This article originally appeared in TidBITS on 2009-07-27 at 9:29 a.m.
The permanent URL for this article is: http://tidbits.com/article/10416
Include images: Off

iPhone 3GS Offers Enterprise-Class Security for Everyone

by Rich Mogull

[Update: Soon after this article came out, a technique for circumventing any iPhone encryption, including the hardware encryption of the iPhone 3GS, was published. You can read more about it over at Wired [1]. This technique requires only moderate skills and we've confirmed its plausibility with our own limited testing. Rich is writing a followup article with more details, which we will link at the top of this article once it's available. We hope Apple will address this issue as soon as possible, but until they do, iPhone encryption should not be considered secure.]

The original iPhone was widely criticized by security professionals for lacking essential security features for the enterprise, the large corporate networks that have special needs because of huge numbers of users and the massive back-end operations to support those users.

The original iPhone was hard to lock down, had only limited secure connectivity options, and lacked both data protection and some way to destroy data remotely if you lost the phone. Those capabilities have continued to improve with every iPhone software release and, combined with the hardware improvements in the iPhone 3GS, even regular users can now enjoy security equivalent to that provided by most corporate environments.


The iPhone 3GS Hardware Advantage -- While most of the software features I describe below work on any iPhone running the iPhone OS 3.0, the 3GS model has one significant advantage that enables all of its owners to experience enterprise-class security. The iPhone 3GS includes a hardware encryption chip that uses the industry-standard AES 256 protocol (that's the Advanced Encryption Standard, with a key length of 256 bits).

Hardware encryption enables a device - a phone, a hard drive, or what have you - to be nearly instantly wiped by erasing the encryption key stored on the device. With a well-designed system, securely removing that key means all data is entirely unrecoverable, even by a government... maybe.

According to Apple [2], all data on the iPhone 3GS is encrypted by default. Other than Research in Motion's BlackBerry models, very few smartphones on the market encrypt all data. Considering how much personal data we tend to keep on these advanced devices, this is an incredibly important feature. Assuming you follow my other recommendations, it's highly unlikely even a knowledgeable attacker could break into a lost phone and retrieve your data.

This doesn't protect you from all attacks. As with any other encrypted computer, if the bad guy hacks the device while you are logged in, he can still access your unencrypted data. But lost phones are the most common risk we face, and default encryption (with passcode locks, which we'll get to) essentially eliminates your exposure.


Setting Passcode Locks -- One of the most basic security options on any phone is setting a passcode to lock the screen. This prevents prying eyes from gaining easy access to your email messages, phone numbers, or text messages, and it's an option on pretty much every phone on the market. To set this on your iPhone, tap Settings -> General -> Passcode Lock and enter a passcode. (Don't forget it, or you'll have to restore your phone to get back in!) This feature predates iPhone OS 3.0, and works on any model.

On the Passcode Lock settings page you also have some additional options. On any iPhone, you can choose the amount of time your phone sits idle before it requires the passcode again. I set mine for 15 minutes, which is a good balance between security and usability for those times I slip it in and out of my pocket.

On the iPhone 3GS, you can also choose to allow or disable voice control when the screen is locked. I leave this on so I don't have to enter my passcode when using voice dialing while driving, but if you are worried about someone making calls to the Antarctic when you leave your phone unattended (or listening to any potentially embarrassing iTunes song selections), you should disable it.


Erasing Your Data -- One additional feature sets the passcode lock on the iPhone apart from many other phones on the market. If you select the option to "Erase Data," the iPhone allows just 10 failed attempts at entry. After that, the operating system starts the wiping process, deleting everything on your phone. (Don't worry: if you do this by mistake you can restore from your last backup.) I've seen this feature in enterprise devices like the BlackBerry, but it's rare in a consumer phone.

On original iPhones and the iPhone 3G, wiping can take some time, as the software deletes, then overwrites, your data: Dan Frakes at Macworld got Apple to quantify [3] that it takes 1 hour per 8 GB of data.

On the iPhone 3GS, it's faster and easier, as noted earlier. The iPhone 3GS just has to delete the encryption key that protects the data. This is known as "crypto-shredding," and is a common practice in the security world.


