ENISA smartphone cyber security report

Posted on December 14, 2010February 4, 2011 by Bernd

ENISA, the European Network and Information Security Agency [1], released their latest EU’s cyber-security agency report which highlights risks, opportunities and recommendations for users of smartphones.

I am glad that part of my work towards more secure smartphones was mentioned and referenced in this latest update.

Given the growing importance of smartphones for EU businesses, governments and citizens, we consider it essential to assess their security and privacy implications.

says Prof. Dr.Udo Helmbrecht, Executive Director of ENISA.

Smartphones are a goldmine of sensitive and personal information – it’s vital to understand how to maintain our control over this data. We’ve designed our recommendations to plug into a typical security policy

says Dr. Giles Hogben, co-author of the report.

The full story

Reference:

[1] http://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency or http://tinyurl.com/237ac8h

Apple iPhone

Making phone calls with locked iOS 4.1

Posted on October 26, 2010February 4, 2011 by Bernd

I came an article across which describes how to make a phone call from a locked iPhone with iOS 4.1. The web link refers to a Mac Forum where a member explains how to produce the hack:

When you iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.

I tried it out and it doesn’t work for me on iPhone 3GS (Model MC 132B) with iPhone 4.1 (8B117).(* see update)

The person who discovered the flaw mentioned that he used a jailbroken phone but some people claimed that they could reproduce it on non jailbroken versions.

I am now wondering if the flaw depends on specific hardware parameters(* see update ) like processor speed etc. and it currently can only be practised on the more powerfull iPhone 4.

*Update: Confirmed to be working on iPhone 3GS with iOS 4.0 (8A293) (model MC131B) and if you are quick enough it also works on iPhone 3GS (Model MC 132B) with iPhone 4.1 (8B117).

Apple iPhone

Apple iOS4 iPhone update

Posted on June 24, 2010February 4, 2011 by Bernd

Apple says U p d a t i n g i s e a s y. But if you care about security it’s not:

I strongly recommend following update procedure for iOS4:

Upgrading your iPhone to the latest version is the normal procedure, however if you read the installation notes during the software update very carefully you will note as mentioned:

Apple: * Better data protection using the device passcode as an encryption key* (Requires full restore)

What this means is that unless you go through the Full Restore process you will not gain any data protection improvement promised by Apple.

iOS4 Update flowchart

1.) Make sure your PC system is connected to a reliable power source.

2.) Get iTunes up to date, use the built in update function (Help -> Check for Updates)

3.) Make a backup of your iPhone data: Connect your iPhone to the computer system and open iTunes. Under ‘Devices’ on the left hand side of the window, right-click on the name you assigned your iPhone and first select ‘Sync’. Once this has been completed follow the same procedure, only this time select ‘Back Up’. Again, once this is finished right click on your iPhone and finally select ‘Transfer Purchases’. Once this has been done your iPhone would be fully backed up onto iTunes locally.

4.) iPhone iOS4 installation Phase 1:

Once you have fully backed up your iPhone go onto ‘Summary’ and select ‘Check for Updates’. The option to update to the latest version (4.0) will appear, select the update option and leave the iPhone to run its system update. The iPhone will require restarting.

Apple iOS 4 update is disabling your security settings: After the update Apple iOS4 leaves you with no passcode protection and “Erase Data” feature disabled even when you have set this up before the update.

After the iOS4 update make sure under Settings – General – Passcode Lock On:

– Require Passcode is set to “Immediately”

– Simple Passcode is set to “OFF” , I recommend at least 6 characters (numbers and or letters with at least one special character included). This is very important as the passcode will be used to generate your encryption key during the full restore procedure .

– Erase Data is set to “ON”

5.) iPhone iOS4 installation Phase 2:

Note: If a Backup is available you should not lose any data at all.

