iPhone 3GS and BlackBerry (In)securities
- Tuesday, July 28, 2009, 11:46
- Threat Research
This week’s (potential) major fail goes to Apple for the iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their “iPhone Security Overview” isn’t so secure after all.
The official description of the new feature sounds pretty good:
iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses
AES 256 bit encoding to protect all data on the device. Encryption is always enabled,
and cannot be disabled by users.
“iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.”
But this excellent 2nd video demonstration by Jonathan Zdziarski shows plainly that there could be something very flawed about it.
Jonathon shows one of the architectural limitations of mobile platforms – you need the device to have a fail-safe hardware recovery mechanism (otherwise you could kill the hardware with bad software), but that opens the door to exploiting loader hacks, in his case, his subversion of the boot loader recovery mechanism to zero out the password (continue reading...)