A security researcher who has asserted Apple’s iPhone 3GS is not enterprise-ready has posted tutorials on YouTube to back up his claims.
Jonathan Zdziarski, who teaches forensic classes about recovering data from the iPhone, has posted two tutorials to YouTube to demonstrate issues he contends are serious enough to make IT pros leave the iPhone out of the enterprise. In one, he shows how an attacker can remove a passcode and get to data on the device.
“Now law enforcement has all of the tools that they need to be able to do this,” he noted in the video. “The problem is the bad guys also do too. So while this is good for forensic purposes, it’s also quite terrible for the rest of us in terms of our own private security.”
In the second video, he shows how a hacker can use software tools to download a raw disk image from the phone that could provide personal information, deleted voice mails and other data.
Security has emerged as an important selling point for Apple with the iPhone 3GS. In fact, Apple Chief Operating Officer Timothy Cook said as much during the company’s latest earnings call, noting that the phone’s new hardware encryption and improved security policies were part of the reason enterprises were expressing interest in the 3GS.
The data encryption feature protects user data by encrypting it in transmission, at rest and when backed up to iTunes. The smartphone also provides secure methods to prevent unauthorized use of the device through passcode policies and restrictions. If the phone is lost or stolen, all data and settings can be cleared remotely.
Still, Zdziarski maintains that the security holes he demonstrated mean there is work left to be done.
“Unfortunately, the iPhone is completely wide open,” Zdziarski said in one of the videos. “As much as I like this device, Apple really needs to fix some of these security issues for the consumer before, in my opinion, it’s ready for the enterprise.”
Apple did not respond to a request for comment in time for publication.