Once the iPhone has completed its updates, select ‘Restore’ in the ‘Summary’ section of iTunes. If you have already backed up your iPhone with all the latest changes you’ve made to it (New songs, pictures etc) you won’t need to update the iPhone again, just allow it to run its System Restore, this will reset the iPhone back to its factory settings. Once the process is completed the device will restart and the Apple logo will appear on the screen. After the restore, the iPhone displays the “Connect to iTunes” screen. Keep your device connected until the “Connect to iTunes” screen goes away or you see “iPhone is activated.” If iTunes does not have an Internet connection, you cannot complete this step.

Finally, to restore your device from the previous backup you should be able to see a set of options in iTunes, stating that “An iPhone has been previously synced with this computer” with a list of synced devices, select the backup from which you want to restore your settings and select the continue button to complete the devices restoration.

Thank You

Appendix:

Apple iOS4 Software Update Release Notes:

iOS 4 Software Update

This update contains over 100 new features, including the following:

* Multitasking support for third-party apps*
– Multitasking user interface to quickly move between
apps
– Support for audio apps to play in the background
– VoIP apps can receive and maintain calls in the
background or when device is asleep
– Apps can monitor location and take action while
running in the background
– Alerts and messages can be pushed to apps using
push and local notifications
– Apps can complete tasks in the background
* Folders to better organise and access apps
* Home screen Wallpaper*
* Mail improvements
– Unified inbox to view emails from all accounts in one
place
– Fast inbox switching to quickly switch between
different email accounts
– Threaded messages to view multiple emails from the
same conversation
– Attachments can be opened with compatible third-
party apps
– Search results can now be filed or deleted
– Option to select size of photo attachments
– Messages in the outbox can be edited or deleted
* Support for iBooks and iBookstore (available from the
App Store)
* Photo and Camera improvements
– 5x digital zoom when taking a photo**
– Tap to focus during video recording**
– Ability to sync Faces from iPhoto
– Geo-tagged photos appear on a map in Photos
* Ability to create and edit playlists on device
* Calendar invitations can be sent and accepted wirelessly
with supported CalDAV servers
* Support for MobileMe calendar sharing
* Suggestions and recent searches appear during a web
search
* Searchable SMS/MMS messages**
* Spotlight search can be continued on web and Wikipedia
* Enhanced location privacy
– New Location Services icon in the status bar
– Indication of which apps have requested your location
in the last 24 hours
– Location Services can be toggled on or off for
individual apps
* Automatic spellcheck
* Support for Bluetooth keyboards*
* iPod out to navigate music, podcasts and audiobooks
through an iPod interface with compatible cars
* Support for iTunes gifting of apps
* Wireless notes syncing with IMAP-based mail accounts
* Persistent Wi-Fi connection to receive push notifications*
* New setting for turning on/off mobile (cellular) data only**
* Option to display the character count while composing
new SMS/MMS**
* Visual Voicemail messages can be kept locally even if
they have been deleted from the server**
* Control to lock portrait orientation*
* Audio playback controls for iPod and third-party audio
apps*
* New languages, dictionaries and keyboards
* Accessibility enhancements*
* Bluetooth improvements
* Better data protection using the device passcode as an
encryption key* (Requires full restore.)
* Support for third-party Mobile Device Management
solutions
* Enables wireless distribution of enterprise applications
* Exchange Server 2010 compatibility
* Support for multiple Exchange ActiveSync accounts
* Support for Juniper Junos Pulse and Cisco AnyConnect
SSL VPN apps (available from the App Store)
* More than 1,500 new developer APIs
* Bug fixes

Products compatible with this software update:
* iPhone 3G
* iPhone 3GS
* iPhone 4
* iPod touch 2nd generation
* iPod touch 3rd generation (late 2009 models with 32GB
or 64GB)

* Requires iPhone 3GS, iPhone 4 or iPod touch 3rd generation.
** Requires iPhone 3G, iPhone 3GS or iPhone 4. SMS/MMS messaging and Visual Voicemail require support from your wireless carrier.

