iPhone 3Gs Encryption Cracked In Two Minutes

Soulskill posted more than 4 years ago | from the see-it-really-is-fast dept.

Security 179

An anonymous reader writes "In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone — including deleted data — is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike to access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"

179 comments

Oh, and one more thing... (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#28814293)

you're fucked!

Apple blows. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#28814301)

Hahahahahahahaha.

Apple sucks!

Re:Apple blows. (4, Insightful)

SomeJoel (1061138) | more than 4 years ago | (#28814345)

I am confused. Does it suck, or does it blow? These are opposites, are they not?

Re:Apple blows. (3, Funny)

Anonymous Coward | more than 4 years ago | (#28814481)

Well, when one has diarrhea, one 'blows' chunks out of their ass. This 'sucks' when it happens. So I guess we can say Apple is 'shit'.

Re:Apple blows. (1)

commodore64_love (1445365) | more than 4 years ago | (#28814657)

The best technique involves both sucking and blowing, in an alternating fashion.

Microsoft could probably patent it since they've been doing both since Windows 1986 (quite literally the worst OS of that year).

Re:Apple blows. (2, Insightful)

ioshhdflwuegfh (1067182) | more than 4 years ago | (#28814725)

I am confused. Does it suck, or does it blow? These are opposites, are they not?

The verb that solves this logical conundrum is: fellate.

On The Bright Side... (3, Funny)

NeverVotedBush (1041088) | more than 4 years ago | (#28814325)

No government will have to strong-arm Apple to give it a back door into the iPhone operating system. ;-)

I know security can be a minefield but for Apple to leave a hole this big is pretty inexcusable.

Re:On The Bright Side... (1, Insightful)

MooseMuffin (799896) | more than 4 years ago | (#28814359)

Let's not leave out the crappy job that the military and these enterprises did with their security audits.

Re:On The Bright Side... (4, Informative)

wealthychef (584778) | more than 4 years ago | (#28814963)

Laugh, but this actually is the new feature as designed. This encryption was added to make it possible to remotely wipe an iPhone in seconds. (Delete the encryption key that is on the phone, no more reading the data off of it.) Apparently the intent was not to protect the data on the phone from a real attacker, I don't think anyone at Apple that worked on this would expect that to be the case with the encryption key on the device. (stolen from an AC because it's interesting)

On the editor side (0)

goombah99 (560566) | more than 4 years ago | (#28814645)

The story blurb was an interesting one aside from the gratuitous flamebait question at the end. Don't the editors do any editing at all? If not, we need a new name for the slashdot editors. They seem to have the same no-added value functionality of the men's room attendants who are there to hand you a towel as though you could not get one yourself.

Re:On the editor side (1)

ColdWetDog (752185) | more than 4 years ago | (#28814887)

Not that I disagree with you, but you must go to different rest rooms than I do.

I'm lucky to get a paper towel dispenser these days.

Re:On the editor side (4, Funny)

Architect_sasyr (938685) | more than 4 years ago | (#28815269)

They seem to have the same no-added value functionality of the men's room attendants who are there to hand you a towel as though you could not get one yourself.

I disagree - the men's room attendant acts like moderators around here do, they keep people from pissing all over the walls.

The editors, on the other hand, seem to encourage that sort of behaviour!

No worry here (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#28814327)

Steve Jobs cast no shadows, and his followers commit no crimes. There is nothing to worry about here.

I put privacy glass . . . (0)

Anonymous Coward | more than 4 years ago | (#28814329)

I put privacy glass on the bottom half of the shower door so I don't have to look at the people watching me, which seems to be the same kind of privacy I can expect on my iPhone 3G.

Re:I put privacy glass . . . (5, Funny)

frosty_tsm (933163) | more than 4 years ago | (#28814385)

I put privacy glass on the top half of the shower door so I don't have to look at the people watching me, which seems to be the same kind of privacy I can expect on my iPhone 3G.

Fixed it for you.

Re:I put privacy glass . . . (1)

solanum (80810) | more than 4 years ago | (#28815155)

What are you talking about, don't you shower standing on your head like the rest of us?

Re:I put privacy glass . . . (1)

HTH NE1 (675604) | more than 4 years ago | (#28814697)

"Which half of her swimsuit did she wear?"
"The left half."

I think that was from Bewitched, regarding Samantha's twin sister's visit to a public beach.

But... (5, Funny)

thePsychologist (1062886) | more than 4 years ago | (#28814335)

This is a feature. Cracking is yet another thing about the iPhone that Just Works. I believe Steve Jobs would be proud.

Re:But... (4, Funny)

mdwh2 (535323) | more than 4 years ago | (#28814457)

Indeed, it doesn't matter that other phones have been cracked - Apple were the first ones to make it work Out Of The Box.

It's all about the implementation. With the iPhone 3gS, your credit card details are integrated perfectly with crackers, thieves, and Steve Jobs.

Re:But... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28814465)

Laugh, but this actually is the new feature as designed.

This encryption was added to make it possible to remotely wipe an iPhone in seconds. (Delete the encryption key that is on the phone, no more reading the data off of it.)

Clearly the intent was not to protect the data on the phone from a real attacker, I don't think anyone at Apple that worked on this would expect that to be the case with the encryption key on the device.

Re:But... (1)

FooAtWFU (699187) | more than 4 years ago | (#28815389)

So you're saying that he's not attacking the encryption, he's attacking how it's used? Sounds like... pretty bog-standard procedure, really. :)

I cracked my iPhone way faster... (3, Funny)

tbischel (862773) | more than 4 years ago | (#28814635)

This is a feature. Cracking is yet another thing about the iPhone that Just Works. I believe Steve Jobs would be proud.

I cracked my iPhone the first time I dropped it, 30 seconds flat. But if you read the fine print, it turns out Apple's warranty doesn't cover the screen.

Re:I cracked my iPhone way faster... (1)

Steffan (126616) | more than 4 years ago | (#28815559)

I cracked my iPhone the first time I dropped it, 30 seconds flat. But if you read the fine print, it turns out Apple's warranty doesn't cover the screen.

On the off chance that you're not trolling, why would you think the warranty would cover accidental damage? If I run my car into a tree during the first 5/50, they're not going to give me a new car because the car was defective.

I think Apple would happily replace the screen if something happened that was a manufacturing defect. If you can convince someone that dropping your phone is the latter, then you have far better debating skills than I.

So what.... (1)

TechnoChatter69420 (1605189) | more than 4 years ago | (#28814369)

The king is dead, all hail the king. Stevey thinks we don't know any better, but I think we've already seen the card that he keeps up his sleeve.....

The same F500 and military that use Windows? (5, Informative)

gig (78408) | more than 4 years ago | (#28814387)

Until the Fortune 500 and the military stop using Microsoft products, I won't lose a blink of sleep over them using Apple products. This guy had to have physical access to the iPhone to crack it, and even then the iPhone did not start sending its data out over the Internet along with a virus payload that formed a massive botnet that crippled Internet bandwidth.

My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data. It's to make Remote Wipe instant instead of taking 1 hour per gigabyte because the Remote Wipe only has to destroy the decryption keys, not every bit of data on the disk. When you Remote Wipe an iPhone 3G it takes 1 hour per gigabyte to destroy the data. With a 3GS, it takes a few seconds.

In this case, the hacker not only had the iPhone in his physical possession, but it was not Remote Wiped, so he also had the keys in his possession. How is it at all surprising that he was able to get in?

Re:The same F500 and military that use Windows? (5, Insightful)

nxtw (866177) | more than 4 years ago | (#28814429)

In this case, the hacker not only had the iPhone in his physical possession, but it was not Remote Wiped, so he also had the keys in his possession. How is it at all surprising that he was able to get in?

Because if that same hacker had a Blackberry in his possession with encryption enabled, he would not be able to get in.

FIPS (0)

Anonymous Coward | more than 4 years ago | (#28814797)

In this case, the hacker not only had the iPhone in his physical possession, but it was not Remote Wiped, so he also had the keys in his possession. How is it at all surprising that he was able to get in?

Because if that same hacker had a Blackberry in his possession with encryption enabled, he would not be able to get in.

RIM has taken the trouble to get FIPS certification for various parts of the Blackberry infrastructure (devices, server software, etc.):

http://na.blackberry.com/eng/ataglance/security/certifications.jsp

While it won't handle Secret (or even Confidential), it shows some initiative and effort to protect sensitive information. It should be suitable for most business data (unless government-sponsored corporate espionage is occurring).

Re:The same F500 and military that use Windows? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28815055)

Is that actually true? I'd like to see some evidence.

Why can't the hacker get in? (0, Offtopic)

YesIAmAScript (886271) | more than 4 years ago | (#28815249)

Did you ask yourself that? If that Blackberry is just sitting there, even asking for a passcode, is it still receiving and storing data? It is, it can receive SMSes for example. It knows how to decrypt everything on itself with the information it has. The only difference between it and an iPhone in this case is the hacker doesn't know how to get the data off, not that it is impossible to do so.

Maybe a Blackberry has a hardened mode, where it goes inert when you lock it, where it won't receive data because it has forgotten the key to its own storage.

Either way, if you only have to enter a 4-digit number to get in, then even if the device slows down accepting PINs after a while, if you could pry it open and get the data off, all you need to do is try 10,000 combinations and you'll find one that decrypts the internal key needed to view the data on it.

Re:Why can't the hacker get in? (4, Informative)

nxtw (866177) | more than 4 years ago | (#28815305)

If that Blackberry is just sitting there, even asking for a passcode, is it still receiving and storing data?

Yes. But the BlackBerry doesn't store the encryption key in-the-clear like the iPhone 3G S does, and you can't run arbitrary code on a BlackBerry just by plugging it in to a PC.

Maybe a Blackberry has a hardened mode, where it goes inert when you lock it, where it won't receive data because it has forgotten the key to its own storage.

In fact, it does. BlackBerries even have an option to not encrypt the address book so you can have names appear on caller ID while the device is locked.

Either way, if you only have to enter a 4-digit number to get in, then even if the device slows down accepting PINs after a while

No; the BlackBerry (or even the iPhone!) would be configured to wipe the device after a few invalid password attempts. My (corporate managed) BlackBerry wipes the device after 10 invalid password attempts, and my password is longer than 4 characters (and includes non-digits.)
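
Added example, not part of any comment in this thread: a Python sketch of the two designs argued about above, a volume key stored in the clear (key-destruction wipe only, as gig describes) versus a key wrapped under the passcode with a wipe after 10 bad attempts (as nxtw describes). The `Device` class, the toy SHA-256 stream cipher standing in for AES, the `VOL1` marker and the PBKDF2 work factor are assumptions of this sketch, not Apple's or RIM's implementation.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor for this sketch
MAX_ATTEMPTS = 10       # wipe-after-N-failures policy described in the thread
MAGIC = b"VOL1"         # constructed marker so a wrong key is detectable


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stand-in for real AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _kek(passcode: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the passcode."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)


def _open_volume(volume_key: bytes, disk: bytes):
    """Decrypt the disk; return None if the key is wrong."""
    plain = _xor_stream(volume_key, disk)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


class Device:
    """Hypothetical handset: encrypted disk plus one persistent key slot."""

    def __init__(self, passcode: str, data: bytes, wrap_key: bool):
        volume_key = os.urandom(32)
        self.disk = _xor_stream(volume_key, MAGIC + data)
        self.salt = os.urandom(16)
        self.wrap_key = wrap_key
        self.failed = 0
        kek = _kek(passcode, self.salt)
        if wrap_key:
            # Design B: only the wrapped key is stored; the passcode is needed.
            self.key_slot = _xor_stream(kek, volume_key)
            self.verifier = None
        else:
            # Design A: key stored in the clear; the passcode is only a UI lock.
            self.key_slot = volume_key
            self.verifier = kek

    def remote_wipe(self) -> None:
        """Crypto-erase: destroy the key, leave the ciphertext in place."""
        self.key_slot = None

    def unlock(self, passcode: str):
        if self.key_slot is None:
            return None  # wiped: nothing on the device can open the disk
        kek = _kek(passcode, self.salt)
        if self.wrap_key:
            plain = _open_volume(_xor_stream(kek, self.key_slot), self.disk)
        elif hmac.compare_digest(kek, self.verifier):
            plain = _open_volume(self.key_slot, self.disk)
        else:
            plain = None
        if plain is None:
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.remote_wipe()
            return None
        self.failed = 0
        return plain


def readable_without_passcode(dev: Device):
    """What the persistent storage alone yields, with no passcode entered."""
    if dev.key_slot is None:
        return None
    return _open_volume(dev.key_slot[:32], dev.disk)


def passcode_space(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def odds_before_wipe(alphabet_size: int, length: int) -> float:
    """Chance that MAX_ATTEMPTS distinct lock-screen guesses hit a random passcode."""
    return MAX_ATTEMPTS / passcode_space(alphabet_size, length)


if __name__ == "__main__":
    mail = b"constructed sample mailbox"
    for wrap in (False, True):
        dev = Device("1234", mail, wrap_key=wrap)
        print("wrapped" if wrap else "clear", readable_without_passcode(dev))
        dev.remote_wipe()
        print("  after wipe:", readable_without_passcode(dev), dev.unlock("1234"))
    print(passcode_space(10, 4), odds_before_wipe(10, 4))
```

In design A the stored key opens the disk with no passcode until the key is destroyed; in design B the passcode's length and alphabet set the search space, which is the distinction the replies here draw between a 4-digit PIN and a full password.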

Re:Why can't the hacker get in? (2, Informative)

afidel (530433) | more than 4 years ago | (#28815323)

The Blackberry allows real passwords not 4 digit pins and it has policies to wipe the device after so many bad password attempts. Since the data is all in the corporate email system and can easily be re-uploaded to a new device there's no downside to this, this is very different from the consumer oriented iphone.

Re:The same F500 and military that use Windows? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28814451)

ok...so you are telling me that it is trivial and you CAN do this with a BlackBerry too?...

Re:The same F500 and military that use Windows? (0)

Anonymous Coward | more than 4 years ago | (#28814593)

"Until the Fortune 500 and the military stop using Microsoft products, I won't lose a blink of sleep over them using Apple products. This guy had to have physical access to the iPhone to crack it, and even then the iPhone did not start sending its data out over the Internet along with a virus payload that formed a massive botnet that crippled Internet bandwidth."

haha. All of you anti-Apple weenies can eat it. Because Gates is gone and Ballmer is running a low profile, your next target naturally has to be Jobs.

Re:The same F500 and military that use Windows? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#28814689)

My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data. It's to make Remote Wipe instant instead of taking 1 hour per gigabyte because the Remote Wipe only has to destroy the decryption keys, not every bit of data on the disk. When you Remote Wipe an iPhone 3G it takes 1 hour per gigabyte to destroy the data. With a 3GS, it takes a few seconds.

Isn't the point of remote wipe to prevent unauthorized access to the data on the physical device? So, it doesn't matter how long it takes to do the remote wipe if the keys can be broken in 2 minutes since that leaves only a small window of time to do the wipe. Especially if the attacker can copy the entire contents of the iPhone to a remote storage device and do it offline.

Disk encryption, especially mobile and laptop, should be designed specifically to prevent data retrieval when physical possession is obtained by an attacker.

Mod parent up (1, Redundant)

Gnavpot (708731) | more than 4 years ago | (#28815023)

For this:

Disk encryption, especially mobile and laptop, should be designed specifically to prevent data retrieval when physical possession is obtained by an attacker.

Re:The same F500 and military that use Windows? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28815179)

There is no time window for remote wipe at all:

  1. Steal iPhone
  2. Turn off
  3. Remove SIM, disabling remote wipe
  4. Turn on and spend as long as you like (or 2 minutes) decrypting contents
  5. Steal data
  6. Profit

(OT, but why don't my list numbers look like numbers?)

Re:The same F500 and military that use Windows? (2, Insightful)

erroneus (253617) | more than 4 years ago | (#28815385)

Indeed, let's state this more simply so that people can use it in other places as well:

1. Security through obscurity is not security
2. If security relies on an attacker not to be smart enough, it is not secure

Re:The same F500 and military that use Windows? (3, Insightful)

thedak (833551) | more than 4 years ago | (#28814735)

.. I won't lose a blink of sleep over them using Apple products. This guy had to have physical access to the iPhone to crack it, and even then the iPhone did not start sending its data out over the Internet along with a virus payload that formed a massive botnet that crippled Internet bandwidth.

That is because they are completely different cases with completely different mechanisms to prevent them. You're talking about the ability to load a spambot or something on a mobile device. The encryption is there to ensure your address book is safe, your calendar is safe, any photos and other data are safe. Not to ensure the device does not run arbitrary code. The problem with the data encryption being crackable within an arbitrary length of time is a large issue, as it is meant to be protection regardless of where the device lies, in hands or not.

My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data

That is exactly the purpose of encryption.

en·crypt (ĕn-krĭpt) tr.v. en·crypt·ed, en·crypt·ing, en·crypts

1. To put into code or cipher.
2. Computer Science To alter (a file, for example) using a secret code so as to be unintelligible to unauthorized parties.
http://dictionary.reference.com/browse/encryption [reference.com]

So yes, it is a major issue, as it circumvents what the encryption is meant to accomplish.

Re:The same F500 and military that use Windows? (4, Interesting)

Sir_Lewk (967686) | more than 4 years ago | (#28814785)

My understanding is that the encryption in the 3GS is not meant to prevent a user with physical access to the device from accessing the data. It's to make Remote Wipe instant

Perhaps I'm missing something here, but what's the point of doing a remote wipe of your iphone, if not to prevent someone that has physical access from accessing your data?

Re:The same F500 and military that use Windows? (1)

SoupIsGoodFood_42 (521389) | more than 4 years ago | (#28815403)

To prevent most thieves from getting access to your data? I'm not sure Apple has ever advertised this as high-grade protection. The only reference I can find on their site is to remote wiping. Maybe I'm not looking in the right place?

WTF? (0)

Anonymous Coward | more than 4 years ago | (#28815259)

Only in Apple land, this is +5 informative.
For fuck sake, the whole point of encrypting your goddamn fucking jesus phone is that if it gets stolen, your data is still not available to anybody else.

Apple fucking whoring mods, at least don't make your mods too blatant that people stop reading any and every apple story out there.

Fucking apple whores.

interesting (4, Interesting)

Sir_Lewk (967686) | more than 4 years ago | (#28814411)

Ok, I just watched the linked demonstration and what I noticed was he only placed his "private data" on the phone after he removed the pincode. I'd be interested to see a demonstration of him pulling data off the phone that was present before he reset the pin, to demonstrate that resetting the pin didn't just revert it back to factory defaults and remove all previous data.

That said, I'll take his word for it now, it's quite interesting in the least. I have to wonder if this is an intentional "feature".

Re:interesting (3, Interesting)

Sir_Lewk (967686) | more than 4 years ago | (#28814471)

I'd like to add that anyone that thinks a 4 digit pin was ever going to provide any sort of strong protection, particularly for "sensitive data", is an idiot.

At the worst it'd take less than an hour to brute force it manually.

Re:interesting (0)

Anonymous Coward | more than 4 years ago | (#28814537)

...unless you've got it set to delete all data on your phone after 10 incorrect attempts.

Re:interesting (0)

SomeJoel (1061138) | more than 4 years ago | (#28814619)

...unless you've got it set to delete all data on your phone after 10 incorrect attempts.

That would make sabotaging someone's phone pretty easy. Just pick it up, make ten wild ass guesses at a PIN, and rest assured their precious data is now gone.
As an added bonus, if one of your wild ass guesses is right, you can look at the data before you trash it.

Re:interesting (5, Informative)

PnjDbq (1240308) | more than 4 years ago | (#28814769)

The iPhone starts injecting time delays into the login/wipe process, I believe after the first 5 incorrect attempts. First one minute, then 5 minutes, and I have never had the patience to watch much beyond that. You can still sabotage the phone, but it's not fast.

Re:interesting (2, Informative)

Minupla (62455) | more than 4 years ago | (#28815123)

That's how my work Blackberry is configured - if I enter my PIN wrong too many times, it self wipes. All my data is gone. Until I either plug it in to my workstation at work, and it restores from the backup, or I call in and get a new activation pin assigned and do a wireless sync. It's a bit of a pain in the butt when it happens, but seems like a reasonable trade off. Of course the BB has a good keyboard, so I don't mistype often :)

That being said, I do lust after an iPhone for personal use, but I would not at this point recommend we use them for corporate work, too much risk. My personal data is less valuable, as I don't carry around sensitive emails.

Min

backups (0)

Anonymous Coward | more than 4 years ago | (#28815285)

...unless you've got it set to delete all data on your phone after 10 incorrect attempts.

That would make sabotaging someone's phone pretty easy. Just pick it up, make ten wild ass guesses at a PIN, and rest assured their precious data is now gone.

Your e-mail is on the server, your contacts are sync'd with Outlook / Address Book / whatever regularly, your photos are in Picasa / iPhoto, your music is in iTunes / whatever.

What's the big deal? Restore from backups.

It's a temporary DoS until the owner can resync. Inconvenient and annoying yes? Sure, but hardly devastating.

Re:interesting (0)

93 Escort Wagon (326346) | more than 4 years ago | (#28814681)

...unless you've got it set to delete all data on your phone after 10 incorrect attempts.

Hi,

Please stop injecting inconvenient facts into this debate.

Thanks!

Re:interesting (1)

Sir_Lewk (967686) | more than 4 years ago | (#28814711)

So that takes care of low tech brute force attempts but the fact remains that in cryptography a 4 digit secret is pretty damned worthless.

Also, with that sort of security system I sure as hell hope you keep backups...

Re:interesting (2, Informative)

Gnavpot (708731) | more than 4 years ago | (#28815069)

...unless you've got it set to delete all data on your phone after 10 incorrect attempts.

You are assuming that the attacker does not use his own software for extracting and decrypting the data?

That assumption is usually one of the first and most obvious traps people fall into when they try to invent a new protection method.

But perhaps the assumption will hold in this particular case. I don't know if it is possible to extract the encrypted data from an iPhone and decrypt them elsewhere.

4 digit PINs and auto-wiping (0)

Anonymous Coward | more than 4 years ago | (#28815167)

I'd like to add that anyone that thinks a 4 digit pin was ever going to provide any sort of strong protection, particularly for "sensitive data", is an idiot.

At the worst it'd take less than an hour to brute force it manually.

Four digits means 10,000 possible combinations. Blackberrys (also four digit PINs) can be configured to wipe themselves after the tenth incorrect PIN entry. So you therefore have a 1 / 1000 chance of guessing and getting in (assuming the PIN is somewhat random, and not the year of birth of a loved one).

Re:interesting (1)

newcastlejon (1483695) | more than 4 years ago | (#28815371)

You mean like the code you use on your luggage? Or the code you use at the ATM? Or the code for the alarm system in your home?

Re:interesting (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28814573)

I have to wonder if this is an intentional "feature".

Indeed. Most people really don't want real security. It would be a support nightmare for Apple because the common person is an idiot and will forget their password or whatever. Then all they want is their data back and they expect Apple to give it to them. If the device was really truly secure then their data would be permanently gone.

Fortunately there are third party products that provide real security for people who really need it. Too bad it's not always well integrated into the system though. I am glad this market exists though because that's how I make my living.

has it been 2 minutes already? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28814419)

I could have sworn it was no more than 15-20 seconds since the iPhone 3G S came out. Oh wait, no, more like a month. So how about "in 30 days" instead of "in 2 minutes"?

No security is the unwritten rule (0)

Anonymous Coward | more than 4 years ago | (#28814435)

I know this seems a little conspiratorial... I have always had the feeling all mainstream mobile platforms are intentionally insecure.

Anything having to do with voice communications is broken severely from a security perspective. Entire voice oriented protocol stacks such as SIP have piss poor security properties or get shit wrong enough that they can easily be circumvented.

I know that trust and key management are hard problems and very difficult to get right but mainstream mobile platforms have not even so much as tried to get it right. Maybe there just isn't any market value in it?

security theatre (4, Insightful)

drDugan (219551) | more than 4 years ago | (#28814445)

security theatre: (1) security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security, usually resulting from political absurdity, poor engineering, the need to present an image of security more than real security, or some combination of these factors. (2) The real mission of the Transportation Security Administration.

Examples: airport screening, "No-Fly" lists, random searches on subway systems, 1950's "duck and cover" drills in U.S. public schools

Security Professionals (3, Informative)

Yeorwned (1233604) | more than 4 years ago | (#28814467)

Apple with poor security? No way! Oh wait, their operating system does have almost 4 times the number of critical vulnerabilities that M$ XP has, every single year since its release. Impressive record.

It actually makes me feel better. (0)

Anonymous Coward | more than 4 years ago | (#28814511)

Apple has never been one to sit still when the evil green spotlight of bad publicity is pointed on them. I'm sure that there are teams mobilizing even now... even if those teams are probably mostly lawyers.

Were the backups encrypted? (4, Interesting)

diamondsw (685967) | more than 4 years ago | (#28814555)

It should be noted that iTunes does not encrypt backups by default, but you can enable that with a checkbox in the iPhone preferences. So the real question is - with a PIN set and encryption on, can it still be hacked?

Re:Were the backups encrypted? (0)

Anonymous Coward | more than 4 years ago | (#28814771)

Yes. More questions?

The Real Question is... (1, Redundant)

Nom du Keyboard (633989) | more than 4 years ago | (#28814581)

The real question is whether or not you should be storing sensitive material on your iPhone in the first place?

If the answer is: What kind of idiot are you? Of course my iPhone is the center of my universe and the repository of everything that will ever matter to me right at my finger tips, then there's a huge opportunity just waiting for some programmer at the Apps Store who can code faster than I can to supply a cheap App that actually provides true security...

...provided that Apple and the government will let them.

Re:The Real Question is... (0)

Anonymous Coward | more than 4 years ago | (#28814603)

I love your sig.

Re:The Real Question is... (1)

bertoelcon (1557907) | more than 4 years ago | (#28814685)

Government might, Apple will not unless it randomly falls into a list of auto-approved apps that doesn't exist.

Re:The Real Question is... (1)

AmberBlackCat (829689) | more than 4 years ago | (#28814747)

I think if you have some data you just have to keep, and there are people willing to break into your home to take it from you, you might be better off with the data in your iPhone than something bigger.

Re:The Real Question is... (2, Insightful)

PuckSR (1073464) | more than 4 years ago | (#28815131)

Ummm...no

Who would store "sensitive" data on a cell phone?
Well, consider that most companies, agencies, etc consider their email "sensitive". Why do you think most businesses purchase 'smartphones'? TO ACCESS COMPANY EMAIL
It isn't just a matter of company email carrying sensitive data, it carries normal data that would be highly beneficial to a bit of social engineering.

Still don't understand the whole 'smartphone'/sensitive data issue?
Ask yourself this question. Why won't the secret service let Obama carry a regular blackberry?

If the iPhone is just a regular phone that can browse the internet, then this news is meaningless.
If the iPhone is a 'smartphone' with relevant business applications, then it needs to be capable of quality encryption

curious... (2, Interesting)

sbeckstead (555647) | more than 4 years ago | (#28814625)

Did anybody else read the docs on this feature? It seems that encryption was only done as a means to remotely wipe the phone. Was he able to destroy the keys remotely and then have someone read the data off the phone? I don't understand.

Ding ding ding (4, Insightful)

earnest murderer (888716) | more than 4 years ago | (#28814921)

We have a winner...

The real issue at hand is how much time nerds spend thinking of ways they are right, instead of trying to understand how they might be wrong. iPhone 3gs was never marketed as having strong encryption (http://www.apple.com/iphone/specs.html), the /. crowd simply saw "something" was implemented and decided that the intent was to hide data.

Re:Ding ding ding (0)

stuboogie (900470) | more than 4 years ago | (#28815191)

"The real issue at hand is how much time nerds spend thinking of ways they are right, instead of trying to understand how they might be wrong."

Maybe you should follow your own advice. From the Apple MobileMe Site [apple.com]:

"Protect your privacy with Remote Wipe.

Addresses, phone numbers, email, photos. Your iPhone contains important and personal information -- information you probably don't want in the hands of a stranger. So if you lose your iPhone and displaying a message on it hasn't resulted in its safe return, you can initiate a remote wipe to restore it to the factory settings.* If you eventually find your iPhone, you can restore your email, contacts, and calendars by enabling your MobileMe account on your iPhone. Or connect your iPhone to your computer and use iTunes to restore the data from your most recent iPhone backup."

Sounds to me like they are implying your data is secure until you have a chance to wipe it remotely. Maybe that was the "something" the "/. crowd" saw and jumped to the wild conclusion that their data was actually protected???

Re:Ding ding ding (4, Interesting)

Alrescha (50745) | more than 4 years ago | (#28815315)

"Sounds to me like they are implying your data is secure until you have a chance to wipe it remotely. Maybe that was the "something" the "/. crowd" saw and jumped to the wild conclusion that their data was actually protected???"

You know, I read the paragraph you quoted and even after repeated readings never came to the conclusion that you did. In other words, nowhere does it say your data is protected by encryption. The feature it is touting is 'Remote Wipe' and that feature happens to use some encryption to do its business.

A.

But it can't be BAD; it's BUILT FROM UNIX (0)

Anonymous Coward | more than 4 years ago | (#28814633)

And UNIX as we all know is the be-all, end-all in ... ALL !!

I mean, if this FAILS, what is to keep all UNIX from FAIL ??

Re:But it can't be BAD; it's BUILT FROM UNIX (0)

Anonymous Coward | more than 4 years ago | (#28814923)

A UNIX, ALL !!

I, FAILS, UNIX FAIL ??

Sorry, this is what I read, and it just doesn't seem to make any sense.

Oh, wait! There were other words in your post! ... Nevermind, still doesn't make sense.

Oh Great (3, Funny)

maiotaku (1605209) | more than 4 years ago | (#28814703)

Oh great, now all those secret emails about the money laundering are going to be found by the government because I'm the only major corporate executive who uses an iPhone to talk about all our illegal activities. I thought my data would be so safe, with no other weak links in the chain... like my email server or anything of that sort that could possibly also be hacked...

Encryption is both Complex and Tricky (1)

omb (759389) | more than 4 years ago | (#28814953)

OK, the real problem is expectation and marketing. From the story, the encryption is (egregiously) useless.

If the device is in your hands, you can physically remove the memory, and then examine it, breaking the weak encryption on the fly.

The marketing (surprise ... ) misrepresents that.

The trick, instead, is concentrating and protecting important information.

That's great, but.... (0)

Anonymous Coward | more than 4 years ago | (#28814975)

That's great, but... if only someone could crack the ipod classic hard drive secrets as easily. rockbox [slashdot.org] needs your help.

Re:That's great, but.... (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#28814983)

That's great, but... if only someone could crack the ipod classic hard drive secrets as easily. rockbox [rockbox.org] needs your help.

Hm, let's fix the URL above - and this time uncheck "post anon" which automatically got checked for no apparent reason.

Re:That's great, but.... (0)

Anonymous Coward | more than 4 years ago | (#28815177)

It knew about your typo.

Reader Fail (3, Informative)

marshzd (1605229) | more than 4 years ago | (#28815281)

This is a pisspoor attempt at trying to discredit Apple for a CONSUMER product. Spore was hacked two weeks before the game was released. The Sony PSP has been hacked since the beginning of its formation. The X-Box was not only hacked to put in bigger drives, but also was hacked to put Linux on it (which took a little longer but still). Windows XP is easily hacked by booting up in Safe Mode, you have immediate free admin access to add users and change passwords. Windows Vista/2000(2003) Server are all hackable with a quick Linux boot CD, takes about three minutes (I've done this multiple times on many machines). You can either change the password, or just load all the person's files onto an external drive (I usually do this for when someone's Windows dies but you could easily take all their information unencrypted right off). Every consumer device and software product is usually hacked before it's even released, if not shortly after it's released. The fact that this article was just barely posted actually makes me wonder how stupid they are for failing this long at trying to break a consumer product. I've never seen a single ad for the iPhone, PSP, or X-Box advertising their "security". They generally intentionally have loopholes because they realize that users (like the person who wrote this article) are freaking idiots and are going to lock themselves out. The biggest loophole is having an admin user (:O) reset their password. And getting that password from them is as simple as starting their pubes on fire if not using the previously mentioned boot disk to simply wipe the password and log in. This isn't any sort of fail on Apple's part. They can't handle everything in the universe on their phone. Nor was it PSP's fail when it got hacked. Or Windows when it gets hacked. There's BLATANT fails that generally get fixed, but not really any here. Sorry folks, move along.

Why Apple is the backdoor to Socialism (0)

Anonymous Coward | more than 4 years ago | (#28815289)

I keep telling people that Apple is just a closet socialism tool. Nobody believes me. Big brother Steve Jobs makes things for Bigger Brother Obama.

it has failed 5 time on me (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#28815325)

It is not just the security issues, I guess ...

I am an iPhone 3G user here in Singapore and the iPhone has failed on me 5 times since I first bought it.

2 x battery issue
1 x unable to power on
1 x unable to get on 3G network on provider Sim card but other works
1 x unable to charge (the port failed)

Each of those times, the telecom which I bought the phone from (Singapore Telecom) replaced it with a unit, and I wonder if it is a refurbished unit ... or there is some serious QC issue ...

After the 5th time, the telecom still wants to replace it with the same 3G model ... I have totally lost confidence ... Sigh, I have paid so much to buy it and this has been a painful experience throughout my journey with the iPhone ...

A Good Enough Reason (0)

Anonymous Coward | more than 4 years ago | (#28815529)

for Apple to release a patch to . . . re-re-secure devices from Palm?

What, me worry? (4, Insightful)

jc42 (318812) | more than 4 years ago | (#28815657)

With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?

Well, as someone who isn't part of any Fortune-100 corporation or military force, I guess my response would be "Not at all."

It's generally understood and widely acknowledged that the secrecy in such organizations functions primarily to keep their inner workings private from their own populations, i.e., us "little people" who pay to keep them running but aren't allowed to look into their inner workings. If they are riddled with holes in their communications because they're using iPhones or MS Windows or whatever, that means that there's a good chance that investigators can find out what they're up to and inform the rest of us.

Consider the last few years of disasters in the American financial industry. It's pretty clear now that the perpetrators knew quite well what they were doing, and were profiting quite well from it all. It's the "little people" who are paying for the collapse, while the officers of the corporations are still taking home huge paychecks and bonuses. The reason it went on for so long was that the companies involved were able to keep their shady dealings secret from the great majority of their investors. If we'd had better security holes to see inside them, maybe some of the disaster could have been avoided.

It's hardly a secret that military security primarily functions to hide their internal corruption (and bungling) from their own citizenry. Making their internal communications available to the citizenry via poor comms security seems like a win for the country as a whole.

(Yeah; I know; "Such a dreamer." ;-)