Remote Wipe -- With the release of the iPhone OS 2.0, corporate users gained the capability to wipe lost devices remotely using Microsoft Exchange integration. This is an important feature, since forensic investigators can often recover data off devices by connecting them to computers and performing direct analysis, rather than having to beat the passcode lock. (The 3GS is still protected, thanks to its hardware encryption.) Remote wipe sends a signal to the phone to delete all its data, assuming the phone is turned on and connected to a network to receive the signal.

As has been widely reported, iPhone OS 3.0 users with MobileMe accounts now gain the same capability, without needing a corporate server. By logging into the Find My iPhone area of MobileMe (in the Accounts screen), you can wipe your phone by selecting Remote Wipe. This is the first time we've ever seen this option in a consumer phone and service, although it does require a paid MobileMe subscription, which retails at $99 per year for a single user, or $149 for a family pack of 5 unique accounts. It also requires that you enable Find My iPhone on the phone itself; it's not turned on by default when you enter or sync your MobileMe information.

Remote Wipe on the iPhone 3GS works just like a passcode wipe; the encryption key is deleted, making it a fast and effective process.


An Unexpected Benefit -- One major thorn in the side of enterprise security teams is portable storage. Now that small storage cards, like the SD cards powering our digital cameras, can hold many gigabytes of data, they have become a common transport mechanism for the loss of sensitive information.

Many smartphones support external storage, which is rarely encrypted or otherwise protected. Enterprise security tends to require expensive software to restrict use of portable storage on remote devices and protect corporate data.

Since iPhones don't support additional storage, this is actually a benefit for the enterprise. Personally, I was more than satisfied with the 16 GB on my iPhone 3G, and haven't come close to pushing the storage limits of my 32 GB iPhone 3GS.


Additional Security Benefits... and Risks -- The inclusion of encryption hardware on the iPhone 3GS, combined with a good selection of security options, is an advantage for both enterprises and consumers. iPhones are now easy to secure in case of physical loss, but this isn't the end of the security road.

There are two other major features that aren't security-specific per se, but convey significant security benefits. The iPhone is probably the single most updated phone on the market. I don't mean our annual sojourns to the Apple store for the latest hardware, but the ongoing software updates to add features and plug security holes. Phones are small computers now, and subject to the same problems with software vulnerabilities as your Mac or PC.

While the iPhone has suffered more than its fair share of vulnerabilities (46 patched in the last update), unlike with most consumer phones, users are far more likely to update their iPhones in a timely fashion, closing the holes. In the past, for many phones you had to take your device into a retail store and make a special request to get any kind of update. With the iPhone, assuming you plug it into a Mac or PC on occasion, it's hard to avoid getting these security updates.

The second feature is the automatic backup built into iTunes. Assuming you connect your iPhone to a computer, iTunes backs up all the data on your phone, including most of your settings and all of your applications. Aside from protecting you if you trash your phone, it also means that you don't need to worry about losing your data if you make a mistake in setting any of the security features.

I can remotely wipe my iPhone to my heart's content without suffering any real loss, other than a little time to restore the backup and clean up a few settings. iTunes can also encrypt your iPhone backups (for any model running iPhone OS 3.0), which is useful for enterprises.


Secure As Can Reasonably Be -- I've focused on the most important security features for a phone, but the iPhone is also a small computer, with a variety of additional security options. You can use a VPN connection to encrypt your network communications, encrypt your email connections (without needing a VPN), and install additional security tools such as the iPhone version of the popular 1Password [4] password management tool.

This isn't to say the iPhone is perfect. The reliance on iTunes is a serious liability in enterprises that frequently don't want such consumer software cluttering work computers. Also, as mentioned, the iPhone has experienced many software vulnerabilities, some of which could allow an attacker to take control of your phone by having you visit a malicious Web page. One security researcher recently discovered a way to hack iPhones remotely with little more than SMS text messages.

The iPhone 3.0 software includes a number of security features that place it on par with most other smartphones on the market. But with the additional encryption hardware on the iPhone 3GS, and a MobileMe subscription, consumers can now experience enterprise-class security.

[1]: http://www.wired.com/gadgetlab/2009/07/iphone-encryption/
[2]: http://www.apple.com/iphone/business/integration/
[3]: http://www.macworld.com/article/141605/2009/07/remotewipe.html
[4]: http://agilewebsolutions.com/products/a/1Password