Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Iphone Security Ubuntu Apple Linux

iPhone's PIN-Based Security Transparent To Ubuntu 264

ndogg writes "Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."
This discussion has been archived. No new comments can be posted.

iPhone's PIN-Based Security Transparent To Ubuntu

Comments Filter:
  • by kthreadd ( 1558445 ) on Thursday May 27, 2010 @02:21PM (#32366626)
    So the problem is that the memory of the iPhone is mounted and that the data is exposed? I may not understand this exactly but hasn't the argument been for many years now that iPods couldn't be directly mounted like that?
    • by stagg ( 1606187 ) on Thursday May 27, 2010 @02:34PM (#32366882)
      Critical bug! Product too versatile -- works with non-Apple operating systems.
    • by marcansoft ( 727665 ) <(moc.tfosnacram) (ta) (rotceh)> on Thursday May 27, 2010 @02:35PM (#32366892) Homepage

      They're not a block device, so you can't mount their filesystem as such. Instead, they're effectively network drives: the proprietary AFC file transfer protocol tunneled over a hugely mutilated version of TCP stuffed into USB packets. Which you can mount under Linux, using FUSE and the appropriate apps (usbmuxd, libimobiledevice, and ifuse). I maintain usbmuxd.

      Apparently Apple relies on security through obscurity here (only their apps are usually able to talk to an iDevice), and the actual protocols aren't secured.

      Incidentally, this is where the term "jailbreaking" comes from: breaking out of the AFC filesystem jail (which is usually limited to the user's data partition). Jailbreaking's original feature was to introduce a secondary AFC share with root privileges on the root directory, and jailbreaks to this day still do. You can use ifuse --root under Linux to mount this secondary share.

      • by flooey ( 695860 ) on Thursday May 27, 2010 @02:49PM (#32367130)

        Which you can mount under Linux, using FUSE and the appropriate apps (usbmuxd, libimobiledevice, and ifuse). I maintain usbmuxd.

        In fact, when you plug an iPhone into a Mac, you can see in the process list that usbmuxd is what Mac OS is using to talk to the device.

        • by marcansoft ( 727665 ) <(moc.tfosnacram) (ta) (rotceh)> on Thursday May 27, 2010 @02:52PM (#32367180) Homepage

          Correct. I wrote most of the usbmuxd implementation that we use on Linux as a clone of Apple's version. In fact, you should (as of yesterday) be able to compile libusbmuxd and libimobiledevice and maybe even ifuse (with macFUSE?) and use them together with Apple's usbmuxd on OSX to pull off this hack there. Heck, I think at least libusbmuxd and libimobiledevice should even build on Windows these days (Apple provides a Windows version of usbmuxd with iTunes).

      • by fuzzyfuzzyfungus ( 1223518 ) on Thursday May 27, 2010 @02:50PM (#32367148) Journal
        I have to wonder what sort of testing Apple(didn't) do here. If it is possible for a linux machine to mount the filesystem, then setting a PIN clearly has no effect at all on the device's access control of that filesystem. Even if plugged into a mac or PC running iTunes, the data should be equally accessible.

        Either they simply didn't feel the need to make the PIN actually do much more than lock the screen(arguably fairly misleading), or next to no testing was done, or (even worse), setting the PIN also sets some sort of "politely ignore the data you could easily access" flag, that iTunes obeys and the third-party implementations don't.
        • by mirix ( 1649853 )

          or (even worse), setting the PIN also sets some sort of "politely ignore the data you could easily access" flag, that iTunes obeys and the third-party implementations don't.

          This would be my guess.

          I suppose Apple didn't expect to see a third party implementation developed, so they took the cheapo obscurity route. They should probably quit betting against hackers, especially if they want fascist control of "their" devices... That just gives people incentive.

        • Even if plugged into a mac or PC running iTunes, the data should be equally accessible.

          What do other phones do? Connect a blackberry to a PC with blackberry desktop for example..
          Does iTunes ask for the PIN each time it syncs an PIN locked iPhone? I must be missing something.

