Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

iPhone Security (Insecurity) Redux

December 14, 2009

The last post about the iPhone caused such a stir (I was astonished that the ABA Journal picked it up) that our Inboxes have been full of questions and comments. I asked John to try to address the issues raised and so, herewith, are further observations from John regarding the iPhone:

"Now that Apple’s iPhone insecurity secret has become public, there have been several questions about the iPhone and the data that it preserves. I’ll attempt to address those questions.

What I’ve attempted to do is summarize (in one location) the various issues dealing with the iPhone, especially since they have become so popular. As a computer forensics company, we are very interested in the evidentiary value of electronic information, including the data on a cellular phone. As we’ve previously identified, the PIN on the iPhone is easily bypassed, therefore there is essentially no protection against an attack. Some have pointed out that you can configure a PIN on the iPhone so that it automatically wipes the phone after a set number of invalid attempts. So what? If you can bypass the PIN by immediately putting it into recovery mode, you haven’t even made a single invalid PIN attempt. Game over.

Some have commented that bypassing the PIN is sophisticated hacker action. Really? We don't see this same flaw on a BlackBerry, Windows Mobile, Symbian or other cell phone and there are many available free tools to unlock the iPhone PIN depending on the installed firmware version.

Others have pointed out that you can remotely wipe the phone via the MobileMe service. Don’t get me going about AT&T’s ability to know where the iPhone is at all times. You call that privacy? The bottom line is that you have to be connected to the network for the remote wipe to work. All you have to do is remove the SIM card from the phone to take it off the network, which will prevent the remote wipe. If you believe Verizon’s commercials, you can just get a map for those places you can’t connect.

Also, most users are not aware that the iPhone conveniently creates a screenshot and saves it as a temporary file on the phone. Wired has an article that explains the how and why and is available at http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/. The end result is that there is a very complete "audit trail" of activity that is done on an iPhone, even if the user doesn't save any data. As an example, you can open a message that contains personally identifiable information and then immediately delete it. Guess what? All of that private data is on the phone until it is overwritten, which could be some time. As we mentioned in the article, the iPhone is an "evidence rich" device. These recoverable screenshots are one reason why and we've verified the existence of them through a ton of real world investigations. We've never seen this type of activity on any other phone.

There have been reports (such as those from CNET and InfoWorld) that the iPhone has been "lying" to Exchange servers up until the release of the 3.1 firmware. We have no personal experience with this and haven't tested it since we don't run Exchange 2007. Even Apple says that the 3.1 firmware now properly reports encryption status to the Exchange 2007 server. This update was released so that e-mail administrators could enforce secure communication with an Exchange server by requiring that the originating phone have on-device encryption. The 3 GS has such a feature and will work with Exchange 2007. Some have mentioned that their iPhones (non 3 GS) are still syncing with an Exchange 2007 server after the update. This means that the administrator has not configured Exchange to accept only secure-device connections.

Does all of this mean that the iPhone is the ONLY insecure cellular phone on the market? Obviously not, but it is at the top of our list, especially considering the hundreds of phones we get each year for evidence analysis. Any smartphone with a browser is subject to the same attacks and infection as any Internet user. We know many iPhone users are saying that security is the issue and is not unique to the iPhone. Perhaps the truth hurts. Security is a major issue for any law firm, but using a device that does not enforce PIN integrity is a little crazy in my book. I wouldn't want to make that argument to a malpractice carrier."
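The Exchange-side enforcement John mentions at the end of his note is something an e-mail administrator can check in a few minutes. What follows is an added example for the Exchange 2007 SP1 Management Shell; it is not from the original post or from Sensei, and the policy name "Default", the 30-day window and the failed-attempt limit are assumptions to adjust for your own environment. It shows the weak policy state beside the corrected one, binds every ActiveSync mailbox to the policy, and then lists which devices are still syncing and whether the server recorded a policy as applied.

```powershell
# Added example (not from the original post): Exchange 2007 SP1 Management Shell
# commands to enforce the on-device encryption requirement the post describes and
# to audit which devices are still syncing afterwards. Policy name 'Default', the
# 30-day audit window and the failed-attempt limit are assumptions.

# 1. Inspect the current ActiveSync mailbox policy. The weak state that lets a
#    non-encrypting handset keep syncing is RequireDeviceEncryption = $false,
#    usually together with AllowNonProvisionableDevices = $true (which admits any
#    client that cannot, or claims it cannot, apply a policy at all).
Get-ActiveSyncMailboxPolicy -Identity 'Default' |
    Format-List Name, DevicePasswordEnabled, RequireDeviceEncryption,
                AllowNonProvisionableDevices, MaxDevicePasswordFailedAttempts

# 2. Corrected policy: require a device password and on-device encryption, and
#    refuse clients that do not support provisioning, so the server decides
#    which handsets may sync rather than the handset.
Set-ActiveSyncMailboxPolicy -Identity 'Default' `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -MaxDevicePasswordFailedAttempts 10

# 3. A policy only applies to mailboxes bound to it. Attach it to every
#    ActiveSync-enabled mailbox that has no policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Set-CASMailbox -ActiveSyncMailboxPolicy 'Default'

# 4. Audit: list devices that synced successfully in the last 30 days together
#    with the policy status the server recorded for each. A device that keeps
#    syncing after the change with no policy applied deserves a closer look.
#    Property names are those reported by Exchange 2007 SP1; confirm them with
#    "Get-ActiveSyncDeviceStatistics -Mailbox <user> | Get-Member" on your build.
$cutoff = (Get-Date).AddDays(-30)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    ForEach-Object {
        $mbx = $_.Identity
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastSuccessSync -gt $cutoff } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx } }, DeviceType, DeviceUserAgent,
                          LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus
    } |
    Sort-Object Mailbox, LastSuccessSync -Descending |
    Format-Table -AutoSize
```

Run this from the Exchange Management Shell on the Client Access server; the new policy reaches each device at its next sync, so the audit in step 4 is most telling a day or two after the change. One caveat the post itself raises: the policy is enforced on what the handset reports, and a pre-3.1 iPhone reported encryption it did not have, so this check is only as good as the client's honesty, which is exactly why the 3.1 firmware fix matters.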

**********************

Bear in mind – we don't sell smartphones – we have no dog in this hunt. But we do advise law firms on security issues. And as you can tell, we don't recommend iPhones.

E-mail:    Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq