iOS 7 Email Attachment Vulnerability Real but Limited


Security researcher Andreas Kurtz has identified a vulnerability that leaves email attachments downloaded by iOS 7’s Mail app unprotected by Apple’s Data Protection technology. In short, Data Protection builds on the device’s always-on hardware encryption by protecting the file encryption keys with your passcode. Apple specifically notes that this “provides an additional layer of protection for your email messages, attachments, and third-party applications.”

Apple has officially confirmed the vulnerability to us and says it will fix it in a future update, but such a fix didn’t make it into the recent iOS 7.1.1 update.

How Data Protection Works -- Data Protection ensures that even if an attacker gains physical control of your device, he can’t read protected files without knowing your passcode, even if he can break the rest of the iOS device’s security. This matters most against attackers (or law enforcement) who connect to a device, extract a copy of the entire file system, and then try to decrypt it offline. If you don’t enable Data Protection by setting a passcode, your iOS file system is still encrypted, but with keys that live on the device and unlock without any secret from you, so that encryption is easy to circumvent by tethering the device to a computer.

Setting a passcode does two things. It engages additional hardware protections against unapproved physical connections, and it encrypts application data storage (including email) using keys derived from both your passcode and a hardware key that is unique to your device and designed so that it cannot be extracted or copied. Someone holding a complete copy of your file system therefore cannot decrypt protected files offline: without the hardware key the passcode alone is useless, and guessing both at once is computationally infeasible.

The alternative is to brute force your passcode on the device itself (through a tethered connection to a computer), but the key derivation is deliberately slow, calibrated so that each guess costs roughly 80 milliseconds of computation. That makes an exhaustive search of a four-digit PIN a matter of minutes, but a passcode longer than 6 to 8 mixed characters is effectively unguessable. Data Protection is extremely effective on hardware that keeps an attacker from running his own code before the passcode is entered; older devices (the iPhone 4 and earlier, before the iPhone 4S and iPad 2) can be booted into a jailbreak that needs no passcode and are thus more exposed.
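The key hierarchy described above, as an added example that is not Apple’s code and not part of Kurtz’s research: a small Python model in which a per-file key is wrapped under a class key derived from the passcode entangled with a device-bound key. The device UID, ITERATIONS, SECONDS_PER_GUESS and the HMAC-based wrap are constructed stand-ins for the fused hardware key, Apple’s calibrated derivation cost and AES key wrapping. The two attack functions show why an offline copy of the file system cannot be brute forced without the hardware key, and why on-device guessing is bounded by the per-guess cost rather than by the attacker’s CPU budget.

```python
import hashlib
import hmac
import itertools
import os
import string

# Assumed constants (illustrative; real devices calibrate these in hardware and firmware).
ITERATIONS = 10_000        # KDF iterations; stands in for the calibrated per-guess cost
SECONDS_PER_GUESS = 0.08   # assumed on-device cost of one derivation, used only for estimates
KEY_LEN = 32


def derive_class_key(passcode: str, device_uid: bytes) -> bytes:
    """Class key = slow KDF over the passcode, salted with the device-bound key.

    The UID is the entanglement: without it nobody can reproduce this
    derivation off the device, no matter how much CPU they bring.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid,
                               ITERATIONS, dklen=KEY_LEN)


def wrap_file_key(file_key: bytes, class_key: bytes) -> bytes:
    """Wrap a per-file key under the class key (stand-in for AES key wrap).

    XOR with an HMAC-derived keystream, then append a tag so that a wrong
    class key is rejected instead of silently yielding garbage.
    """
    stream = hmac.new(class_key, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(file_key, stream))
    tag = hmac.new(class_key, wrapped, hashlib.sha256).digest()[:16]
    return wrapped + tag


def unwrap_file_key(blob: bytes, class_key: bytes):
    """Return the file key, or None when the class key (passcode + UID) is wrong."""
    wrapped, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(class_key, wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(class_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def offline_attack(blob: bytes, candidates, guessed_uid: bytes):
    """Attacker holds a copy of the file system but not the real UID.

    Every candidate passcode is derived with a guessed UID, so even the
    correct passcode is rejected. Returns the passcode found, or None.
    """
    for pw in candidates:
        if unwrap_file_key(blob, derive_class_key(pw, guessed_uid)) is not None:
            return pw
    return None


def on_device_attack(blob: bytes, candidates, device_uid: bytes):
    """Tethered attacker drives the device, so the real UID is in play, but
    every guess pays the full derivation cost. Returns (passcode, guesses)."""
    guesses = 0
    for pw in candidates:
        guesses += 1
        if unwrap_file_key(blob, derive_class_key(pw, device_uid)) is not None:
            return pw, guesses
    return None, guesses


def brute_force_years(alphabet_size: int, length: int) -> float:
    """Worst-case on-device time to exhaust a passcode space, in years."""
    return (alphabet_size ** length) * SECONDS_PER_GUESS / (365 * 24 * 3600)


if __name__ == "__main__":
    device_uid = os.urandom(KEY_LEN)      # constructed stand-in for the fused hardware UID
    file_key = os.urandom(KEY_LEN)        # per-file key protecting one attachment
    blob = wrap_file_key(file_key, derive_class_key("0137", device_uid))

    pins = ["".join(p) for p in itertools.product(string.digits, repeat=4)][:300]
    print("offline, wrong UID:", offline_attack(blob, pins, b"\0" * KEY_LEN))
    pw, n = on_device_attack(blob, pins, device_uid)
    print("on device:", pw, "after", n, "guesses")
    print("4-digit PIN, worst case: %.1f minutes" % (brute_force_years(10, 4) * 365 * 24 * 60))
    print("8 mixed-case alphanumerics: %.0f years" % brute_force_years(62, 8))
```

Run as a script, the offline search over the first 300 PINs fails even though the correct PIN is among them, the on-device search finds it after 138 guesses, and the two estimates make the article’s point in numbers: a four-digit PIN falls in minutes, an 8-character alphanumeric passcode takes hundreds of thousands of years at the assumed per-guess cost.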

Limitations to the Attack -- Although Kurtz says he was able to access the file system using “well-known techniques,” those techniques require technical know-how, and some of the tools work only on the iPhone 4 and earlier, as noted above. We are also already in the territory of an attacker with full physical access to the device, so this isn’t the sort of thing that could be exploited broadly via malware or over a network connection.

An attacker either needs your passcode (in which case he has everything anyway), or he needs a jailbreak that works without a passcode and gives him access to the file system. That’s how Kurtz was able to attack an iPhone 4. It’s unclear how he reproduced the problem on an iPhone 5s and iPad 2 running iOS 7.0.4, since those more recent devices running iOS 7 aren’t susceptible to a jailbreak without the passcode. It’s possible that Kurtz had already jailbroken his iPhone 5s and iPad 2, in which case they weren’t as protected as a stock device would be. The bug means that email attachments still aren’t covered by Data Protection on those devices, but without the passcode or a pre-existing jailbreak there isn’t a way to get at them.

Regardless, the practical upshot is that unless you receive highly sensitive information in email attachments and are at risk of being targeted in person by someone interested in your data, there’s little to worry about here. Enterprise admins will want to alert users still relying on the iPhone 4 (or earlier), since email attachment data on those devices could be exposed if an attacker gained physical access.

 


Comments about iOS 7 Email Attachment Vulnerability Real but Limited

Great article! However, I don't understand the phrase "If you don’t enable Data Protection by configuring a passcode, your iOS file system is encrypted in a way that is easy to circumvent by tethering your device to a computer." Isn't it "easy to circumvent" based simply on the fact that you can use the phone without a code and see whatever you want? I have to be missing something here. Thank you again!
Rich Mogull (TidBITS Staff) 2014-05-05 17:59
Technically it is always encrypted to speed up device wiping (delete the key, and the data is unrecoverable). Adding the passcode is what really protects the data.