          Does this trick allow use of the SIM card without entering its PIN? Could someone who has both phones elaborate?
          I don't ever remember having to enter a PIN to pair a blackberry other than the random one for pairing bluetooth devices which is responsible only for encrypting the wireless transmission.

          I know "access data l

          • Re: (Score:3, Informative)

            Can't speak to Blackberries and such, but on my Symbian-based phone (Samsung i8510) if I connect it to USB while it's PIN-locked all it does is recharge. I did this on my work PC while watching /var/log/dmesg and all it registered was a USB HUB being connected. No access to the phone memory at all. After I entered the PIN, the phone's internal storage and the SD card I have in were suddenly available.

            Of course, if you have physical access to my phone you can pull out the SD card, which doesn't have any prot

        • by marcansoft ( 727665 ) <(moc.tfosnacram) (ta) (rotceh)> on Friday May 28, 2010 @02:15AM (#32372756) Homepage

          OK, upon further testing (I don't use a passcode myself so I never even looked into this) and getting some information from others, it looks like this isn't a total oversight on Apple's part, but it is a real bug that requires a specific sequence to trigger.

          Here's how it's supposed to work:

          • The first time you connect an iPhone to a specific computer, the iPhone will "pair" with the computer. This happens behind the scenes.
          • This pairing process is disabled while the phone is locked with a passcode.
          • Once paired, that computer will always be able to talk to that phone, even while locked.

          The actual bug is that there's a race condition during boot. There's a window during which the lock code setting hasn't been read, during which the phone will accept pairing requests even though it shouldn't.

          If you want to try it on Linux, do this:

          • Delete ~/.config/{libiphone,libimobiledevice} to clear the pairing data
          • Create a directory to mount the device on
          • Configure a passcode on your device and shut it dow
          • Have a syslog window open
          • Plug it into USB and power it on
          • As soon as you see your device enumerate with the USB subsystem, start spamming ifuse <mountpoint> on a terminal
          • With any luck it will pair and mount. From now on you can unmount it and mount it as many times as you wish with this computer.

          Notice how the "slide to unlock" SpringBoard screen will not have yet appeared when this works. Once it does, the passcode has been configured and pairing will no longer work. On the latest version of ubuntu it tries to automount as soon as it sees the device, which makes this bug a lot more obvious.

      • by h4rr4r ( 612664 ) on Thursday May 27, 2010 @03:31PM (#32367820)

        I just want to say thanks for all your work. This was a big thing in getting the last windows pc in my house to linux.

    • by kent_eh ( 543303 )
      I'll have to try mine again.
      When I tried to plug my iPhone in under Ubuntu 9.10, it caused a kernel panic. I suspected that may have been intentional on Apple's part.
    • by rxan ( 1424721 )
      But the PIN should prevent you from getting that far. Unless this part of the memory is meant to be unprotected.
    • I think the problem is that the data is supposed to be protected. Sounds like you engage protection on the phone, but it doesn't actually protect the data. Now contrast this to a Blackberry, which uses strong encryption to protect its data when engaged. You can also directly mount a BB, but you can't get the data if the encryption is turned on (you can if it is off which is default).

      This is a worry if your phone has some confidential information. You rely on putting protection on it, in case it gets stolen.

      • by marcansoft ( 727665 ) <(moc.tfosnacram) (ta) (rotceh)> on Thursday May 27, 2010 @02:54PM (#32367204) Homepage

        The iPhone 3GS supposedly uses whole-disk encryption. This does squat when your USB comms protocol doesn't request authentication though, since you can pull the data off through the iPhone kernel's transparent decryption layer.

        In other words, this hack has nothing to do with encryption and everything to do with an insecure protocol that makes no attempt to actually request PIN authentication before handing over all your data. Nobody expected your PIN to actually act as key for encryption anyway; that's impossible, as the iPhone has to be able to access your data even while locked.

        • by xgr3gx ( 1068984 )

          I don't think the PIN has anything to do with this. The PIN probably just locks the UI in the phone. That would be like pulling a hard drive out of one computer and adding to another and expecting the usernames and passwords to still work. You'll be able to mount the drive and access every part of the file system because the OS that governs access to that filesystem is not running. The drive is just being viewed by another computer.
          If the filesystem was encrypted, I imagine you'd could still mount the d

          • by rthille ( 8526 )

            If the _filesystem_ is encrypted, then you can't mount it without the key. If the files are encrypted, then you can't make sense of their contents without the key(s).

            • by Mike Buddha ( 10734 ) on Thursday May 27, 2010 @03:45PM (#32368010)

              The filesystem IS encrypted, but the OS happily decrypts everything for you without any form of authentication. That's the story here.

              • Re: (Score:3, Interesting)

                by Sancho ( 17056 ) *

                And it always will. The purpose of the encryption is to allow remote-wipe (and even local-wipe, I suppose) to be nearly instantaneous. Wipe the key, and the data is unreadable, as opposed to having to spend time wiping the entire contents of the flash memory.

                The encryption isn't meant to be used day-to-day. It's meant to be transparent until you need to destroy your data.

          • On many phones the PIN or keycode just unlocks the keypad, or in a touchscreen's case the UI. This does diddly to stop the USB connected phone's memory from being used as a storage device.

            The primary function of the "security" code here is to keep you from butt/pocket/purse dialing unintenationally. The Security code is not to lock down the confidential info on the phone and keep folks from copying all your data.

            • Re: (Score:2, Informative)

              by Anonymous Coward

              No, the keylock with a well known generic opening mechanism is what protects against pocket dialing. In the iphone case I believe that's implemented as a finger slide. The additional PIN code is obviously there to prevent people from using your phone or seeing your data -- and it failed.

        • And honestly, how long would it take a computer to bruteforce a 4-digit numeric password???

        • by Nerdfest ( 867930 ) on Thursday May 27, 2010 @04:33PM (#32368726)

          This does squat when your USB comms protocol doesn't request authentication though, since you can pull the data off through the iPhone kernel's transparent decryption layer.

          It just works ... even when it shouldn't.

    • by greatica ( 1586137 ) on Thursday May 27, 2010 @02:53PM (#32367192)

      Breaking into an Apple device: "it just works."

    • by DarkOx ( 621550 )

      And when it was a music player that was a resonable argument to make. Why should you not have an easy way to copy files to a and from it. The data is not unique or personal.. I would still make the argument they should be mountable and apparently Apple agrees. What I find entertaing is that they don't have some sort of encrypted storage; where apps can write possibly private info into. A registry or something that is protected; even in the volume itself is open.

    • by icebike ( 68054 )

      Seems not to do this on my older iPhone 3G.

      All it sees is the camera via digicam.

      So he either has some additional libraries on his Ubuntu or some hack-ness on his phone, or this bug was introduced on the 3Gs model.

      • by Benanov ( 583592 )

        Ubuntu 10.04 has newer libraries. Also make sure you're connecting the phone then turning it on.

    • You don't understand. It's a problem because can't say it is a "Walled Garden", they now will have to say "It's a walled garden. Unless you use open tools. Then it's kind of open. But Now we want better tools to do with it as we please, and Apple doesn't seem to be developing these on their dime and giving them away for free. Curses!"

    • by geekoid ( 135745 )

      The argument has been apple doesn't support it, and tries to obufscate the data.

      There are several 3rd party tools that allow you to move data onto and off of iPods. I assume the same thing with the iPhone.

    • by Graff ( 532189 ) on Thursday May 27, 2010 @04:26PM (#32368628)

      I read through both linked articles and it comes down to only this data is exposed:

      This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents

      Certainly not all of the data on the phone. Your e-mails, notes, application-specific data, address book, password keychain, and so on are still safely encrypted. Yes, this isn't a perfect situation but it's not as dire as it sounds. Most data that people expect to be secure is still secure.

