PINcept.com: There's Encryption, and Then There's the iPhone 3GS

There's Encryption, and Then There's the iPhone 3GS

The day I saw the Apple commercial depicting an individual entering their credit card number into an iPhone I cringed.

Of course I do the same thing every time I think about someone "typing" their numbers into a box on a website.

Last Friday ago in a post entitled: "In Two Weeks Your iPhone Will Be Hacked" I talked about the threats exposed at the Black Hat Conference in Las Vegas. Now I read that the iPhone 3GS is tantamount to writing your credit card number on a post it note and hanging it on your computer screen. (which is essentially the same thing as typing it into a box on a website...

All I can do is continue to repeat our mantra: "Don't Type...Swipe! (and remind you that you can't say I didn't didn't tell you so!)

(Excerpts Taken From ZDNET and Wired)

"Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. “It is kind of like storing all your secret messages right next tothe secret decoder ring,” said Jonathan Zdziarski, an iPhone developerand a hacker who teaches forensics courseson recovering data from iPhones. “I don’t think any of us [developers]have ever seen encryption implemented so poorly before, which is whyit’s hard to describe why it’s such a big threat to security.”

"The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" when it comes to protecting sensitive personal data such as credit card numbers, according to a forensics expert and iPhone developer."

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to an iPhone 3GS and some free software, data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, Zdziarski explained in a video demonstration.

Zdziarski added that there are other weaknesses with the iPhone: Pressing the Home button, and even zooming in on a screen, automatically creates a screenshottemporarily stored in the iPhone’s memory, which can be accessed later.

And then there’s the keyboard cache: key strokes logged in a file onthe phone, which can contain information such as credit card numbers orconfidential messages typed in Safari. Cached keyboard text can berecovered from a device dating back a year or more, Zdziarski said.

Apple has been touting the encryption and other features to entice corporate users to the device. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday."

Click here to read the article at Wired in it's entirety.

Posted by John B. Frank Thursday, August 6, 2009

There's Encryption, and Then There's the iPhone 3GS

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Learn More About Us

Translate This Blog

Blog Archive

Profile

PIN Debit Blog Live

All Top Banking

Visits Since July 2009