"There's a huge security problem in the latest iPhone 2.0.2," writes Jesus Diaz in a story on Gizmodo, "a very simple trick gives anyone full access to your cellphone private information in Mail, SMS, Contacts, and even Safari."
"With all the hubbub going on about a cracking the iPhone's passcode easily through a bug in v2.0.2 of the device's firmware, I thought I'd highlight the fact that passcode cracking for the iPhone has been around for quite some time. The method that's been gaining a lot of press lately seems to have only been doing so because it's much easier for your kid brother to do, but passcodes can actually be cracked in every version of iPhone software to-date.
"While the "ugly hack" method utilizing emergency calls is likely to disappear in the next version of the firmware, those interested in data security should still be quite concerned about the iPhone. The alternative methods for cracking the passcode - namely, the ones I've documented in the book - are by and far more sustainable techniques, which take advantage of flaws in the iPhone's design itself. Until hardware changes are made to the iPhone, it is very likely going to continue to be very easy to break into one."
Although this may not be a huge concern to the average iPhone user—many of whom don't password protect their phones at all—Jonathan points out that this inherent security flaw in the iPhone should lead enterprises and government agencies to reconsider the iPhone's use in their infrastructures.
"The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device's configuration--including the passcode configuration. Cracking the iPhone's passcode is about as complex as changing the root password on a desktop machine, given physical access. The inherent problem with iPhone security, and why enterprises and government agencies should not be considering it for their infrastructures, is the general lack of data encryption. Until Apple adds support for File Vault to the iPhone (encrypting user data), the passcode will continue to be an easy crack for law enforcement professionals, enterprise security officers, and any geek worth his salt."
Jonathan has been making these techniques available to law enforcement agencies for several months now, and covers the method for cracking both v1.x and v2.x passcodes in his upcoming book, iPhone Forensics. "I've found even the most novice cop-geeks have been able to crack the iPhone's passcode and install my forensics toolkit on the device," he says. "Many criminals who once thought the incriminating evidence on their iPhone was safe have come to the rude awakening that passcodes do not equate to security."
To learn more about the subject of iPhone Forensics, watch Jonathan's iPhone Forensics Demonstration webcast or check out his two-day professional forensics workshop taking place September 16-17 in Burlington, Massachusetts.