  • Linux is hard to use?
    • Re:Who says... (Score:4, Informative)

      by Lord Lode ( 1290856 ) on Thursday May 27, 2010 @02:24PM (#32366684)

      Apparently it's so hard to use that they can't even reproduce it at Apple.

    • by rednip ( 186217 )

      Who says... Linux is hard to use?

      Lots of people do, they're wrong of course, but somehow that doesn't seem to stop them from saying it.

  • Updated story (Score:5, Informative)

    by OzPeter ( 195038 ) on Thursday May 27, 2010 @02:24PM (#32366692)
    From TFA Apple could reproduce the described serious issue and believes to understand why this can happen but cannot provide timing or further details on the release of a fix.
    • Shouldn't it just be a matter of requiring the user to allow the mount of the iPhone side? That is, I believe, how Android handles the problem. Nothing can be mounted until the user tells the phone to allow it, which must be done from the home screen, which cannot be accessed without the sign in pattern. Unless that is how it is supposed to work but for whatever reason isn't happening on Lucid Lynx?

    • by nurb432 ( 527695 )

      From TFA Apple could reproduce the described serious issue and believes to understand why this can happen but cannot provide timing or further details on the release of a fix.

      Who said it needs 'fixed'?

  • by KnownIssues ( 1612961 ) on Thursday May 27, 2010 @02:25PM (#32366702)
    Bernd Marienfeldt updated his blog saying Apple is now able to reproduce the problem and believes they know the cause, but no timing on fix release.
  • Let us Ubuntu fanboiz have a moment to gloat before trashing our OS as a whole.

    Thanks.

  • by gimmebeer ( 1648629 ) on Thursday May 27, 2010 @02:29PM (#32366796)
    It is a security problem with Ubuntu and should be fixed by their dev team before they are sued for hacking. Afterall, the iPhone was not meant to be connected to anything other than Apple software.
    • It's the user's problem, because an attacker won't feel any particular compulsion to be bound by Apple's intents and guidelines.

      It's Apple's problem if they want their users to trust that Apple has their best interests in mind.

  • by stagg ( 1606187 )
    Clearly Ubuntu is some kind of crazy hacker operating system, and Apple should block their products from working with it.
  • And? (Score:5, Insightful)

    by lennier1 ( 264730 ) on Thursday May 27, 2010 @02:31PM (#32366830)

    Will their fix consist of actually making the device more secure or will they just try to make it harder use it with Linux systems?

  • Wait a sec... if I plug in my phone, iTunes automatically makes a backup of everything on it.

    This backup doesn't require a PIN either!

  • by Steve Max ( 1235710 ) on Thursday May 27, 2010 @02:37PM (#32366938) Journal

    The GSM standard defines a PIN as an access number for your SIM card. It has nothing to do with your phone's contents. Most phones allow you to set up a security key, which is needed either to turn on the phone every time (even if you have your SIM set up not to need a PIN), or when you change the SIM.

    I don't know if this is actually the same PIN defined by the GSM standard or if it's another, Apple-specific key; but when you're talking about phones, PIN is connected to the SIM, or to the phone line, not to the phone contents.

  • by __aaaaxm1522 ( 121860 ) on Thursday May 27, 2010 @02:43PM (#32367006)

    I plugged my iPhone 3GS into my Ubuntu box. While it's true that Ubuntu did automount the iPhone, the only thing I can find that was exposed was my music, photos and podcasts.

    I wasn't able to access email, contact info, or anything else on the phone. I did see the Application Archives, PublicStaging, Purchases, and Safari folders but they're empty. I have lots of email and contact info on the device - but it appears to be inaccessible via this method.

  • This is just too funny.

    The latest release of iTunes crashes in my XP VM.

    The latest Ubuntu can read an iPhone like a regular iPod again.

    So my Ubuntu VM is a better environment for dealing with my iPhone than my XP VM is.

    What a hoot.

    • You probably want to try to diagnose your XP iTunes problem (it works fine when properly setup - I'm using it without issue).

      The latest version of Ubuntu kinda sorta works with the iPod. If you like manually dragging and dropping files to and from the device then it works OK. If you want true syncing capability (rather than manual), or to manage apps on the device, then Windows still works better.

