
iPhone's PIN-Based Security Transparent To Ubuntu

Posted by timothy
from the so-I-hope-you-were-using-pig-latin dept.
ndogg writes "Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."

  • by flooey (695860) on Thursday May 27, 2010 @02:49PM (#32367130)

    Which you can mount under Linux, using FUSE and the appropriate apps (usbmuxd, libimobiledevice, and ifuse). I maintain usbmuxd.

    In fact, when you plug an iPhone into a Mac, you can see in the process list that usbmuxd is what Mac OS is using to talk to the device.

  • by fuzzyfuzzyfungus (1223518) on Thursday May 27, 2010 @02:50PM (#32367148) Journal
    I have to wonder what sort of testing Apple (didn't) do here. If it is possible for a Linux machine to mount the filesystem, then setting a PIN clearly has no effect at all on the device's access control of that filesystem. Even if plugged into a Mac or PC running iTunes, the data should be equally accessible.

    Either they simply didn't feel the need to make the PIN actually do much more than lock the screen (arguably fairly misleading), or next to no testing was done, or (even worse), setting the PIN also sets some sort of "politely ignore the data you could easily access" flag, that iTunes obeys and the third-party implementations don't.
  • by bic2k (140221) * on Thursday May 27, 2010 @03:00PM (#32367300) Homepage

    Ya, one of the new features in iPhone OS 4.0 is "Data Protection". Specified files for applications are on the fly encrypted and decrypted. The phone has to be unlocked (valid PIN entered) to access the data.

    Seems like they already handled this issue, unless someone wants to test that on an iPhone with 4.0 running on it...

  • Re:iTunes (Score:1, Interesting)

    by shagie (1803508) on Thursday May 27, 2010 @03:24PM (#32367690)
    On iTunes the 'Summary' tab has a set of options. One of them reads 'Encrypt iPhone backup' as a checkmark. Poking about my system (~/Library/Application Support/MobileSync/Backup/...) I can find some of the raw data that is on my phone there (settings, files). So, it is possible to encrypt that data as the backup is stored but it sounds like the unencrypted data is what iTunes accesses.
  • by h4rr4r (612664) on Thursday May 27, 2010 @03:31PM (#32367820)

    I just want to say thanks for all your work. This was a big thing in getting the last Windows PC in my house to Linux.

  • Re:RTFA.. (Score:3, Interesting)

    by Late Adopter (1492849) on Thursday May 27, 2010 @04:56PM (#32369004)
    So when someone rips the flash chips off the board, they can't read them, but when they just, you know, ASK the iPhone for the data, it gives it to them?

    Security by friendliness?
  • by Sancho (17056) * on Thursday May 27, 2010 @05:22PM (#32369274) Homepage

    And it always will. The purpose of the encryption is to allow remote-wipe (and even local-wipe, I suppose) to be nearly instantaneous. Wipe the key, and the data is unreadable, as opposed to having to spend time wiping the entire contents of the flash memory.

    The encryption isn't meant to be used day-to-day. It's meant to be transparent until you need to destroy your data.
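
The distinction drawn in the comments above (a key the device applies for any host that asks, versus a key that cannot be formed until the PIN is entered, and why discarding the key amounts to a wipe) can be modelled in a few lines. This is an added example, not part of the thread and not Apple's implementation; the `Phone` class, the toy HMAC-based stream cipher standing in for hardware AES, and the sample data are all constructed for illustration.

```python
import hashlib, hmac, os

def xor_stream(key, data):
    """Toy stream cipher (HMAC-SHA256 counter mode), a stand-in for hardware AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Phone:  # hypothetical model of the two designs discussed in the thread
    def __init__(self, bind_key_to_pin):
        self.device_key = os.urandom(32)   # lives only inside the device
        self.salt = os.urandom(16)
        self.bind_key_to_pin = bind_key_to_pin
        self.flash = self.tag = None       # what someone reading the chips sees

    def _file_key(self, pin):
        if self.device_key is None:        # key wiped: nothing can be derived
            return None
        if not self.bind_key_to_pin:       # transparent mode: PIN plays no part
            return self.device_key
        if pin is None:                    # locked: no PIN has been entered
            return None
        stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000)
        return hmac.new(self.device_key, stretched, hashlib.sha256).digest()

    def _tag(self, key):
        return hmac.new(key, b"tag:" + self.flash, hashlib.sha256).digest()

    def store(self, data, pin):
        key = self._file_key(pin)
        self.flash = xor_stream(key, data)
        self.tag = self._tag(key)

    def read_over_usb(self, pin=None):
        """What a host receives when it asks the running device for the file."""
        key = self._file_key(pin)
        if key is None or not hmac.compare_digest(self._tag(key), self.tag):
            return None                    # locked, wiped, or wrong PIN
        return xor_stream(key, self.flash)

    def wipe(self):
        self.device_key = None             # flash contents stay, now unreadable

if __name__ == "__main__":
    phone = Phone(bind_key_to_pin=False)
    phone.store(b"constructed sample data", "1234")
    print(phone.read_over_usb())           # readable without ever giving the PIN
```
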

  • Re:Who says... (Score:3, Interesting)

    by shellbeach (610559) on Thursday May 27, 2010 @07:46PM (#32370748)

    That joke is getting a bit old, with Apple selling 4-button mice with every iMac for 5 years now.

    Nah. It's still good for many of us :) And besides, Apple can't quite get away from the one-button meme -- even with their multiple button mice, they try and hide the different buttons under one big button. (Something which I would have thought was the single worst interface design decision ever, incidentally ...)

    Anyway, I'm not sure what's the big deal about being able to read a small portion of the iPhone drive in Ubuntu -- you still can't access any application data or any of the databases that store your contacts/notes/whatevers. It does mean someone can copy your music ... but that's surely a good thing! And access to part of the file system isn't exactly unusual -- even without Ubuntu, you should be able to see the iPhone's DCIM photo folder when you plug the device into a computer.

  • Re:Wow. (Score:2, Interesting)

    by jetole (1242490) on Friday May 28, 2010 @03:57AM (#32373146)
    This is a joke. Right? I mean how is this evidence for anything other than the fact that I paid for a phone that did not have proper security programmed into it in the first place? It took open source programmers who worked for free (I assume) to point out how the paid for product had dropped the ball and didn't have real security in the first place. Furthermore, Linux is free because the author didn't want to charge for it. Are you saying the OS is invalid because he didn't put a price tag on it? By the way, if you are not joking then you should know MS, Oracle and IBM (those are just the ones I am aware of in your list) provide open source freeware (MS working on both Silverlight/Moonlight through Novell and Active Directory with/through samba). Also if you are not joking, please tell me you are confined to an institution that makes sure a spork is the most dangerous thing you have access to. You sound like the last person that should own a gun.

    If you think free software should be outlawed, all you are doing is mandating a law that says people have to charge for something even if they don't want to.

    P.S. FOSS people are not known to steal anything, instead we create it from scratch and the iPhone code that Ubuntu 10.04 uses was built from scratch; it was not taken from any code Apple provided as Apple has never provided that code to anyone AFAIK. MS has only ever made idle threats about patents without naming any identifiable aspect of it. What have we stolen from anyone? If I don't want to use Windows or OS X then you think you have the right to say I can't program productive software for it or do you honestly believe that we have somehow hacked into Apple and stolen the source code for the iPhone?

    P.P.S.: The post is true. I have been able to access my PIN protected iPhone 3G (not 3GS) from Ubuntu 10.04 since I installed it. The security aspect is a bit of a concern but then again, since I knew cops have been able to do this all along then I am not that surprised. The plus side is I can now upload songs to my iPhone from Linux without doing a Jail Break (I'm reluctant to Jail Break) and without having to run an app in Wine (since I hate Windows emulation) so kudos to Ubuntu for exposing a security vulnerability and at the same time making the iPhone more usable on Linux. Job well done.
