iPhone security issue

[racedog]

Looks like Apple may have some explaining to do. After reaming MS (deservedly so) for so long it appears that the iPhone may have some serious security concerns of its own.

iPhone security “broken” - business users take note

R

 

[wickedwahine11]

I'm nervous enough about using eBay on the iPhone. I think my banking will not be done that way...

 

[racedog]

I am a business user so the article is a major concern to me. I guess what really bothers me is the apparent lack of concern here on these forums. Security doesn't seem to be of any concern. Had this been discovered on another cell platform I suspect people would have been jumping all over it.

R

 

[snakes2003g]

i am sure that this will get looked at by apple and the 3.1 update will patch most if not all of these concerned areas in the code.

 

[whmurray]

I'm nervous enough about using eBay on the iPhone. I think my banking will not be done that way...

Not much to go on but the vulnerability in question does not appear to impact applications. Rather, it exposes data stored on the phone to someone who finds or steals it. While one might not want to store state secrets on it, for individuals and most data it is a vulnerability without a threat. An enterprise with hundreds or thousands might want to multiply this small risk by the number of its devices.

My understanding from Security Now with Steve Gibson is that the guy that developed the attack plans to demo it at a hacker conference this week. A source said the demo will be against 2.0 and that it is not known if 3.0 is vulnerable to the same attack.

Watch this space but do not over-react.

 

[whmurray]

Watch this space but do not over-react.

Okay. Additional report on Crave confirms that this attack is against poorly implemented crypto ["Crypto is harder than it looks." --Bruce Schneier. "People do not break crypto; they bypass it." -- Adi Shamir.] intended to protect data stored on the iPhone from someone who has possession of it. While the details of this attack will eventually leak and will be available to someone who targets data on a particular iPhone, it does not mean that just anyone who finds your iPhone will be able to recover your contact list.

There is a secondary mechanism intended to resist recovery of such data. This measure is intended to permit one to remotely erase the data on a lost or stolen iPhone by sending it an "emergency erase message." However, this mechanism can be defeated by removing the SIM chip before the message is sent. Therefore, if your phone is lost do not wait to send the message; you will only lose data entered on the iPhone since your last sync.]

[Note to developers. "There are an infinite number of ways to implement crypto, most of them weak." --Jonathon Oseas. Implementing crypto is not a job for amateurs. If Apple cannot do it, neither can you. Get help from a lab that specializes in crypto and enjoys a reputation among cryptographers.]