Dev-Team Member 'NerveGas' Says 3GS Encryption Is Useless, Easy To Break

Edward Kirk · July 23rd, 2009, 05:36 PM

Jonathan Zdziarski is back, and now he says Apple's encryption on the iPhone for business users is not as good as it should be, and could potentially put company data at risk. According to him, the encryption is so weak that it could be cracked in two minutes using nothing more than some easily available freeware.

"It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker known for his work on recovering forensic information from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

The iPhone 3GS is the first device to officially feature encryption, but Zdziarski says sensitive information like credit card numbers and social security digits on a 3GS are just as easy to access as they were on the 3G and first generation iPhone.

The tools he uses? Simply Red Sn0w and Purple Ra1n, which he uses to install a custom kernel on the device, after which he can install an SSH client and port the raw disk image across SSH onto his computer.

[via Wired]

Eurisko · July 23rd, 2009, 07:55 PM #2

I'll say this, the kids got one hell of an ego

rameeti · July 24th, 2009, 12:06 PM

I don't see 99.9% of users needing the kind of encryption that the cracker is suggesting should be there. Users do not want lost iPhones leaking information. The user is describing the level of encryption that a high level executive would need if they had their iPhone stolen. People who find phones want to use the phone. They might also enjoy using data that they find on the phone but they don't have the technical knowledge to do what the cracker suggests can be done.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Edward Kirk WrAdminterizer Join Date: Apr 2007 Location: Illinois, USA Posts: 3,088 Thanks: 19 Thanked 26 Times in 25 Posts	Dev-Team Member 'NerveGas' Says 3GS Encryption Is Useless, Easy To Break - July 23rd, 2009, 05:36 PM #1
	<script language="JavaScript" src="http://adserver1.backbeatmedia.com/servlet/ajrotator/13894/222/viewJScript?pool=13886&type=3158&pos=20&zone=5000"></script> Jonathan Zdziarski is back, and now he says Apple's encryption on the iPhone for business users is not as good as it should be, and could potentially put company data at risk. According to him, the encryption is so weak that it could be cracked in two minutes using nothing more than some easily available freeware. "It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker known for his work on recovering forensic information from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.” The iPhone 3GS is the first device to officially feature encryption, but Zdziarski says sensitive information like credit card numbers and social security digits on a 3GS are just as easy to access as they were on the 3G and first generation iPhone. The tools he uses? Simply Red Sn0w and Purple Ra1n, which he uses to install a custom kernel on the device, after which he can install an SSH client and port the raw disk image across SSH onto his computer. [via Wired] __________________ About my iPhone: iPhone & Color: iPhone 3G 16GB White iPhone Version: 3.0 Computer & OS: MacBook Pro 15", Mac OS X 10.5.4 Twitter

Eurisko iPA Fanatic Join Date: Sep 2007 Location: Toronto, Canada Posts: 99 Thanks: 0 Thanked 0 Times in 0 Posts	July 23rd, 2009, 07:55 PM #2
	I'll say this, the kids got one hell of an ego

rameeti Forum Lurker Join Date: May 2009 Posts: 8 Thanks: 0 Thanked 0 Times in 0 Posts	What level of encryption are people looking for? - July 24th, 2009, 12:06 PM #3
	I don't see 99.9% of users needing the kind of encryption that the cracker is suggesting should be there. Users do not want lost iPhones leaking information. The user is describing the level of encryption that a high level executive would need if they had their iPhone stolen. People who find phones want to use the phone. They might also enjoy using data that they find on the phone but they don't have the technical knowledge to do what the cracker suggests can be done.