If you feel like going through the process of typing in your PIN every time you unlock your
iPhone is worth it thanks to the unconquerable security it implies, you might want to read this report from Bernd Marienfeldt about the chosen one's security model. Yes, a PIN will keep casual users from picking up your phone and making a call with it, or firing off an e-mail to your co-workers saying that you're quitting and becoming an exotic dancer, but it won't keep someone from accessing all your data. Bernd and fellow security guru Jim Herbeck have discovered that plugging even a fully up-to-date, non-jailbroken iPhone 3GS into a computer running Ubuntu Lucid Lynx allows nearly full read access to the phone's storage -- even when it's locked. The belief is that they're just a buffer overflow away from full write access as well, which would surely open the door to making calls. Bernd believes the iPhone's lack of data encryption for content is a real problem, and also cites the inability to digitally sign e-mails as reasons why the iPhone is still not ready for prime time in the enterprise.
[Thanks, Amit]
posted May 27th 2010 6:47AM
iPhone 4.0 has data encryption, was this person using the 4.0 beta!
This worked on my ubuntu lucid lynx!!! My iPod touch 3g is jailbroken. It's not a Like SSH. But.... It still works
don't most all phones let you access their sd via usb when they're powered off?
I forgot to encrypt my diary I wrote on paper and now anybody can "crack it"........
Most of us are not spy's or CEO'S are we really that important that we have to worry that somebody can see when it is our sisters birthday?? or that we have to remember to pick up milk and bread on the wau home from work???
@CultOfOne
Yet if you had a pin-coded usb stick and you plugged it in and could get file system access you would think it fine?
Apparently Bernd Marienfeldt and many readers of here missed the upcoming features of iPhone OS 4.0 specially for business users.
You can encrypt your whole device if you want to.
A quote directly from Apple.com
"Protecting data stored on iPhone is important for any environment with a high level of sensitive corporate or customer information. In addition to encrypting data in trans-mission, iPhone 3GS provides hardware encryption for data stored on the device.
If a device is lost or stolen, it’s important to deactivate and erase the device. It’s also a good idea to have a policy in place that will wipe the device after a defined number of failed passcode attempts, a key deterrent against attempts to gain unauthorized access to the device."
http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf
Sorry to dissapoint you haters ;)
@Shark Tek How does a promise of security in a future OS have anything to do with the vulnerabilities in a current OS?
@Electrofreak That they know the concern of the business users about data protection and they will address that in their upcoming release.
As simple as that.
@Electrofreak
The iPhone has file encryption right now.I really don't see what the big deal is.
Apple,Dell & HP blood gadget news:
reports on three Taiwan TV stations that another person, a young woman, had also jumped at Foxconn late on Wednesday, surviving with serious injuries.
@Xing
Dear Captain Non Sequitur: This article is not about Foxconn, but even if it were, the suicide rate at Foxconn is still lower than it is in the US, or in China.
Please stop being a total fucking idiot.
Love, everybody in the entire world
Wait a second, I'm not up on the iPhone scene anymore but I remember back in the days (around the iPhone 3G days) I built a custom ramdisk with SSH server that allowed me to login to the phone and reset the password (or read/write data) regardless of its lock status.
As far as I know, that still works doesn't it?
Hmm... solution to security problem:
Keep your iPhone on your person at all times. Don't make friends (or enemies) with Linux users. Too late for me, but I have an iPad, not an iPhone (I can't access my iPad in Lucid Lynx, unfortunately).
There, problem solved.
Sooo does this mean jailbreaking is possible without jailbreaking? At least let me chance some of the message tones this way?
All these people who think this is a flaw shows how many people on Engadget are idiots. You guys cry "OMG, Apple fanboys" but you guys are worse, you guys are Apple haters because it's the cool thing to do.
OMG, if someone physically gets their hands on my phone, they can get to the data, there is no other phone, and no way to do that on a Windows PC! This has to be the dumbest article ever. The only point of this article is that someone incorrectly assumed putting a PIN on an iPhone locked it completely.
If someone gains physical access to any of my devices, and has the time to hook it to another computer, and browse it's contents, the responsibility for that breach falls squarely on my shoulders, IMO.
Well I know how to fix it. Don't loose your phone for starters. And if your a person that would lose your phone then don't put vital info in it to be stolen. And honestly how many people actually rub unbuntu. Or you could just blame apple like you always do when u mess up using one of there devices. Grow up, be a responsible adult, and take responsibilty for your actions because Steve jobs didn't tell you to store all your vital information and he would promise that the iPhone would be the fort knocks of phones. Can you people do that? I know it's alot of responsibilty, but if you try I think you would be amazed. Or you could just go get a android and have to worry about getting a virus. Or worse. Peace
this should shut up most apple fan boys talking blah about iphone and enterprise.
Everyone knows the PIN is shit security. It's so teachers don't use it if they confiscate it in class. One of my teachers seriously does this.
I've known for a while that iPhone security isn't up to snuff. Phone companies use what's called a Celex device to strip the data off of your phone or SIM card when you switch devices or carriers. This device was able to easily strip the contacts, photo, call log, IM sessions, etc from a locked iPhone. Comparatively, my PIN-locked Pre was safe from it, as was a coworkers' PIN-locked Incredible and another coworkers' pattern-locked Nexus One.
oh my gosh, the world might come to an end because we know everybody has missile launch codes and all of their financial info on their iphone.
Wait, you mean someone with physical access to a device can hack it? This is completely unheard of! Alert the media!
Lol @ this article. This isn't a vulnerability, and I mean you can't access the root filesystem anyways unless you jailbreak. This has been around since AT LEAST Ubuntu 9.04, if not earlier. There's no access to apps, texts, emails, etc, so only Photos is a sensitive piece of information. Also, the computer and the iDevice has to be on the same Wifi network, which unless you're at a coffee shop or you have creepers on your home Wifi, you're very unlikely to run into someone who cares enough to break into your phone.
This never would have happened if Apple had released iTunes for Linux. Prolly.
Well when the other option is Android, sending all of your personal data straight to google all the time, I think it's clear what my choice will be.
This is why I use a jailbroken iPod touch. I have AndroidLock + the iPhone PIN protection.
2 layers of protection if I ever lose my iPod touch that has all my important info.
Good to actually see some Linux love! I'm tired of only seeing Mac and Windows represented.
Author made mistake with using PIN term instead of Passcode. You can find explanation in my blog: http://ogreswamp.info/?p=34
In few words PIN is code of the SIM card and it WILL protect from unauthorized calls. And it isn't supposed to protact your data inside your phone.
Any chance this could open a backdoor into "sms tone replacement ability" without jailbraking??