
Apple iPhone Security Weaknesses Exposed On YouTube

Deleted voice mail, e-mail, and other data on the iPhone 3GS is vulnerable to hackers, a security expert claims in two video tutorials.
A security expert has challenged Apple's claims that the iPhone 3GS is security-ready for business and government, posting tutorials on YouTube on how to access all the data stored on the smartphone, even deleted files more than a year old.

In one of the two YouTube videos posted Friday, Jonathan Zdziarski, an iPhone developer and forensics instructor, demonstrates how a user-created iPhone password can be easily circumvented. In the other video, Zdziarski shows how a hacker familiar with the iPhone could download a raw disk image that would provide personal information, deleted voice mail and email, information stored in the keyboard cache and an abundance of other data.

"iPhone security is not really enterprise-great, in my opinion, and I sincerely hope Apple fixes these issues," Zdziarski said in one of the tutorials. "At the same time, the consumer really needs to know that the device is not secure and consider that risk when considering whether or not to use this in a business environment or a government capacity."

Apple did not respond to a request for comment in time for this writing. But company executives have claimed that data encryption technology at the hardware level, as well as other security features, make the iPhone 3GS suitable for business or government use.

Timothy Cook, chief operating officer for Apple, told financial analysts this week during an earnings teleconference that hundreds of thousands of iPhones are used today in Fortune 100 and other companies, as well as government organizations and higher-education institutions.

While such adoption may be great for Apple, it worries Zdziarski. "Unfortunately, the iPhone is just completely wide open," he said.

In the first video, Zdziarski explains how a hacker could use readily available freeware utilities, such as iRecovery, PurpleRain, and RedSnow, to circumvent the iPhone 3GS's password protection using the backup function in Apple's iTunes software. The whole process is demonstrated in a video of less than seven minutes.

In the second tutorial, Zdziarski uses software tools available to law enforcement, but easily recreated by an experienced hacker, to download an unencrypted raw disk image from an iPhone 3GS. "The so-called hardware encryption doesn't actually offer any real encryption, because the iPhone, as it's sending the disk image, automatically decrypts it for you," Zdziarski said. "So it's as if the device has no encryption whatsoever."

Security issues have long plagued the iPhone, despite claims by Apple. In releasing version 3.0 of iPhone software in June, Apple included 46 fixes for security vulnerabilities.

