Developer Says iPhone 3GS Encryption Useless - HotHardware

One of the iPhone 3GS's new features is hardware encryption. This should make it more suitable for business, but as it's purportedly in hardware, it's unavailable to other iPhone models. It can also be cracked in two minutes, using nothing more than freeware, according to Jonathan Zdziarski, an iPhone developer and hacker.

Zdziarski said:
“It is kind of like storing all your secret messages right next to the secret decoder ring. I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”
To grab data, one simply has to jailbreak the iPhone 3GS, then install an SSH client to port the iPhone 3GS's disk image across to a computer. As the data begins transferring, according to Zdziarski, the 3GS decrypts it automatically.

Of course, perhaps it's just that corporations don't care as much as we might think.

During the fiscal Q3 earnings call, COO Tim Cook said, when asked about enterprise adoption of the iPhone:
[...] we are seeing growing interest with the release of the 3GS and iPhone OS 3.0, due in part to the new hardware encryption and the improved security policies.

The phone is particularly doing well with small business and with large organizations that allow people to purchase the phones for individual use, and this is both in corporate and government settings.

Specifically, to give you some numbers, almost 20% of the Fortune 100 have purchased at least 10,000 units or more and there’s now multiple corporations and government agencies who have purchased in excess of 25,000 each.
It should be clear by now, though, that the iPhone is so attractive to users that, even without encryption of any type until the 3GS model, it has still made serious inroads into the enterprise.

Let's face it, when your CEO comes in with an iPhone, you're not going to turn him down; you're going to enable ActiveSync for him. And as more corporations move to a personal liability model, where employees bring in their own mobile device to be enabled on the company network, it's harder and harder to turn it down.

As Zdziarski said, it's up to developers to "not trust Apple" in terms of security.
“If they’re relying on Apple’s security, then their application is going to be terribly insecure. Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”

Apple is and always will be living by security by obscurity till they become enough of a target for hackers to really mess with. That time is inching closer and it is way past time for Apple to address its horrid shortcomings.


Drago, remember this: Apple is the new cool thing. This guy, "Jonathan Zdziarski, an iPhone developer and hacker": why in the world did he say something about it before? Oh wait, maybe because he really does not care about developing better security. Oh wait, no one else cares...

My question has always been this: why, when there is a software release, do they really not care about closing the loopholes they are in?

And if they are such great developers, why do they leave those loopholes open?
