Friday, July 24, 2009

iPhone Encryption Easily Defeated

One of the digs against the use of an iPhone in a corporate environment is the lack of enterprise-level security on the device. With sensitive business and personal information contained within email and documents stored on the phone, it's imperative that there are effective, robust controls in place to keep the data from being breached.

Apple has been touting the encryption solution that's part of the new 3GS model as their answer to those who doubted an iPhone in the enterprise was ready for prime time. It's reported that Apple uses the 448-bit Blowfish encryption algorithm, which provides a measure of cryptographic protection. But does it really keep the bad guys out of your data?

Sadly, it doesn't appear to be very successful. Wired has a report indicating that data can be siphoned off an encrypted iPhone in minutes using readily available software, and that a complete disk image can be created in less than an hour.

There seems to be a minor issue with the iPhone in that once data starts being extracted, the phone begins decrypting the data on its own. Wow.

This is particularly troubling in light of some recent legislation in Massachusetts and Nevada that requires that personal information of state residents be encrypted on any device that is not within the confines of the corporate network. This includes Blackberry devices, smart phones, removable USB drives, and so on. Since it's difficult to discern the legal residence of a customer's data once it is mixed and mashed with everyone else's data, corporations generally choose to protect all personal information in the same manner, regardless of domicile.

As a security professional, I would never recommend using the iPhone at a corporate level until Apple matures their security configuration and control environment. It's up to each business to evaluate the level of risk they are willing to accept, and for some, use of the iPhone will fall within acceptable risk parameters. Sooner or later, however, a breach will occur - someone's information will be stolen or used inappropriately - and there will be statutory penalties in addition to the inevitable civil suit.

Apple has an uphill trek to achieve the same security posture as RIM with their series of Blackberry devices. Don't expect Cupertino to reach the peak anytime soon.
