Maybe not such a massive security hole

Wired complains about a "massive iPhone security hole", namely that the keyboard lock does not work as expected:
You're a smart, safety conscious iPhone user, right? You keep the phone set to require a 4-digit passcode every time it wakes up, so if you ever lose your baby, all your personal information is safe. But if you are running v2.0.2 of the iPhone operating system, you might as well not bother. A simple hack will get anybody past your PIN code with free access to all your mail, contacts and bookmarks. Ouch!

Acting on a tip from the Mac Rumors forums, Gizmodo's Jesus Diaz whipped up a video of the exploit in action, a ridiculously easy two-step process:

1. Tap emergency call.

2. Double tap the home button.

This drops you into the iPhone's "favorites" section. From here you can make calls or send e-mail, and with a few steps you can browse to the Address Book and then on to Mail, Safari or the SMS application.

I'm not saying this is the best designed feature I've ever seen. Obviously, if you have a PIN lock on your phone you'd prefer to not have it be easily bypassed. That said, it's important to be realistic about what a PIN-based lock like this can do, even in principle, remembering that this person has your phone in hand. There are two things you might want to secure:

  • People making phone calls with your account.
  • Your data.

As far as people making phone calls, your account information is embedded in the SIM card, which an attacker can just pop out and cram into their phone. You can block this by installing a SIM PIN (the iPhone supports this) which needs to be entered every time you power on your phone, but it's not built into the keyboard/screen lock.

With regard to your personal data, remember that the iPhone stores it on the flash memory somewhere. In principle, it could be encrypted (though I don't think it is), but unless there is a hardware security module, the only source of keying material entropy is the PIN, and if someone takes an image of the flash memory, they can mount a dictionary attack on the PIN. Based on the iPhone breakdowns I've seen, there doesn't seem to be an HSM anyway. Interestingly, you don't seem to be able to extract the data from the iPhone by syncing to it, at least not the trivial way: iTunes prompts you for a PIN before syncing. Of course, I don't know if that's enforced on the phone or just in iTunes. If the latter, then you should be able to write your own program that sucks the data off without asking you for a PIN.
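The entropy argument above is easy to make concrete. The following is an added illustration, not the iPhone's actual key-derivation scheme and not code from this post: it assumes a hypothetical design in which a data-encryption key is derived from the PIN with PBKDF2 (the salt and iteration count are constructed values), and compares the plain PIN-only derivation with one that first mixes the PIN with a secret that never leaves a hardware security module. With the PIN-only variant, everything the KDF consumes is either on the flash image or guessable from a four-digit space, so the whole search can be run offline against the image; with the device-bound variant, a copy of the flash alone is not enough to check a guess.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed parameters for the illustration; the real device's values, if any,
# are not known from the post.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def pin_keyspace_bits(digits: int) -> float:
    """Entropy of a uniformly chosen numeric PIN with the given number of digits.

    A 4-digit PIN gives 4 * log2(10), about 13.3 bits: far below the 128 bits
    expected of a symmetric key, which is the point the post makes about the
    PIN being the only source of keying entropy.
    """
    return digits * math.log2(10)


def offline_search_cost(digits: int, iterations: int = PBKDF2_ITERATIONS) -> int:
    """Total KDF iterations needed to try every PIN against a captured image.

    Slowing the KDF multiplies the attacker's work, but the multiplier applies
    to only 10**digits candidates, so it cannot turn a short PIN into a strong key.
    """
    return (10 ** digits) * iterations


def derive_key(pin: str, salt: bytes, device_secret: Optional[bytes] = None) -> bytes:
    """Derive a data-encryption key from the PIN.

    With device_secret=None, the PIN and the salt (stored on flash) are the only
    inputs, so anyone holding a flash image can reproduce this function for
    each of the 10**4 PINs and compare against a stored verifier.

    With a device_secret that exists only inside a hardware security module,
    the first step can only be computed on the device, so the same flash image
    no longer allows the check to be made offline.
    """
    password = pin.encode()
    if device_secret is not None:
        # Bind the key to the device: keyed hash of the PIN under the
        # non-extractable secret, before the (public-parameter) PBKDF2 step.
        password = hmac.new(device_secret, password, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


if __name__ == "__main__":
    salt = bytes(16)  # constructed salt; assume it is stored alongside the data
    print(f"4-digit PIN entropy: {pin_keyspace_bits(4):.2f} bits")
    print(f"Offline search cost at {PBKDF2_ITERATIONS} iterations: "
          f"{offline_search_cost(4):,} PBKDF2 iterations")
    print("PIN-only key:     ", derive_key("1234", salt).hex())
    print("Device-bound key: ", derive_key("1234", salt, b"\x42" * 32).hex())
```

The numbers show why the post is pessimistic: even with a deliberately slow KDF, the PIN-only variant bounds the attacker's total work at ten thousand key derivations per image, whereas the device-bound variant moves the limiting factor from the attacker's CPU to whatever rate limit or lockout the device enforces on PIN attempts.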

The bottom line here is that the iPhone isn't some sort of vault for your data. If you want it protected, use strong encryption or keep it on a device you don't plan to lose.

2 Comments

This is another overblown, hyped article from Wired that only exists because the subject matter is the iPhone. Mobile devices are lost. Regardless of the type of device (BlackBerry, Windows Mobile device, iPhone, etc.), the assumption is that once that device is out of the owner's hands and into another's, the data is exposed, which is why "remote erase" exists for all these devices.

Getting an image of the flash memory is not easy. The traditional way to do this is to get access to the JTAG, which was found in the original iPhone underneath one of the chips (I think the radio chip) -- so you had to remove a chip, thus wrecking the phone. Apple may have made this harder on the iPhone 3G.

Otherwise, you're left with only a couple of options. You can remove the flash (which is really hard to do without destroying it) and remount it on a custom board, or you can buy some extraordinarily expensive equipment to do logic analysis on the bus and start injecting faults.

Of course you're right that if it's not encrypted then you are not safe in assuming someone can't access your data, but the reality of the matter is that it is still really hard for a snooper to do. This vulnerability lowers the bar for data compromise of an unattended iPhone from highly sophisticated to trivial. That is pretty much the definition of a critical security vulnerability.

For what it's worth, the Blackberry does natively support password-based encryption of all data, but it has to be enabled by the user or an IT administrator (presumably for performance reasons).
