
My primary goal is to protect Activesync-based communication from being copied or stolen from an offline device.

In that context how effective is iPhone 3GS and 4 encryption?

makerofthings7
  • UPDATE 05/25/2011 -- iPhone 3GS/4 encryption broken !!! -- http://www.h-online.com/security/news/item/ElcomSoft-cracks-iOS-encryption-system-1250526.html – atdre May 25 '11 at 20:04

4 Answers


If you write the application, then you have various options for protecting the files stored on the device. I gave a presentation on this at Voices That Matter this year, but to summarise:

  • NSFileProtection API lets you use the same device key as the filesystem encryption, but ensure that the files are protected when the device is locked by additionally deriving a second key from the user's passcode;
  • CommonCrypto and OpenSSL are a bit harder to use, but still fairly straightforward, you control the encryption and can use the keychain for key management;
  • writing your own encryption implementation would be a bad choice.
  • when is writing your own encryption implementation ever a good choice? – Casey Dec 11 '10 at 14:04
  • @casey the only real answer I can come up with is if there's no implementation already for your environment. These days that probably isn't a common occurrence. –  Dec 11 '10 at 20:06

I've been looking at this recently and the answer appears to be that the protection may not be great.

First thing is that iOS 4.x devices may not have Apple's "data protection" feature enabled on them by default. Data protection is intended to give extra protection to e-mail data and attachments. If the device has been upgraded from iOS 3.x then data protection is not enabled until the device gets a full restore; the details are in this Apple Tech Doc.

The base Apple encryption on iOS 4.x devices can be bypassed relatively easily. Booting the device into DFU mode and loading a custom version of the OS (via the limera1n exploit), you can get an SSH connection over the iDevice cable; mounting the user data partition then gives you access to most information stored there in the clear. At the moment I've not found a doc explaining exactly how Apple's hardware encryption works, but I guess in some way the mount command must provide the key.

Rory McCune
  • As I wasn't so familiar with DFU, here is a link to clarify that: http://osxdaily.com/2010/06/24/iphone-dfu-mode-explained-and-how-to-enter-dfu-mode-on-your-iphone/ – Phoenician-Eagle Mar 13 '11 at 15:31
  • Protection is pretty good - probably as good as it can be given a user remembered secret - if data protection is on and the app is written to use the protection features. – frankodwyer Apr 26 '11 at 05:49
  • I am trying to follow the exact steps you mentioned. So far, I have jailbroken my iPhone with greenpois0n. The SSH client on Windows is WinSCP and on the iPhone I tried BigBossPrefs. Unfortunately the iPhone BigBossPrefs fails to start! So I am unable to connect to the iOS. My intention is to simulate that my mobile is lost (I have added a PIN on purpose) and try to see what data the attacker can have access to. Any help on this would be great. – Phoenician-Eagle May 15 '11 at 20:35
  • I wouldn't mind having my question as a new question if you want. – Phoenician-Eagle May 15 '11 at 20:36

The key is available from the device, so an unlocked device (or guessable/brute-forceable) will elicit the key. The key is also on any synced iTunes apps. By sending remote kill (if possible, which should never be relied upon since RF blocking handkerchiefs/bags are well known tools used by adversaries), this can delete the key, disabling recovery of the key and filesystem, and providing "fast wipe" functionality.

It is otherwise extremely awesome, given these very realistic limitations (i.e. no TPM). BlackBerry can't do this sort of thing without a BES (although BES Express is available for free if you have Exchange or SBS/etc server). Android relies on third-party, which is unreliable and insecure at best.

There are two books that cover this, Enterprise Mac Administrator's Guide and the iPhone Forensics book. The former mentions http://www.cellebrite.com for Security ID recovery.

atdre
  • What (if anything) above changes with a jailbroken device? – makerofthings7 Nov 20 '10 at 20:24
  • Don't jailbreak your device if you are serious about security. Other than that -- I have no idea – atdre Nov 20 '10 at 20:57
  • @atdre: it's not necessarily @MakerOfThings7 that jailbreaks the device. It might be the app's user. Or the attacker. –  Nov 20 '10 at 21:35
  • This is not true if data protection is on and a pin / password is set. In this case the (master) key is not on the device. – frankodwyer Apr 26 '11 at 05:47
  • @frankodwyer: Encryption doesn't work without keys, so where is the key if not on the device? – atdre Apr 26 '11 at 17:03
  • @atdre - the master key is derived from the user's password and so it is not stored on the device when the device is locked – frankodwyer Apr 26 '11 at 21:20
  • @frankodwyer: Ok, it's not stored on the device, but it's available to someone who has control of the device at runtime (i.e. while on). To me, this means stored on the device. To you, it means you are the mayor of crazytown – atdre Apr 27 '11 at 01:32
  • @atdre the user has to provide the password to unlock the device every time. It (still) isn't stored when the device is locked. – frankodwyer Apr 27 '11 at 11:55
  • @frankodwyer: Just like I explained in my original answer, the device has to be unlocked to get the master key -- or access to the iTunes the iPhone has synced with. If the code to unlock the phone is brute-forced, then it is also game-over-time – atdre Apr 27 '11 at 16:22
  • @atdre - what you say in your original answer is that the key is on the device, it is the opening few words of your answer. And that is (still) incorrect. The key is NOT on the device when it is locked. – frankodwyer Apr 27 '11 at 16:58
  • @frankodwyer: Thanks, I edited and changed the first part of my answer – atdre Apr 27 '11 at 23:42
  • @atdre: "If the code to unlock the phone is brute-forced" the key derivation function uses both the unlock code and the hardware key, which means that brute-forcing the *code* must be done on the device. It includes significant timing delays to thwart this attack: by the time you get to your sixth guess, it already waits over ten minutes before returning to the lock screen. And users can configure to have the device wiped after a number of failed guesses. –  Apr 28 '11 at 21:27
  • What happens when you plug an iPhone into USB? What happens when you scrape the DRAM? Don't tell me it's not possible, because it is. Get over it. – atdre Apr 29 '11 at 06:09
  • Looks like the cat is out of the bag -- http://www.h-online.com/security/news/item/ElcomSoft-cracks-iOS-encryption-system-1250526.html – atdre May 25 '11 at 20:04
  • Per conversation with Apple security developers the iPhone/iPad has an Apple TPM equivalent, the same as BlackBerry has a TPM equivalent. – zaph Sep 24 '11 at 00:56
  • @CocoaFu: Then why is it so broken that anyone can get in? – atdre Jan 13 '12 at 08:28
  • The Apple TPM equivalent has not been compromised, that is different from a "jailbreak". See the comment by @Graham Lee. – zaph Jan 13 '12 at 11:22

In consensus with Rory McCune's answer that you can bypass encryption, I want to add what goal the encryption in iOS devices has:

It is mainly for data loss prevention. Everything is stored encrypted. This means that a remote lock mechanism can force the device to forget the encryption/decryption key and shut down. This allows you to make an arbitrary amount of data useless, without having to remove or overwrite every byte on disk.

freddyb
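The key hierarchy argued over above (the first answer's point that NSFileProtection derives a second key from the passcode, the frankodwyer/atdre exchange on whether the master key is "on the device" when locked, and the remote-wipe point in the last answer), as an added, simplified Python model that is not Apple's implementation and not code from any answer on this page. The cipher, key sizes, PBKDF2 iteration count and the "fused UID key" constant are constructed stand-ins; only the structure (passcode tangled with a device key wraps a class key, which wraps per-file keys, and the unwrapped class key exists only while unlocked) is what the comments describe.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of the iOS 4 data-protection hierarchy (not Apple's
# code): passcode + fused UID key -> key-encrypting key -> class key -> per-file key.
UID_KEY = hashlib.sha256(b"constructed-device-uid").digest()  # stand-in for fused key

def keystream_xor(key, data):
    """Toy counter-mode cipher with an HMAC-SHA256 keystream; stands in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def passcode_kek(passcode, iterations=20000):
    """UID key is a PBKDF2 input, so passcode guesses have to run on the device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), UID_KEY, iterations)

class Device:
    def __init__(self, passcode):
        kek = passcode_kek(passcode)
        self.wrapped_class_key = keystream_xor(kek, secrets.token_bytes(32))
        self.wrap_tag = hmac.new(kek, self.wrapped_class_key, "sha256").digest()
        self.class_key = None   # unwrapped copy lives in RAM only while unlocked
        self.files = {}         # name -> (wrapped file key, ciphertext)
    def unlock(self, passcode):
        if self.wrapped_class_key is None:
            return False        # wiped: nothing left to unwrap
        kek = passcode_kek(passcode)
        tag = hmac.new(kek, self.wrapped_class_key, "sha256").digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            return False        # wrong passcode: class key stays unavailable
        self.class_key = keystream_xor(kek, self.wrapped_class_key)
        return True
    def lock(self):
        self.class_key = None   # the only unwrapped copy is discarded
    def write(self, name, data):     # Complete-protection files need an unlocked device
        file_key = secrets.token_bytes(32)
        self.files[name] = (keystream_xor(self.class_key, file_key),
                            keystream_xor(file_key, data))
    def read(self, name):
        if self.class_key is None:
            return None         # locked: only ciphertext and wrapped keys remain
        wrapped_key, ciphertext = self.files[name]
        return keystream_xor(keystream_xor(self.class_key, wrapped_key), ciphertext)
    def remote_wipe(self):      # erase the wrapped class key; all files become garbage
        self.wrapped_class_key = self.wrap_tag = self.class_key = None
```

Once the device is locked, what remains in storage is ciphertext plus wrapped keys that can only be unwrapped by re-running the passcode derivation on this device, which is the sense in which the master key is not on a locked device; a wipe only has to destroy the wrapped class key.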