For feature descriptions and complete instructions, see the user guides for iPhone and iPod touch at:
<http://support.apple.com/manuals/iphone>
<http://support.apple.com/manuals/ipodtouch>

For more information about iPhone and iPod touch, go to:
<http://www.apple.com/uk/iphone>
<http://www.apple.com/uk/ipodtouch>

To troubleshoot your iPhone or iPod touch, or to view additional support information go to:
<http://www.apple.com/uk/support/iphone>
<http://www.apple.com/uk/support/ipodtouch>

For information on the security content of this update, please visit this website:
<http://support.apple.com/kb/HT1222>

Apple iPhone

iPhone Advice

Posted on June 24, 2010February 4, 2011 by Bernd

Be aware of that Apple iOS 4 update is disabling your security settings, see Update 24/06/2010 below

Do not store any sensitive or confidential data on your iPhone and follow the iOS4 update procedure described.

Shutdown your iPhone only in the locked state and keep it in locked state when not in use: Intending to shutdown your iPhone from the unlocked state (thats when you see the App icons) press the top right button once. Wait a second and then keep pressing the button again until the slide to power off appears and then shutdown your iPhone.

Please do also use the “encryption” feature with iTunes for your Backup. Click on your phone device under iTunes and under Summary -> Options Select “Encrypt iPhone Backup” and use a strong password.

Ideally Do store your Backup only on a PC with an encrypted storage.

Apple will release iOS 4 which might fix the massive security vulnerability for the iPhone 3G and iPhone 3GS. Please update asap. According to Apple the release date will be on the 21st of June 2010.

Apple released today (21st June 2010) a newer version of the iPhone software (version 4.0-8A293). If you want to update the phone please make sure to get iTunes also updated to its latest version 9.2.0.61 before attempting the software update.

After the first tests done, please bear in mind that I need further investigations followed to provide a more reliable conclusion. So far it turns out that the time-of-check-to-time-of-use (TOCTTOU) bug (race condition) seems to be patched in iOS4. The flaw is for me no longer reproducible in the way described.

However, I would not call the issue as cleared off for the time being:

Apple security release notes can be found here and Apple is not mentioning anything about the security improvements towards better authentication and/or encryption.

If you read the installation notes during the software update very carefully you will note:

“* Better data protection using the device passcode as an encryption key* (Requires full restore)”

What this means is that unless you go through the Full restore process you will not gain any data protection improvement promised by Apple.

Update 22/06/2010:

Apple hasn’t pointed this out so far but I would strongly recommend following update procedure for iOS4:

Upgrading your iPhone to the latest version is the normal procedure, however if you read the installation notes during the software update very carefully you will note as mentioned:

Apple: * Better data protection using the device passcode as an encryption key* (Requires full restore)

What this means is that unless you go through the Full Restore process you will not gain any data protection improvement promised by Apple.

1.) Make sure your PC system is connected to a reliable power source.

2.) Get iTunes up to date, use the built in update function (Help -> Check for Updates)

4.) iPhone iOS4 installation Phase 1:

Added 24/06/2010

After the iOS4 update make sure under Settings – General – Passcode Lock On:

– Require Passcode is set to “Immediately”

– Erase Data is set to “ON”

5.) iPhone iOS4 installation Phase 2:

Note: If a Backup is available you should not lose any data at all.

Update 24/06/2010:

After the iOS4 update make sure under Settings – General – Passcode Lock On:

– Require Passcode is set to “Immediately”

– Erase Data is set to “ON”

If you had to change from Simple Passcode “ON” to a more complex passcode follow again the “iPhone iOS4 installation Phase 2” described above. This will generate a new stronger encryption key.

To make it easier, I summarized the iOS4 iPhone update.

Thank You.

Apple iPhone

iPhone business security framework

Posted on March 22, 2010February 4, 2011 by Bernd

Overview:

I recently had the chance to look into Apple’s iPhone [11] security model specifically for the 3G and 3GS version. As the iPhone acts as a small computing device my concerns are related to the integrity of the device, communication and the security of data stored locally. Apple provides an “iPhone Security Overview” [1] which is a good start to find out more about:

Apple iPhone mobile device security features:

Apple Enterprise Management and Security:

Supports standards-based servers for mail, calendar and contacts integration. Syncing with IMAP mail servers and search the mail server from the iPhone.

