iPhone 3GS Hardware Encryption Considered "Useless", even Harmful

2009-07-28 20:00:00 -0400


We agree with that assessment. When the iPhone 3GS was announced, Apple listed hardware encryption and better security among the new features, aimed at getting a better foothold in the enterprise marketplace where Blackberry tends to be the dominant mobile platform, and where corporate security policies can effectively shut out insecure technologies.

Surprising no one, details from Apple are scant, but based on their carefully worded statements it would appear that full-device hardware encryption (with the key on the device) was being employed to provide fairly scant security features. In fact, it poses the appearance of security with the potential for many considerable attack vectors. At the time of the announcement, Stephen wrote:

While there is no doubt that the encryption features will enhance iPhone device security, it remains to be seen how the practical improvements will compare to the launch hype. I strongly suspect that highly sensitive information storage will still require dedicated security applications.

More information is now coming to light. Brian X. Chen has an article in Wired titled, Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses, further making the case that what Apple is providing isn’t what security-conscious professionals really require:

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. “It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

Obviously, we have a vested interest in making the case for our own security applications for the iPhone and why we think they are so useful and provide such better security. But the most glaring thing about all this is Apple’s lack of disclosure, and poor implementation with the appearance of security. It’s not suitable for our own personal use, never mind in the enterprise environment.

Zetetic is the creator of the encrypted iPhone data vault and password manager Strip and the open source encryption-enhanced database engine SQLCipher.

blog comments powered by Disqus