O'Reilly FYI

News from within O'Reilly

Huge iPhone Security Risk? It's nothing new, says Jonathan Zdziarski

By Kathryn Barrett
August 27, 2008

"There's a huge security problem in the latest iPhone 2.0.2," writes Jesus Diaz in a story on Gizmodo, "a very simple trick gives anyone full access to your cellphone private information in Mail, SMS, Contacts, and even Safari."

But this is nothing new, says iPhone hacker Jonathan Zdziarski. "The iPhone passcode was cracked long ago," he explains in a post on his Zdziarski.com:

"With all the hubbub going on about a cracking the iPhone's passcode easily through a bug in v2.0.2 of the device's firmware, I thought I'd highlight the fact that passcode cracking for the iPhone has been around for quite some time. The method that's been gaining a lot of press lately seems to have only been doing so because it's much easier for your kid brother to do, but passcodes can actually be cracked in every version of iPhone software to-date.

"While the "ugly hack" method utilizing emergency calls is likely to disappear in the next version of the firmware, those interested in data security should still be quite concerned about the iPhone. The alternative methods for cracking the passcode - namely, the ones I've documented in the book - are by and far more sustainable techniques, which take advantage of flaws in the iPhone's design itself. Until hardware changes are made to the iPhone, it is very likely going to continue to be very easy to break into one."

Jonathan Zdziarski
Learn How to Obtain iPhone Forensic Data

Register nowiPhone Forensics Developer Workshop — Happening September 16-17, 2008 in Burlington, MA, this valuable workshop led by Jonathan Zdziarski, the original iPhone hacker, will guide you through a highly specialized forensic examination of the iPhone, iPhone 3G, and iPod Touch. Register now to learn how to recover, process and remove sensitive data stored on these devices!

Although this may not be a huge concern to the average iPhone user—many of whom don't password protect their phones at all—Jonathan points out that this inherent security flaw in the iPhone should lead enterprises and government agencies to reconsider the iPhone's use their infrastructures.

"The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device's configuration--including the passcode configuration. Cracking the iPhone's passcode is about as complex as changing the root password on a desktop machine, given physical access. The inherent problem with iPhone security, and why enterprises and government agencies should not be considering it for their infrastructures, is the general lack of data encryption. Until Apple adds support for File Vault to the iPhone (encrypting user data), the passcode will continue to be an easy crack for law enforcement professionals, enterprise security officers, and any geek worth his salt."

Jonathan has been making these techniques available to law enforcement agencies for several months now, and covers the method for cracking both v1.x and v2.x passcodes in his upcoming book, iPhone Forensics. "I've found even the most novice cop-geeks have been able to crack the iPhone's passcode and install my forensics toolkit on the device," he says. "Many criminals who once thought the incriminating evidence on their iPhone was safe have come to the rude awakening that passcodes do not equate to security."

To learn more about the subject of iPhone Forensics, watch Jonathan's iPhone Forensics Demonstration webcast or check out his two-day professional forensics workshop taking place September 16-17 in Burlington, Massachusetts.

You might also be interested in:


Popular Topics

Browse Books


Or, visit our complete archives.

FYI Topics

Recommended for You

Got a Question?