CalDAV-compliant calendar servers like iCal Server, Oracle Beehive, Kerio and Zimbra.

iPhone 3GS protects data through encryption of information in transmission, at rest on the device, and when backed up to iTunes.

Provides secure methods to prevent unauthorised use of the device through passcode policies and restrictions.

In the event of a lost or stolen iPhone, you can even clear all data and settings by issuing a remote wipe command from Microsoft Exchange.

Network communications stay secure with Cisco IPSec VPN, WPA2 Enterprise Wi-Fi and SSL/TLS on iPhone.

Microsoft Exchange users can enforce complex passcodes, camera restrictions and other policies on iPhone to protect corporate data.

Certificate-based authentication enables iPhone to connect with corporate servers via Exchange as well as VPN On Demand, making network communications seamless and secure.

Security Configuration Profiles:

Establish corporate passcode policies and settings with configuration profiles created and distributed via USB or over the air.

With configuration profiles, you can remotely configure your company’s VPN, email and wireless network settings, ensuring that each iPhone is secure and ready for business.

For users, installing a configuration profile is as easy as tapping a secure web link or receiving an email with the configuration profile attached. Configuration profiles can be signed and encrypted – and once installed, individual users can be restricted from removing these profiles from their iPhones.

Framework:

This is the outcome of the overview and more research on various details matched against the security requirements which I would like to see implemented, so an iPhone can become a reasonable secure mobile network device:

Platform Protection
OS Patch Management
Antivirus Protection
Network Traffic Filtering
Application Security
Data Storage Protection
Communication Encryption
Wireless Security
Manageability of Acceptable Use

Platform Security:

Requirement:	iPhone3G(S):	Comment:
Application Security:	– Runtime Protection (Sandboxing) – Mandatory Code signing	Separates local Data stored by applications and the code itself from each other and protects from third-party applications. Code signing binds your application framework to Apple).
OS Patch Management	Build in update feature for iPhone OS	Similar to OS X the phone can fetch automatic updates when connected to a network.
Antivirus Protection	None built in.	Apple claims no need for this. Jailbreaking [2] would make a need for it.
Manageability of Acceptable Use	– Password Management and Enforcement – Remote and local wipe – Restriction management of: iTunes Store medias, Use of Safari, Use of YouTube, Use of App Store, Installations of Applications, Use of the camera	This is mostly to restrict the use of the device through a policy. Most of the sync profile updates can only be synced automatically using a Microsoft Exchange server. However profiles can also be manually applied via email attachment or through a download from a website.

Network Security:

Requirement:	iPhone3G(S):	Comment:
Network Traffic Filtering	A built in firewall is not claimed	A host based firewall solution is not available through Apples App store.
Communication Encryption	– Common Crypto APIs – SSL/TLS	Solid SSL/TLS support promised.
VPN	– Cisco IPSec – L2TP/IPSec – PPTP	Solid VPN support promised but I am missing the OpenVPN standard.
Authentication	– Password (MSCHAPv2) – RSASecurID – CRYPTOCard – x.509 Digital Certificates – Shared Secret – X.509 certificates with RSA keys	Common Authentication schemas are supported RSASecureID capability can make the phone becoming a one time security token for 2 and more factor authentication.
Wireless Security	– WPA – WPA2 shared key – WPA2 Enterprise mode	Solid Authentication and Encryption support for 802.11 b/g wireless networks.

Local Data:

Requirement:	iPhone3G(S):	Comment:
Data protection	– Encrypted configuration – Encrypted i-Tunes backup	Encrypted profiles can be only read by an Admin. Broken authentication model [9]
Data encryption	– Hardware based Full DIsk Encryption (FDE).	Iphone3GS offers hardware-based- encryption and uses AES 256 bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users. However the encryption renders pointless by the FDE key implementation flaw [4]
Password storage	Keychain Services	Local passwords and logins are stored in an encrypted local safe.