      I'm fully expecting to move to a Droid phone within a few months though which should allow me to move over eve

  • Not being able to talk with Linux is one of the things that has kept me off iPods for years. I finally liked the features of the iPod touch and buckled, and used it in Virtualbox under windows/iTunes (so I didn't have to jailbreak it).

    Now, finally, Rhythmbox can seamlessly put music on my iPod. If they take that functionality away, then that oft-publicized letter that Jobs put forth touting open standards as an excuse for not supporting Flash is going to be exposed as pure and utter hogwash.

    • There's "fix" as in completely remove the functionality, and "fix" as in allow the proper mounting after the PIN is supplied.

    • Re: (Score:3, Informative)

      by geekoid ( 135745 )

      There have been Linux tools for getting music on and off the iPod since about a week after the first iPod came out.

      Yeah, Apple doesn't support it, but so what?

  • Seriously, they don't encrypt the content of an iPhone by default? I mean, it's not the default on Blackberry, but it's there and Blackberry have been around for a long time. When making a new device, why not build encryption into the filesystem? Apple has all the components already from their desktop and it can't suck that much battery. Now Apple is offering encryption just for e-mail? Really, that isn't good enough. And while I'm at it, Google what's up with you doing the same bloody thing? Come on guys.

  • by bic2k ( 140221 ) * on Thursday May 27, 2010 @03:00PM (#32367300) Homepage

    Ya, one of the new features in iPhone OS 4.0 is "Data Protection". Specified files for applications are on the fly encrypted and decrypted. The phone has to be unlocked (valid pin entered) to access the data.

    Seems like they already handled this issue, unless someone wants to test that on an iPhone with 4.0 running on it...

    • Indeed I just tried with my phone running 4.0 beta4 locked, and nothing mounted, then I unlocked it and retried and it automounted like a block device.

  • Old news ... (Score:3, Insightful)

    by BitZtream ( 692029 ) on Thursday May 27, 2010 @04:34PM (#32368736)

    Yes, you can get the raw data off without a PIN.

    The original phones up until the 3Gs didn't encryption the data.

    The 3GS and presumable 4.0 phones encrypted the data using a key that isnt (in theory) directly accessable to anyone outside the phone os and more specifically hardware.

    So yes, there have been many ways to get data off 2g and 3g devices. 3Gs and 4.0 devices work in a different way so short of ripping apart a chip to get the key, the best you'll get is an encrypted memory dump which is more or less worthless unless you can get the key out of the hardware.

    On older phones with newer OSes a remove wipe destroys the key. Updated versions of the software first destroy the key, then proceed to overwrite the encrypted data itself to make it useless even if you obtained the key somewhere else.

    Basically, Apple realized this was studip 2 revisions of the hardware back and has such fixed the issue.

    When you unlock the phone, you effectively add the key to the file system keystore so it can decrypt the files.

    if you unlock your phone, you have ... unlocked your phone. Whats the difficulty in understanding this?

  • by SharpFang ( 651121 ) on Friday May 28, 2010 @06:34AM (#32374018) Homepage Journal

    You can't blame Apple for Ubuntu mis-implementing the API and skipping a step described as mandatory.

    From Iphone3G API documentation...

    7.4 Mounting the phone filesystem over USB

    (...)
    User authentication must be assured to mount encrypted filesystem. A call to validatePIN() method is a mandatory step before attempting to acquire the system key and mounting the filesystem. A typical scenario of mounting the filesystem goes like this:

    IphoneSecurity& sec = Iphone::Security();
    IphoneSecurity::EncKey key = NULL;
    IphoneIO::Partition mp = NULL;

    if(sec.validatePIN() == true)
    {
          key = sec.getEncKey();
          mp = sec.mount(device,mountpoint,options,key);
    }
    else
    { //error handling
    }

    it's a spoof, dummies

We all agree on the necessity of compromise. We just can't agree on when it's necessary to compromise. -- Larry Wall

Working...