iFail – Apple drops the security ball – again

Apple, you're killing me!

If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices. Well, my stubbornness has been vindicated twice over…

First, a security researcher found that connecting a stock iPhone 3GS to a system running Ubuntu Linux provides read and write access to much of the content on the phone without having to enter the 4-digit phone PIN.

Now, Apple, in claiming that its flagship product is enterprise ready, tells us that the iPhone 3GS offers hardware-based encryption and uses AES 256 bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users. I guess that the Apple version of AES just happens to replace every character with the same exact character…

This morning the situation developed further: research by Heise Security in Germany showed that it was possible to gain complete access to all data on some iPhone 3Gs and 3GSes by connecting to them from a Windows system. The trick does not work every time on every phone, and it is still unclear what the exact conditions are which cause the vulnerability to manifest itself. When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device. Not good.

There is some good news… it also appears that making sure your iPhone is locked before you shut it down interferes with this particular attack. It seems that the problem occurs in the split second when the unlocked phone wakes up, decides it needs to lock itself and locks the device. If the phone was locked before you put it to sleep, the opportunity is lost. Of course, how many people take the time to lock their phone before hitting the sleep button?

Yet again, we have proof that the iPhone is not ready for use as a corporate device. Apple has really dropped the ball here – they need to figure out what the problem is and issue a fix.  Now.    I think that they are going to have a really hard time convincing corporate users (especially those in heavily regulated industries) that the iPhone and iPad are safe to store sensitive information on.

So, what does the average iPhone/iPad/iPod touch user do in the meantime? I’d suggest not storing anything you really want to keep secret on these devices unless the application performs its own encryption. You might also want to take a few seconds to lock your device before hitting the sleep button – especially if the device is going to be out of your control for any length of time.

As for Apple, you guys really need to decide whether or not you want to be in the corporate space. If so, get your act together, hire some really good security people and test the hell out of your products before trumpeting their “enterprise readiness!” And this advice is coming from someone who owns an iMac, 2 iBooks, 2 iPods and an iPad – just think how the non-Apple-owning IT or Infosec manager is going to digest this news when looking at the iPhone for use at work. We expect more from you guys…