Thursday, 11 September 2008

Over at Wired's Gadget Labs blog, Brian Chen writes about information revealed during a webcast presentation on Thursday about the recently discussed iPhone security weaknesses, which involve bypassing the password-protected lock screen.

Jonathan Zdziarski, a data forensics expert and author of the forthcoming book "iPhone Forensics," gave the presentation for law enforcement personnel and anyone else who might have a need to access an iPhone to discover information. During the presentation, in which he outlined a method for breaking into the phone with modified firmware and some hairy manipulation, he also showed how the iPhone takes a screenshot of every application the user closes by pressing the "home" button. The saved image is used to "draw" the collapsing screen animation you see when your application closes and you're returned to the home screen. The image file is then deleted from the iPhone's storage.

But, nothing is ever really completely "deleted." And in this case, apparently when the temporary image file is killed from storage, the data "on-disk" is not overwritten or otherwise cleaned, so anyone with some basic forensics knowledge can search the iPhone storage space for the old files and recover them easily. You can do the same thing on pretty much any computer.

Depending on your point of view, this is either a potential privacy issue or a great forensics feature. Having worked as both a police officer and as a business security professional responsible for privacy and data integrity issues, I can understand both arguments. Certainly as a cop, being able to dig into someone's iPhone (with a proper warrant of course) to find evidence of crimes where the phone was used in some manner is of real value, and screen shots are potentially pretty useful evidence. But as a person who also values privacy as a matter of basic principle, it's a little disconcerting, especially since I didn't realize until today screen shots are being made.

The webcast recording is not yet available as of the time of this writing, but it should be posted to http://www.youtube.com/OreillyMedia in the next few days. If you're interested in learning something about electronic data forensics, it will be worth the time to check it out. Here's the O'Reilly abstract from the session:

In this free, live webcast, iPhone hacker and data forensics expert Jonathan Zdziarski guides you through the steps used by law enforcement agencies to bypass the iPhone 3G's passcode lock by creating a custom firmware bundle. Author of the upcoming book, iPhone Forensics, Jonathan has devoted much of his talent supporting law enforcement personnel with his development of a forensics toolkit that allows them to recover, process, and remove sensitive data stored on the iPhone, iPhone 3G, and iPod Touch. This live presentation is aimed towards law enforcement and anyone else who has a need to access the not-so-readily available data on an iPhone.



Comments [4]
Friday, 12 September 2008 03:02:03 (Pacific Standard Time, UTC-08:00)
"as both a police officer and as a business security professional responsible for privacy and data integrity issues"

And now you're also an Anti-iPhone propagandist.

"The saved image is used to "draw" the collapsing screen animation you see when your application closes and you're returned to the home screen. The image file is then deleted from the iPhone's storage.

But, nothing is ever really completely "deleted." And in this case, apparently when the temporary image file is killed from storage, the data "on-disk" is not overwritten or otherwise cleaned, so anyone with some basic forensics knowledge can search the iPhone storage space for the old files and recover them easily. You can do the same thing on pretty much any computer."

You've changed the story. The original Wired story:

"The phone presumably deletes the image after you close the application."

Notice Zdziarski's weasel word, "presumably" that you omitted. Zdziarski doesn't really know whether any image is recoverable or not. He's a propagandist. More than likely the "image" only exists in the video frame buffer, and no "snapshot" is taken, but in the world of propaganda, that's just not scary enough.




zato
Friday, 12 September 2008 06:53:53 (Pacific Standard Time, UTC-08:00)
I don't get it, it takes a screen shot if you close out in a particular way. So, assuming the screen shot is recoverable, you can see what apps someone closed? What real use is that? Unless there is a 'people I've robbed' app or maybe a 'kittypron' app. What am I missing about this 'flaw'?

"oh noes! someone can find out I bought the 'iAMRICH' app!" wait ... er ...
Sunday, 14 September 2008 08:14:27 (Pacific Standard Time, UTC-08:00)
@jhayes - Reasonable question. We need to look at the bigger picture. It's not all about predators and murderers.

This concern is of the type that businesses should be aware of and know about, for example. Say I am the IT guy for a software company that works with databases from financial institutions. I have 500 or so employees, some of whom are using an iPhone (as a happy iPhone owner I can tell you that might not be such a great idea, but that's another subject for another day, perhaps). Not all of my employees follow procedure every time, and in a customer crisis situation one of those employees just emailed me (in violation of policy) a list of user accounts with sensitive info in it (such as names, accounts, passwords, etc. - stuff that he should never have had, let alone sent in email). I receive the email, I open it, and I read it. I click the Home button. Now a copy of sensitive information is stored in a file I didn't know existed on a device that is not very closely managed.

If I'm a bad guy, I write a little app that I hide inside a seemingly-safe app for the iPhone that enumerates the device storage and reassembles deleted screen shots (there could be hundreds or more) and sends them off to me.

All of this is purely hypothetical, for the record. I'm just trying to illustrate the *potential* risk. That's what we have to do in the security industry - look at the worst case and plan ahead. That's also how software should be designed - by modeling threats at the very beginning and maintaining that threat model throughout a product lifecycle, addressing the needs as you go, but hopefully before they become a real, live problem. None of this is super easy, but none of it is rocket science, either.

There's a simple way to substantially reduce the surface exposure and related risk of this cool UI feature: Securely overwrite the files rather than deleting them from the master file allocation table.

If the iPhone is to be seen as a secure device that can be used in Enterprise without fear of data loss, potential data vulnerabilities like this are among the sorts of things that need to be reviewed and addressed. You have to think like the bad guy when designing devices and apps. If you don't, someone will take advantage.
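
An added example, not part of the original post or its comments: a toy volume model in Python showing why dropping only the allocation-table entry leaves an image recoverable by signature scanning, and how zeroing the blocks before release removes it. `ToyVolume`, the block size and the constructed 1x1 PNG are assumptions for illustration; the page does not state the snapshot's file format.

```python
import struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BLOCK = 64  # toy block size (assumption)

def chunk(kind, data):  # one PNG chunk: length, type, data, CRC
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def sample_png():
    """Constructed 1x1 grayscale PNG standing in for a cached screenshot."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

class ToyVolume:
    """Raw storage plus an allocation table mapping names to block numbers."""
    def __init__(self, blocks=16):
        self.raw = bytearray(blocks * BLOCK)
        self.table, self.free = {}, list(range(blocks))

    def write(self, name, data):
        self.table[name] = []
        for off in range(0, len(data), BLOCK):
            b, piece = self.free.pop(0), data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(piece)] = piece
            self.table[name].append(b)

    def delete(self, name, overwrite=False):
        """Drop the table entry; optionally zero the blocks first."""
        for b in self.table.pop(name):
            if overwrite:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
            self.free.append(b)

def carve_pngs(raw):
    """Find PNGs in raw bytes by signature, ignoring the allocation table."""
    found, pos = [], raw.find(PNG_SIG)
    while pos != -1:
        end = raw.find(b"IEND", pos)
        if end == -1:
            break
        found.append(bytes(raw[pos:end + 8]))  # IEND type + 4-byte CRC
        pos = raw.find(PNG_SIG, end)
    return found

def residue_after_delete(overwrite):
    """Write a snapshot, delete it, and report what is still carvable."""
    vol = ToyVolume()
    vol.write("snapshot.png", sample_png())
    vol.delete("snapshot.png", overwrite=overwrite)
    return carve_pngs(vol.raw)
```

On flash storage, wear levelling can redirect a logical overwrite to different physical cells, so overwrite-before-delete reduces exposure rather than guaranteeing erasure.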
Sunday, 14 September 2008 08:49:15 (Pacific Standard Time, UTC-08:00)
@zato said, "And now you're also an Anti-iPhone propagandist."

No. I'm not. I own an iPhone and use it a lot. I like it. But calling out potential flaws is a reasonable and prudent thing to do. Did you watch the webcast?

A flaw like this can have real and important implications in business and government, for example. Protection of information is critical, and this is a possible weakness in that regard.

Is it the end of the world? No. Is it important to look at, investigate, point out and resolve? Yes.