Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

TheSideshow

macrumors 6502
Original poster
Apr 21, 2011
392
0
One of the roadblocks that Apple has faced in entering the enterprise market has been its perceived lack of security when compared to competitors such as RIM’s Blackberry phones. With iOS 4, Apple released hardware encryption to keep all of the data on your portable device safe and secure and even allowed third party developers to use the encryption APIs for more protection. Now, according to Geek.com, a Russian security and audit company has managed to circumvent the encryption layer leaving all of your personal data at risk.

http://www.neowin.net/news/company-finds-way-to-bypass-apples-ios-encryption

http://www.geek.com/articles/chips/apples-ios-4-hardware-encryption-has-been-cracked-20110525/

ElcomSoft offer this iOS 4 forensic toolkit to security and law enforcement agencies, but anyone can purchase the software to extract the encrypted data on a device. The application is called the ElcomSoft Phone Password Breaker and costs around $320 for the Professional edition. The speed of decryption on a home PC depends on your setup with Password Breaker supporting up to 32 CPUs and 8 GPUs.
 
From the Geek.com article (emphasis mine):

However, you need access to the device in order to decrypt the data, not just an encrypted image from a device. This is because ElcomSoft brute-force the passcode which has to be done on the device, and with something like an iPhone 4 that takes around 40 minutes to achieve.

That doesn't sound like cracking the encryption at all. It sounds more like brute-forcing the passcode to get at the contents.

Which also begs the question: what happens if the user has the option enabled to wipe data after 10 failed passcode attempts? If ElComSoft has found a way around this, then maybe there's an actual story here.

Otherwise, it would seem to me a true break of the encryption key would entail not having to even try brute-forcing any passcodes at all. You would just plug in and get the data, passcode or not... or, work off the encrypted image file without needing physical access tot he phone at all.

So unless this story is written wrong, it seems like all ElComSoft has done is automate the process of guessing an iPhone user's passcode.

Edit: The Proof is in the naming: ElComSoft calls this supposedly ingenious piece of software "iPhone Password Breaker."
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.