Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Where is the encryption, Steve?

P

pocketdoc

macrumors 6502a
Original poster
Apr 15, 2008
799
37
I love my iPhone. Let's get that out there right now.

HOWEVER, being a physician, encryption is VERY necessary when viewing or transferring patient information. It is required by law (HIPAA).

Microsoft and RIM have long encrypted their devices. Why hasn't Apple? I know there must be a good reason for this, but if Steve wants to penetrate the medical field as well as corporations, encryption needs to be addressed.

I see no mention of this in 3.0. Am I wrong?

Anyone know if encryption is coming?
 
8767092 said:
The OP means full device encryption the way Blackberry and Windows Mobile encrypt the device with virtually no way to get data off of the device without the passcode.
Click to expand...

There's been many threads asking how to get data off a pass-code locked iPhone, and the answer always has been that it's impossible unless you are the legitimate owner of the iphone and have the computer it regularly syncs with. How exactly is the blackberry or winmo more secure than that?
 
Night Spring said:
There's been many threads asking how to get data off a pass-code locked iPhone, and the answer always has been that it's impossible unless you are the legitimate owner of the iphone and have the computer it regularly syncs with. How exactly is the blackberry or winmo more secure than that?
Click to expand...

That answer isn't really fully correct... it's correct in the sense that a user can't get their information back off the phone in a usable format, but not in the sense that the information could not be viewed at all. If the phone is jailbreaked already (worse case scenario, although one probably ought not be jailbreaking a device they wish to be HIPAA compliant), then can someone who got it not SSH onto it, copy files off it, and then extract sensitive information from the files?

Were it not jailbreaked, I believe there are enough exploits to allow jailbreaking it even with the password intact, although I'm less sure about this.

But I don't think, so far, Apple really promised encryption. It'll be interesting to see if/when they get around to adding it.

FWIW, I think Apple's implicit argument is that the fact that it has a remote wipe feature essentially complies with HIPAA requirements. I'm not endorsing that view, just making an observation.
 
The problem for me (and others) is primarily with SMS messages. We send messages to one another and through our office about patients. The iPhone is not encrypted, and there is only one jailbroken app that solves this problem.

As already stated, MS and BB are already encrypted.
 
mkrishnan said:
Were it not jailbreaked, I believe there are enough exploits to allow jailbreaking it even with the password intact, although I'm less sure about this.
Click to expand...

I mean I'm almost positive that you can drop the phone into DFU mode and jailbreak it with SSH installed and be good to go from there. Stuff like Notes and SMS are basically unencrypted databases that can be read back fairly easily when pulled off the phone. There might even be a way to pull off the passcode lock somewhere in the filesystem.
 
Night Spring said:
There's been many threads asking how to get data off a pass-code locked iPhone, and the answer always has been that it's impossible unless you are the legitimate owner of the iphone and have the computer it regularly syncs with. How exactly is the blackberry or winmo more secure than that?
Click to expand...

With a berry, even if you take apart the phone and desolder/remove the flash chips from the circuit board, you still can't easily read the unencrypted data from the chips. With an iPhone, all you might need is a well equipped engineering and/or forensics lab, and the manufacturers data sheet for the flash memory chips.

ymmv.
 
pocketdoc said:
The problem for me (and others) is primarily with SMS messages. We send messages to one another and through our office about patients.
Click to expand...

That might already be a HIPPA violation. SMS messages are sent in plain text on known radio channels, not encrypted, and can be eavesdropped by modified radio test equipment.

But IANAL.
 
I also agree that there should be some kind of encryption available, not only for text messages but for paritions on the iPhone flash memory itself. It's layout is similar to unix and therefore should be able to support encrypted partitions.

To say that you transfer patient details via text is actually worrying and somewhat strange.

One thing I would like to see is the integration of PGP for e-mails built into the e-mail client.
Additional to that, actual proxy support/SSH tunneling for connections such as mail and web. I use an encrypted proxy tunnel for most of my web communications due to the nature of my business and find it to be both secure and easy to use.
 
Transferring patient information via cell phones is not "worrisome". I do not do it on the iPhone because IT IS NOT AN ENCRYPTED DEVICE. I love my iPhone and think it is an amazing phone. However...

I HAVE done it in the past with Blackberry and Windows Mobile devices, because the information transmitted is ENCRYPTED by the sender and the devices.

Having the phone password protected to GET INTO the phone is nice, but the problem is with transferring the information from device to device. Everything is encrypted up until it reaches the iPhone. That is where the encryption stops.

I don't know how to make this any clearer.

Again, if Apple wants to penetrate the medical and exec. world, they should encrypt their devices.

That's all from me. I am getting down form my soapbox now. :)
 
SMS is NOT encrypted when sent over the carriers' networks. The only way BB communication is encrypted is when it is routed through a BES, which is essentially encrypted email, which the iPhone does as well.
 
pocketdoc said:
The problem for me (and others) is primarily with SMS messages. We send messages to one another and through our office about patients. The iPhone is not encrypted, and there is only one jailbroken app that solves this problem.

As already stated, MS and BB are already encrypted.
Click to expand...

SMS messages are not a secure means to send data between phones.
 
I stand corrected.

If our office sends a message via secure Email and it arrives as an SMS, is that still interceptable?

Not sure how HIPAA can be applied to cellular devices...

I did see an app on Cydia that encrypts messages, but have not tried it.
 
I'm not sure about the whole SSH thing, but if you change the password for SSH from alpine to something else, is there really a way (short of a restore) to SSH into a phone without the required password?

Also, encryption has never been the case. Once it hits the AT&T server, the encryption goes bye bye. You're better off sending emails to each other as they're mostly 256k encrypted.
 
megamanbnmaster said:
I'm not sure about the whole SSH thing, but if you change the password for SSH from alpine to something else, is there really a way (short of a restore) to SSH into a phone without the required password?
Click to expand...

Programs like DiskAid and iPhoneBrowser let you browse a jailbroken phone's file system without requiring password for access.
 
I think some of you guys are missing the process behind encrypted messages, namely SMS or e-mails.
You're saying that when it hits a carrier its decrypted. Are you crazy?
If something is encrypted, it is encrypted using some kind of key. This key is not known by a carrier and therefore they cannot decrypt the data when they receive it.
The phone on the other end of the SMS has the key to decrypt it, which happens on the device itself.

This is not on the iPhone currently so it is a little off-topic.
As a software developer, the means of encryption on non-encrypted networks is something I have done for clients in the past. I have made, and personally use an MSN encryption library that encrypts text sent over msn between compatible clients. This encrypts only the body of the message and none of the headers, thus causing it to be completely compatible with Microsofts network yet there is no way they can decrypt it unless they have your key. In my case I use PGP and my key was not transfered over an unencrypted network to begin with so again, only the intended receipient has the key.

I have only recently begun programming for the iPhone but I would seriously consider making a 3rd party app to support encrypted SMS/Mail. If anyone would be interested in such an app then please let me know and we can work together to map out what would be needed.
 
firewood said:
That might already be a HIPPA violation. SMS messages are sent in plain text on known radio channels, not encrypted, and can be eavesdropped by modified radio test equipment.
Click to expand...

No, SMS messages are encrypted over the air using A5/3 (KASUMI)
 
The iPhone doesn't support S/MIME either, which is a bit of a surprise given Mail.app's stellar support for it...
 
I doubt encryption is coming due to the International laws on encryption and iPhone apps being sold outside of the U.S.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back