
hard disk recovery
Jun 13th, 2010
The iPhone 3G is still new for users, so users are not familiar with this phone.