Educause Security Discussion mailing list archives
Re: Implications of Jail breaking ipod/iphones
From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Fri, 24 Jul 2009 08:39:19 -0500
I can't say that I care for the article. A good bit of fear mongering going on. If you read the comments someone (parplin) tries to straighten it out. The Wired author tries to prove the fear mongering claim with a quote from WWDC which he even admits doesn't support his claims. There's quite a bit of strawman argument in the article. What does the encryption achieve? It allows fast wipe by removing the key instead of having to wipe the entire device. What does Apple say that it does? They say it improves security by allowing a fast wipe and because backups are encrypted (by implication without the key, it remaining on the iPhone). Can the protection be bypassed? To give a proper answer you have to consider what is being protected. If I use a lock that is trivial to pick then if I lock something with it there is no significant increase in protection. If I lock my breakables in a wooden crate and someone shoots it up -- well, there was never any protection against that attack. I wouldn't say protection was bypassed or ineffective, I'd say there wasn't any protection against that attack. With the iPhone 3GS it does NOT provide protection against someone with physical access imaging your phone. Should Apple provide such? IMO, yes, but that is not what they are claiming to provide. Is Apple's protection better than the competition?
From what I gather it isn't better or worse, it is different. Blackberry provides an automatic wipe when off network for too long. Apple doesn't, but if you issued a remote wipe and your iPhone connects at all (over the cell network, or over wireless) then it wipes. Blackberry doesn't offer a remote wipe over wireless, and the time for the remote wipe is very likely too long to have any impact. Apple provides GPS tracking which is handy for recovery. If you lost it rather than it being stolen it is conceivable that you will recover it before someone does a theft of opportunity. I don't believe Blackberry offers this.
Is Apple's protection sufficient? That depends on your needs and risk analysis. How does Apple's encryption affect iPhone forensics? Not at all. The same exact procedure as was used previously (jailbreak, use ssh to remotely access and image) still works. Note that whatever "security" you have on your iPhone is of no consequence -- someone who knows how to get a forensics image will not try and unlock it ten times and risk triggering a wipe. They would most likely keep the iPhone in a foil bag (which prevents remote wipe or GPS tracking). This is standard procedure in cellphone forensics. Remember, security isn't a product. Security isn't a state. Security is a process. Tim Doty Systems Security Analyst Missouri S&T
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Carlson Sent: Thursday, July 23, 2009 6:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Implications of Jail breaking ipod/iphones Just thought I would follow-up with this new article which appears to be the best analysis thus far of the 3GS encryption scheme: http://www.wired.com/gadgetlab/2009/07/iphone-encryption I think these quotes unfortunately sum it up: "I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security.”" "If they're relying on Apple's security, then their application is going to be terribly insecure," he said. "Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it's entirely useless toward security." So basically, it sounds like if you lose your 3GS and have encryption enabled, your data can still be accessed (which is usually what you try to prevent with encryption). I had very much hoped that Apple would beef up it's security, but this article talks about why many of Apple's security features are still severely lacking. I know that those who want iPhones are going to use iPhones regardless of the security issues, but hopefully this will help administrators argue that it should be used for less and never used to store sensitive data. -Adam Russell Fulton wrote:On 22/07/2009, at 12:41 PM, Russell Fulton wrote:I have had several people ask me about this and I have triedgooglingaround the area but most the stuff I have found consists of lists of dos and don'ts with little or no background info. The basic question is what are the security implications of jail breaking your iphone?Thanks very much to all of you who took the time to share yourthoughton this one. By and large you have confirmed what I had expected: 1/ Apple overstates the issue (of course). 2/ the built in security model does provide some real and useful protection. 3/ a jail broken iphone in the hands of someone who is careful andknowwhat they are doing is not much different to a PC. 4/ an incautious novice can very easily shoot them selves in the both feet (hmm... that isnt much different to a PC either ;). So I think my advice will be: don't jailbreak your phone unless: a/ you have a really good reason to (i.e. it gets you something thatoutweighs the increased risk) b/ you know what you are doing and are both tech and security savy. Thanks again for all the wonderful input. Russell-- Adam Carlson Chief Security Officer Information Technology Residential and Student Service Programs Tel: 510-643-0631 Email: ajcarlson () berkeley edu "Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis
Attachment:
smime.p7s
Description:
Current thread:
- Implications of Jail breaking ipod/iphones Russell Fulton (Jul 21)
- <Possible follow-ups>
- Re: Implications of Jail breaking ipod/iphones Anderson, Sherry (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Rick Holland (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Guy Pace (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Russell Fulton (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 23)
- Re: Implications of Jail breaking ipod/iphones Doty, Timothy T. (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Doty, Timothy T. (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 24)