Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Apple iPhone encryption cracked by Russian firm

Data held on smartphones vulnerable to hacking

Article comments

Having cracked Apple iPhone backups last year, Russian security company ElcomSoft appears to have found a reliable way to beat the layered encryption system used to secure data held on the smartphone itself.

Since the advent of iOS 4 in June 2010, Apple has been able to secure data on compatible devices using a hardware encryption system called Data Protection, which stores a user's passcode key on an internal chip using 256-bit AES. Adding to this, each file stored on an iOS device is secured with an individual key computed from the device's Unique ID (UID).

Apple products containing this security design include all devices from 2009 onwards, including the iPhone 3GS (which can be upgraded to iOS 4), iPhone 4, iPad, iPad 2 and recent iPod Touch models.

ElcomSoft has not explained how it hacked the hardware-stored key system in detail for commercial reasons, but the first point of attack appears to have been the user system passcode itself as all other keys are only vulnerable to attack once the device is in an unlocked state.

The company said it had been aided by subtle weaknesses in the security architecture used by Apple, starting with the default passcode length of 4 digits. This yields only 10,000 possible number variations, which the company said most users would likely use to secure their devices without question.

The only limitation in breaking this key using a bruteforce attack was the need to run through the possible combinations on the iPhone or iOS device itself, which took between 10 and 40 minutes, far longer than would have been the case using a desktop PC.

If the passcode was too long to bruteforce, the company said it was possible to bypass this by hacking what are called "escrow keys," which are created by Apple applications such as iTunes and stored on a user's computer.

Given that the company's hacking of Apple devices began last August with the news that it had found a way to beat the encryption on iPhone backup archives stored on PCs, this could be how the company first spotted the weakness in the iPhone Data Protection system.

"We are responsible citizens, and we don't want this technology to fall into the wrong hands," said ElcomSoft CEO, Vladimir Katalov. "Therefore, we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organisations and select government agencies."

The company has updated its Phone Password Breaker software to include the ability to "decrypt iOS 4.x file system images, as well as an optional tools to obtain file system images of the iOS 4.x devices, extract keys required for image decryption and brute force passcode," a note on its website said.

A licence for this can be purchased for £79 with the iOS 4-cracking feature enabled only for customers that meet the stated requirements. How ElcomSoft verifies a customer's credentials is unclear. All buyers of the software have access to the feature that cracks Apple iPhone and BlackBerry backup archives

ElcomSoft has gained a reputation in the last three years for cracking encryption systems used in a variety of technologies, including the digital camera image verification systems used by Canon and Nikon, WPA2 wireless security, as well as a range of individual applications.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *