Does your company use the iPhone 3G (or 3GS) as an important business tool? You may be ecstatic with your fancy new play-toy now, but maybe it’s time to take a long pause and consider the risk involved with the product you are using. According to one prominent iPhone developer and computer hacking expert, the 3G’s enterprise-friendly encryption is extremely weak and very vulnerable to hackers, to the point that it can be cracked in as little as two minutes with the right freeware.
“It is kind of like storing all your secret messages right next to the secret decoder ring,” says Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”
The iPhone 3G has captured the mind of the public and especially companies through its simple interface and myriad of applications for download. Top companies have been snatching them up left and right, and according to Apple chief operating officer Tim Cook, almost 20 percent of Fortune 500 companies have made a 3G purchase of 10,000 or more phones apiece. There have even been a small number of corporations and government organizations that have purchased 25,000 or more phones.
Despite these impressive numbers, which are bolstered by Apple’s claim that the 3G is more enterprise friendly, Zdziarski says that the phone’s encryption feature is incapable of protecting highly sensitive information such as social-security and credit-card numbers and that the model is no better at protecting private information than ether of the previous generations of iPhone’s despite neither having encryption protection. Finally, Zdziarski claims that if a thief were able to get their hands on your iPhone, they could obtain an entire raw disk image in as little as 45 minutes using free software.
From the phone’s popularity and sales within the business community, however, it seems that business professionals are either ignoring of or do not understand the product’s encryption weakness and the effect this could have on their personal information.
“We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies,” Cook said during Apple’s earnings call. “The phone is particularly doing well with small businesses and large organizations.”
Applications on the iPhone are geared towards making the work of a variety of businesses more efficient and thus are seen as worth the risk. Quickoffice Mobile allows users to access and edit Microsoft Word and Excel files on their phone, while merchants can use Accept Credit Cards to access a credit card on an iPhone anywhere in the world with a W-Fi or cellular connection.
Lance Kidd, chief operating officer of Halton Company, an industrial equipment provider, says that the number of applications fro the iPhone make it worthy of risk-taking for his company and that, “Your organization has to be culturally ready to accept a certain degree of risk. Our culture is such that our general manager is saying, I’m willing to take the risk for the value of the application.”
Kidd says that his company only uses their 3G’s for a variety of social networking purposes, including e-mailing clients and staying in touch with them via social networking sites such as Twitter and that he has decided it would be safer to dedicate Halton to responding strongly to an information security threat, rather than putting up what he sees as a feeble effort to avoid them.
Despite the arguments of both Kidd and Apple themselves however, Zdziarski still insists the phone’s software vulnerability is too risky for use in the workplace and states that application designers must add extra security to their apps to make up for Apple’s failures to their customers.
“If they’re relying on Apple’s security, then their application is going to be terribly insecure,” he said. “Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”
Apple has admitted in the past that the company is vulnerable to security threats with Steve Jobs acknowledging in August 2008 the existence of a remote kill switch for iPhone applications to automatically delete malicious apps. There is no evidence it has ever been used.
Zdziarski had one last piece of advice to leave to companies who have been relying on the iPhone for business.
“We’re going to have to go with the old imperative of ‘Trust no one,’” he said. “And unfortunately part of that is, don’t trust Apple.”