Outcome:

Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to a network [3].

These risks should be mitigated to acceptable levels. A portable -computing device and -electronic storage media that contains confidential, personal, or sensitive information should use encryption or equally strong measures to protect the data while they are in transit or stored.

The Apple iPhone can’t fully satisfy the requirements. People should understand that the iPhone 3GS fails to provide full disk encryption (FDE) which renders useless by how the phone manages the protection of the encryption key [4] and that the authentication model for the FDE is also broken.[see recent update]. Most of automatic sync and update features are built around Microsofts Exchange Server however important security profile management and updates can be achieved by manual interaction of the user without using Exchange.

The iPhone’s operating system is designed to only run software that has an Apple-approved cryptographic signature. This should protect from malicious third-party applications but it certainly leaves authority and actual security management fully in the hand of Apple. There is no open Source code involved and applications can only be chosen from Apples apps store. Apples recent removal of random content and apps [5] makes users wonder if the trust in Apple is justifiable.

Restrictions can be overcome by “jailbreaking” the device [2], which involves replacing the iPhone’s firmware with a slightly modified version that does not enforce the signature check. Jailbroken phones are at risk for an iPhone worm and system compromise through malicious applications.

By the time writing there is no way to directly encrypt or sign your email and although there are some more (non security related) caveats like: Java and Flash aren’t supported and the fact Apple iTunes software latest version is only running on Windows and Apple platforms, the iPhone still can be used in an efficient way if people understand that there is no secure FDE available and a appropriate policy is in place to cover these facts.

Having this said, iPhone security really only applies with having a sensible trust in Apples business model, being the gatekeeper for your own security needs, and when user’s attitude takes into account that the iPhones Hard Disk encryption and Authentication model is useless towards storage protection.

Update 17/05/2010: Apple’s iPhone 3GS broken authentication model:

I uncovered a data protection vulnerability [9], which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07) , all passcode (4 digits) protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.

To clarify, the given file access is read and write !

This is what you get via an auto mount without any PIN (passcode 4 digits) request:

The unprotected iPhone 3GS mounting is “limited” to the DCIM folder under Ubuntu < 10.04 LTS, Apple Macintosh, Windows 2000 SP2 and Windows 7. The way Ubuntu Lucid Lynx handles the iPhone 3GS [6,7,8] allows to get more content (please do make sure that the native Ubuntu system is fully up to date, e.g. “apt-get update, “apt-get upgrade” – any virtualization based solution will not work as described). I used the Alternate CD with x86 and AMD64 on different hardware.

The “Libimobiledevice” [6] developers probably done just their best to make some content available under Linux but nevertheless I would still expect that the iPhone 3GS takes ownership and requests an authentication challenge when in the process to be mounted.

Copied contents file structure:

bernd@isopiece:~/Desktop/phonecontents$ ls -R
.:
ApplicationArchives com.apple.itunes.lock_sync Downloads Photos PublicStaging Recordings
com.apple.itdbprep.postprocess.lock DCIM iTunes_Control Podcasts Purchases Safari

./ApplicationArchives:
com.occamygames.motoxmayhem.zip

./DCIM:
100APPLE

./DCIM/100APPLE:
IMG_0433.JPG IMG_0435.JPG IMG_0436.JPG IMG_0437.JPG IMG_0438.JPG IMG_0439.JPG img_1974.jpg

./Downloads:
manifest.plist

./iTunes_Control:
Artwork Device iTunes Music Ringtones

./iTunes_Control/Artwork:
ArtworkDB F3001_1.ithmb F3002_1.ithmb F3003_1.ithmb F3005_1.ithmb F3006_1.ithmb F3007_1.ithmb F3012_1.ithmb

