iPhone crypto issue isn't all it's cracked up to be
It's been a bad security week for Apple, what with the world of malware finally bothering with Macs. But there was another story: ElcomSoft Co. Ltd., a Moscow computer security firm, announced that it had developed a method to decrypt iOS 4 (iPhone, iPad, iPod touch) file system images. ElcomSoft also will be releasing the product implementing this "...for the exclusive use of law enforcement, forensic and intelligence agencies."
Oh no, another embarrassing revelation for Apple? Yes and no. To put it bluntly, the actual cryptography in the iPhone 4 is not "cracked", nor is it bypassed. The method used by ElcomSoft is brute force, which means that it cycles through all possible decryption keys finding the one that works.
Theoretically this is possible in any crypto system, but we deal with it by having complex keys, in the sense that 'asdf' isn't a good password, but '&GHd67.##jjfo)' is. And this is where the iPhone fails: by default, passcodes in iOS are composed of exactly 4 numerals. This means that there are a total of 10,000 possible keys, not a whole lot for a computer to check.
Are you concerned about this? You can enable more complex passcodes with "Settings > General > Passcode Lock > Simple Passcode > OFF." But who changes the default settings, especially to make the system less convenient to use? Not many people.
If you have truly sensitive data that can't be allowed to get into the wrong hands, you probably shouldn't be keeping it on an iPhone or an Android phone or a Blackberry or any of these things. Remember all the hullabaloo when Obama insisted on keeping his Blackberry after he was sworn in? And the odds that he would leave his smartphone on a commuter train or in a diner were considerably less than for you.
It's not clear to me whether Apple should make a change here, except to warn people explicitly that a 4 digit passcode isn't much of a barrier, and to offer the user a more secure option. As with the malware problem, ultimately the solution has to come from the user appreciating risks, something they are, sadly, not good at.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contibuting Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.