From: Priam on 27 May 2010 22:59

"Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn't prevent access to your data … as long as the person doing the snooping around is using Ubuntu “Lucid Lynx” 10.04.

Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx …

I uncovered a data protection vulnerability [9], which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07), all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

This is what you get via an auto mount without any PIN request:

See picture at: <http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424>

This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.

It's about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS's whole content is protected by encryption with a PIN code based authentication in place to unlock it.

This, quite honestly, is a staggering flaw. It basically allows anyone capable of driving a Linux PC to copy data off of an iPhone without the owner of the phone having any idea whatsoever that this has happened.

What's more worrying is that Marienfeldt and Herbeck think that write access to the iPhone is only a buffer overflow away, which means serious access."
From: nospam on 28 May 2010 14:28

In article <slrnhvvu0r.2jqc.g.kreme(a)ibook-g4.local>, Lewis <g.kreme(a)gmail.com.dontsendmecopies> wrote:

> > how many enterprises (e.g. Fortune 100) actually do rely on the
> > expectation that their iPhone 3GS's whole content is protected by
> > encryption with a PIN code based authentication in place to unlock it.
>
> What 'expectation' of encryption?

the expectation is because apple said it has hardware encryption.
From: Priam on 28 May 2010 15:40

On 05/28/2010 01:06 PM, Lewis wrote:
> In message <htnbd7$ncd$1(a)news.eternal-september.org> Priam
> <priam(a)notsosure.com> wrote:
>> "Do you have a PIN code on your iPhone? Well, while that might protect
>> you from someone making a call or fiddling with your apps, it doesn't
>> prevent access to your data … as long as the person doing the snooping
>> around is using Ubuntu “Lucid Lynx” 10.04.
>
> Erm. Or any OS. The pin code is NOT an encryption key to your data.
> Never has been.
>
>> I uncovered a data protection vulnerability [9], which I could
>> reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B)
>> with different iPhone OS versions installed (3.1.3-7E18 modem firmware
>> 05.12.01 and version 3.1.2 -7D11, modem 05.11.07), all PIN code
>> protected which means the vulnerability bypasses authentication for
>> various data where people most likely rely on data protection through
>> encryption and do not expect that authentication is not in place.
>
> An 'expert' who is confusing a password with encryption?

I agree that the wording is confusing but access to data should be impossible.

> I see no evidence these people are capable of thinking.

I see no evidence you are capable of thinking the most basic consequences of this security breach. Do you have any idea of how many iPhones are lost every year? Do you really believe it's OK that all the data on those phones can be shared with whoever found the phone? If this doesn't show how little Apple cares about security, what does?
From: Priam on 28 May 2010 15:41

On 05/28/2010 02:28 PM, nospam wrote:
> In article <slrnhvvu0r.2jqc.g.kreme(a)ibook-g4.local>, Lewis
> <g.kreme(a)gmail.com.dontsendmecopies> wrote:
>
>>> how many enterprises (e.g. Fortune 100) actually do rely on the
>>> expectation that their iPhone 3GS's whole content is protected by
>>> encryption with a PIN code based authentication in place to unlock it.
>>
>> What 'expectation' of encryption?
>
> the expectation is because apple said it has hardware encryption.

“And your data is secure with support for encrypted data in transmission, hardware encryption for data at rest, and encrypted backups in iTunes.”

<http://www.apple.com/iphone/business/integration/>

Great security, Apple!