./iTunes_Control/Device:
HashInfo SysInfoExtended Trainer

./iTunes_Control/Device/Trainer:
Workouts

./iTunes_Control/Device/Trainer/Workouts:
Empeds

./iTunes_Control/Device/Trainer/Workouts/Empeds:
4H0047X7VSX linkData

./iTunes_Control/Device/Trainer/Workouts/Empeds/4H0047X7VSX:
bests.plist calibration.xml lastWorkout.xml latest preferences.xml settings.plist

./iTunes_Control/Device/Trainer/Workouts/Empeds/4H0047X7VSX/latest:
2010-04-19 18;07;04.xml 2010-04-20 17;50;49.xml 2010-04-20 18;02;57.xml 2010-04-21 18;01;51.xml

./iTunes_Control/iTunes:
IC-Info.sidb iTunesApplicationIDs iTunesControl iTunes Library.itlp iTunesMovies iTunesPrefs Rentals.plist VoiceMemos.plist
IC-Info.sidv iTunesCDB iTunesDB iTunesMoviePlaylists iTunesPlaylists iTunesPrefs.plist Ringtones.plist

./iTunes_Control/iTunes/iTunes Library.itlp:
DBTemp Dynamic.itdb Extras.itdb Genius.itdb Library.itdb Locations.itdb Locations.itdb.cbk

./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp:
Backup ddd.itdbm

./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup:
iTunes_Control

./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control:
iTunes

./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control/iTunes:
iTunes Library.itlp

./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control/iTunes/iTunes Library.itlp:
Dynamic.itdb Extras.itdb Library.itdb Locations.itdb Locations.itdb.cbk

./iTunes_Control/Music:
F00 F02 F04 F06 F08 F10 F12 F14 F16 F18 F20 F22 F24 F26 F28 F30 F32 F34 F36 F38 F40 F42 F44 F46 F48
F01 F03 F05 F07 F09 F11 F13 F15 F17 F19 F21 F23 F25 F27 F29 F31 F33 F35 F37 F39 F41 F43 F45 F47 F49

./iTunes_Control/Music/F00:
AUXM.mp3 BPGL.mp3 CMKZ.mp3 DXEC.mp3 FWQN.mp3 IGUA.mp3 KHDB.mp3 MTCN.mp3 OOZM.mp3 OVLK.mp3 RIDE.mp3 SOAU.mp3 TWFV.mp3 UJHE.mp3 YBIW.mp3
BLXF.mp3 CDIN.mp3 DICJ.mp3 EXLN.mp3 GAZI.mp3 JEXQ.mp3 KYKH.mp3 NEUC.mp3 ORHK.mp3 QWGA.mp3 SNIN.mp3 TAPC.mp3 TZIF.mp3 VTCR.mp3

./iTunes_Control/Music/F01:
ACPV.mp3 BZVB.mp3 DNTQ.mp3 FDZE.mp3 GECU.mp3 IMPV.mp3 KJCP.mp3 KWFT.mp3 LKJF.mp3 MSPV.mp3 NQVB.mp3 TOJU.mp3 WKQU.mp3 XBTL.mp3 YNYH.mp3
BZPH.mp3 CBSB.mp3 EEWN.mp3 GDYD.mp3 GXSW.mp3 JHUJ.mp3 KPSS.mp3 LDKQ.mp3 MLZI.mp3 NKQK.mp3 PHDL.mp3 TVVO.mp3 WYCW.mp3 YLIT.mp3

……

./iTunes_Control/Ringtones:

./Photos:

./Podcasts:

./PublicStaging:

./Purchases:

./Recordings:
20100517 111440.m4a 20100517 111501.m4a 20100519 122148.m4a Recordings.db

