There's Encryption, and Then There's the iPhone 3GS

Posted by John B. Frank Thursday, August 6, 2009


The day I saw the Apple commercial depicting an individual entering their credit card number into an iPhone I cringed. 

Of course I do the same thing every time I think about someone "typing" their numbers into a box on a website.

Last Friday, in a post entitled "In Two Weeks Your iPhone Will Be Hacked", I talked about the threats exposed at the Black Hat Conference in Las Vegas. Now I read that the iPhone 3GS is tantamount to writing your credit card number on a Post-it note and hanging it on your computer screen (which is essentially the same thing as typing it into a box on a website...).

All I can do is continue to repeat our mantra: "Don't Type...Swipe!" (and remind you that you can't say I didn't tell you so!)

(Excerpts Taken From ZDNET and Wired)


"Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. “It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

"The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" when it comes to protecting sensitive personal data such as credit card numbers, according to a forensics expert and iPhone developer."

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to an iPhone 3GS and some free software, data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, Zdziarski explained in a video demonstration.

Zdziarski added that there are other weaknesses with the iPhone: Pressing the Home button, and even zooming in on a screen, automatically creates a screenshot temporarily stored in the iPhone’s memory, which can be accessed later.

And then there’s the keyboard cache: key strokes logged in a file on the phone, which can contain information such as credit card numbers or confidential messages typed in Safari. Cached keyboard text can be recovered from a device dating back a year or more, Zdziarski said.

Apple has been touting the encryption and other features to entice corporate users to the device. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday."
