[ISN] The iPhone Has Passed a Key Security Threshold

From: InfoSec News <alerts_at_private>
Date: Tue, 14 Aug 2012 05:48:38 -0500 (CDT)
http://www.technologyreview.com/news/428477/the-iphone-has-passed-a-key-security-threshold/

By Simson L. Garfinkel
Technology Review
August 13, 2012

Less than a month after Apple first shipped the iPhone in June 2007, a 
group called Independent Security Evaluators documented deep security 
design flaws in the device. Apple's most embarrassing flub: every iPhone 
application that Apple had written ran with so-called root privileges, 
giving each one complete control over the entire phone. Hackers found 
bugs in those apps that could be used to take over the phone from the 
inside. Apple didn't fix the design flaw until January 2008.

But after that rocky launch, Apple invested heavily in iPhone security. 
It's still possible for a hacker to take over a phone, but it's 
increasingly difficult, largely because each app runs in its own 
isolated "sandbox." The phone even verifies its operating system when it 
boots. Today the Apple iPhone 4S and iPad 3 are trustworthy mobile 
computing systems that can be used for mobile payments, e-commerce, and 
the delivery of high-quality paid programming—all of which bring Apple 
significant revenue in the form of commissions.

In fact, in its efforts to make its devices more secure, Apple has 
crossed a significant threshold. Technologies the company has adopted 
protect Apple customers' content so well that in many situations it's 
impossible for law enforcement to perform forensic examinations of 
devices seized from criminals. Most significant is the increasing use of 
encryption, which is beginning to cause problems for law enforcement 
agencies when they encounter systems with encrypted drives.

"I can tell you from the Department of Justice perspective, if that 
drive is encrypted, you're done," Ovie Carroll, director of the 
cyber-crime lab at the Computer Crime and Intellectual Property Section 
in the Department of Justice, said during his keynote address at the 
DFRWS computer forensics conference in Washington, D.C., last Monday. 
"When conducting criminal investigations, if you pull the power on a 
drive that is whole-disk encrypted you have lost any chance of 
recovering that data."

[...]
Received on Tue Aug 14 2012 - 03:48:38 PDT