./Safari:
goog-phish-shavar.dat_aside

Contents list of disk usage:

bernd@isopiece:~/Desktop/phonecontents$ du -h
4.0K   ./PublicStaging
920K   ./Safari
4.0K   ./iTunes_Control/Ringtones
107M   ./iTunes_Control/Music/F23
133M   ./iTunes_Control/Music/F39
124M   ./iTunes_Control/Music/F29
122M   ./iTunes_Control/Music/F40
136M   ./iTunes_Control/Music/F47
109M   ./iTunes_Control/Music/F11
98M   ./iTunes_Control/Music/F05
174M   ./iTunes_Control/Music/F27
76M   ./iTunes_Control/Music/F07
130M   ./iTunes_Control/Music/F42
167M   ./iTunes_Control/Music/F06
139M   ./iTunes_Control/Music/F44
104M   ./iTunes_Control/Music/F19
116M   ./iTunes_Control/Music/F46
111M   ./iTunes_Control/Music/F21
164M   ./iTunes_Control/Music/F15
141M   ./iTunes_Control/Music/F25
168M   ./iTunes_Control/Music/F37
121M   ./iTunes_Control/Music/F03
140M   ./iTunes_Control/Music/F38
150M   ./iTunes_Control/Music/F45
132M   ./iTunes_Control/Music/F10
67M   ./iTunes_Control/Music/F20
80M   ./iTunes_Control/Music/F41
135M   ./iTunes_Control/Music/F43
148M   ./iTunes_Control/Music/F48
161M   ./iTunes_Control/Music/F24
96M   ./iTunes_Control/Music/F04
1.5G   ./iTunes_Control/Music/F09
127M   ./iTunes_Control/Music/F02
116M   ./iTunes_Control/Music/F22
147M   ./iTunes_Control/Music/F49
132M   ./iTunes_Control/Music/F18
185M   ./iTunes_Control/Music/F26
168M   ./iTunes_Control/Music/F35
130M   ./iTunes_Control/Music/F17
126M   ./iTunes_Control/Music/F33
275M   ./iTunes_Control/Music/F30
146M   ./iTunes_Control/Music/F34
154M   ./iTunes_Control/Music/F08
132M   ./iTunes_Control/Music/F36
226M   ./iTunes_Control/Music/F12
183M   ./iTunes_Control/Music/F00
121M   ./iTunes_Control/Music/F28
234M   ./iTunes_Control/Music/F31
140M   ./iTunes_Control/Music/F14
98M   ./iTunes_Control/Music/F16
182M   ./iTunes_Control/Music/F32
169M   ./iTunes_Control/Music/F01
197M   ./iTunes_Control/Music/F13
8.3G   ./iTunes_Control/Music
94M   ./iTunes_Control/Artwork
4.5M   ./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control/iTunes/iTunes Library.itlp
4.5M   ./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control/iTunes
4.5M   ./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup/iTunes_Control
4.5M   ./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp/Backup
4.5M   ./iTunes_Control/iTunes/iTunes Library.itlp/DBTemp
9.0M   ./iTunes_Control/iTunes/iTunes Library.itlp
9.4M   ./iTunes_Control/iTunes
20K   ./iTunes_Control/Device/Trainer/Workouts/Empeds/4H0047X7VSX/latest
44K   ./iTunes_Control/Device/Trainer/Workouts/Empeds/4H0047X7VSX
52K   ./iTunes_Control/Device/Trainer/Workouts/Empeds
56K   ./iTunes_Control/Device/Trainer/Workouts
60K   ./iTunes_Control/Device/Trainer
96K   ./iTunes_Control/Device
8.4G   ./iTunes_Control
4.0K   ./Photos
4.0K   ./Podcasts
2.0M   ./Recordings
8.0K   ./Downloads
4.0K   ./Purchases
55M   ./ApplicationArchives
16K   ./DCIM/.MISC
7.3M   ./DCIM/100APPLE/.MISC
18M   ./DCIM/100APPLE
18M   ./DCIM
8.4G   .

This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a passcode based authentication in place to unlock it.

The contents sample have been collected off a non jail broken iPhone 3GS (with latest iPhone OS installed, all apps fully up to date and immediately “PIN lock” (passcode, 4 digits) enabled, by simply connecting it powered off via USB to a Linux Lucid Lynx PC (10.04) and then switched back on – being automatically mounted with given insecurity and never been attached to the PC before.

