BLOGS: iPhones and security – or lack of…
Bernd Marienfeldt has a running blog on a security flaw in the iPhone. Basically, the security doesn’t work. He has been able to bypass the encryption, exposing data, on non-jailbroken iPhones.
The newly uncovered vulnerability shows that Apple’s iPhone 3GS authentication model is somehow or other broken. The iPhone vulnerability was covered in the SANS webcast “iPhone Insecurity” by Jim Herbeck: Webcast audio excerpt of iPhone vulnerability.
Apple could not at first reproduce this vulnerability, but now can:
“Apple could reproduce the as described serious issue and believes to understand why this can happen but cannot provide timing or further details on the release of a fix.”
The issue here is that Apple’s claim
“iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.”
merely provides a false sense of security. Businesses hand out iPhones to staff believing the encryption keeps data safe and staff within the data protection laws. But iPhones are very easily lost or stolen. And at this moment they are not secure in the hands of a hacker.