Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.
Typically, an iPhone attached to a Windows, OSX, or pre-10.04 Ubuntu system grants access to the DCIM folder only. However, by connecting a powered-off iPhone to a computer running Ubuntu 10.04 (“Lucid Lynx”) and powering the iPhone back on, Marienfeldt was able to gain read-write access to the complete contents of four different non-jailbroken iPhone 3GS phones. Each phone ran a different version of the iPhone operating system, had passcode-protection enabled immediately, and had never been connected to a PC before.
Marienfeldt could access photos, videos, audio, and the Google safe-browsing database, all without leaving any evidence that he had accessed the phone at all. He points out that write-access could also make the phones vulnerable to a buffer overflow attack.
The vulnerability is not a flaw in Ubuntu, but a problem with the way the iPhone handles authentication when attached to a computer. The tech blog Sukimashita reported Windows or OSX systems using applications such as iPhone Explorer could also access protected iPhone 3GS data if the device was powered off when first attached.
According to Marienfeldt, Apple has reproduced the issue but has not issued a statement as to when the vulnerability will be patched.
As we have reported, security experts criticize Apple’s lack of emphasis on security for its mobile devices. Yet 4 of 10 iPhones are sold to enterprise users. Corporate users likely expect their data to be secure and encrypted. According to Apple’s own iPhone in Business Security Overview document:
iPhone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and for iPhone 3GS, hardware encryption for all data stored on the device. iPhone also provides secure protection through the use of passcode policies that can be enforced and delivered over-the-air.
Trust Digital, which was acquired by McAfee last week, offers a third-party security solution for iPhone OS, Android, Web OS, Windows Mobile, and Symbian mobile operating systems.
iPhone passcode image via Apple; Ubuntu screenshot via Bernd Marienfeld.