Other exposed contents and OS behavior has to be further investigated. The allowed write access could also lead into triggering a buffer overflow.

We already know that iPhone 3GS encryption is broken by the way the encryption key is handled [4].

The newly uncovered vulnerability shows that the Apple’s iPhone 3GS authentication model is somehow or other broken. The iPhone vulnerability was covered in SANS webcast “iPhone Insecurity” by Jim Herbeck [10]: Webcast audio excerpt of iPhone vulnerability.

Apple iPhone Security Overview [1]:

Data Protection:

Protecting data stored on iPhone is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in trans-mission, iPhone 3GS provides hardware encryption for data stored on the device.

Encryption:

iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.

Update 25/05/2010:

Apple’s product security team (case 105700225) still can’t reproduce described auto mounting and believes it could be a “race condition” or “a pairing issue” but is trying to get to the bottom of this issue and I am more than happy to assist, given a total 33.75 million of iPhones have been sold at Q4 2009 [11].

Update 27/05/2010:

Apple could reproduce the as described serious issue and believes to understand why this can happen but cannot provide timing or further details on the release of a fix.

Update 29/05/2010:

To clarify: This is a iPhone vulnerability and not an Ubuntu/Linux/libimobiledevice specific issue. Please see also “News” under [6]. In other words, Ubuntu Lucid Lynx just helped me to uncover the flaw easier.

The reason behind the issue that some people are not able to reproduce the time-of-check-to-time-of-use (TOCTTOU) bug [12] lies in the implementation of the iPhone authentication model, not the OS you tested with. So, this has nothing to do with the OS you used, but with the iPhone itself, and nothing else. People are best of luck to reproduce the flaw in getting the long boot cycle by powering off the iPhone from the non locked state.

Update 31/05/2010:

heise Security did manage to access a full backup of the iPhone by connecting the device to iTunes under Windows, using the flaw I uncovered recently. They could read notes, SMS-messages and even passwords in plaintext.

More info (in German):

http://www.heise.de/security/meldung/iPhone-Leck-weitet-sich-aus-1012473.html

Update 01/06/2010:

The H Security explains their associates findings from heise Security in English:

“While with Linux only a few selected folders on the iPhone were displayed, Windows allowed full system access. For instance, it was no problem to create a complete backup using iTunes, including items such as notes, text messages and even plain text passwords.”

Update 03/06/2010:

Please follow the uncertain workaround but take it as an intermediate advice:

Shutdown your iPhone only in the locked state and keep it in locked state when not in use.

Update 05/06/2010:

Please do also use the “encryption” feature with iTunes for your Backup [13].

Update 08/06/2010:

Apple will release iOS 4 which might fix the massive security vulnerability for the iPhone 3G and iPhone 3GS. Please update asap. According to Apple the release date will be on the 21st of June 2010.

Update 21/06/2010:

Apple released today a newer version of the iPhone software (version 4.0 8A293). If you want to update the phone please make sure to get iTunes also updated to the latest version 9.2.0.61 before attempting the software update.

After the first tests done, please bear in mind that I need further investigations followed to provide a more reliable conclusion. So far it turns out that the time-of-check-to-time-of-use (TOCTTOU) bug (race condition) [12] seems to be patched in iOS4. The flaw is no longer reproducible for me in the way described above.

However, I would not call the issue as cleared off for the time being:

Apple security release notes can be found here and Apple is not mentioning anything about the security improvements towards better authentication and/or encryption.

If you read the installation notes during the software update very carefully you will note:

“* Better data protection using the device passcode as an encryption key* (Requires full restore)”

What this means is that unless you go through the Full restore process you will not gain any data protection improvement promised by Apple.

Update 22/06/2010:

Although Apple hasn’t pointed this out so far I would recommend following update procedure for iOS4:

Upgrading your iPhone to the latest version is the normal procedure, however if you read the installation notes during the software update very carefully you will note as mentioned: