Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Mobile

    iPhone 4 Encryption Remains Uncracked, but Password Keys Easy to Obtain

    By
    Fahmida Y. Rashid
    -
    May 27, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Russian security firm ElcomSoft claims to have cracked the AES-256 encryption Apple used to encrypt data on user iPhones. Despite the claim of the company’s CEO, that’s not quite the case.

      The publicly available ElcomSoft Phone Password Breaker application provides users with the ability to view encrypted data extracted from mobile devices running Apple iOS and decode encrypted data, ElcomSoft’s CEO Vladimir Katalov wrote in a blog post May 23. The complete ElcomSoft toolkit with the decryption program will be marketed to law enforcement and intelligence agencies.

      Apple introduced a hardware encryption chip on iOS 4 devices, which meant that anyone doing a hardware dump will get encrypted data. This includes geo-location data, browsing history, call history, test messages, emails, usernames and passwords. The files were encrypted with its own unique encryption key tied to the individual device, and some files were further protected with keys tied to both the device and the user’s passcode.

      ElcomSoft researchers were able to decrypt the iPhone’s encrypted file system images, Katalov boasted in a blog post titled “ElcomSoft Breaks iPhone Encryption.” With the file decrypted, the contents could be viewed using any number of forensic tools, Katalov said.

      ElcomSoft is a well-known corporate security and IT audit company that works with law enforcement, military and intelligence agencies to recover data and perform forensics. Apple’s data protection was considered “adequate against even the best equipped adversaries, including forensic analysts and law enforcement agencies,” Katalov said. By “breaking” the protection, ElcomSoft made it possible to conduct “extremely comprehensive forensic analysis of affected iOS devices,” he said.

      Misleading blog post title aside, the fact is, ElcomSoft researchers did not crack AES-256, Luther Martin, a senior security architect at Voltage Security, wrote on the Superconductor blog on May 26. Digging deeper into Katalov’s post reveals that ElcomSoft researchers didn’t actually figure out a way to brute-force its way through the encryption, but circumvented the security measures altogether by obtaining the encryption keys stored on the device to unlock the data.

      Simply put, ElcomSoft researchers didn’t break the complicated lock on the door; they figured out how to get the key hidden under the flowerpot.

      “What ElcomSoft has cracked is the iPhone’s weak key management, not the encryption itself,” Martin said. The Password Breaker application attacked the four-digit PIN that users assign to their phones. The passcode protects the encryption keys that were generated when encrypting the data on the device. Once the password has been broken, the person can extract the numbers used to generate encryption keys and decrypt content, according to Martin.

      Cracking the “AES-256 key is still so hard that it’s essentially impossible,” Martin said.

      “The extraction of file system encryption keys is nearly instant as opposed to lengthy dictionary or brute-force attacks which are required to obtain a password,” Katalov acknowledged in his post.

      The lesson learned from this particular technique is that using a four-digit code to protect a 256-bit key doesn’t mean the data is being protected with “256 bits of cryptographic strength,” Martin said. Anyone with access to a low-cost desktop can come up with the four-digit combination, so the passcode is not “providing a meaningful level of protection” to the encryption keys. For the iPhone 4, it takes about 40 minutes to crack the four-digit code.

      Security expert Charlie Miller uncovered a similar method in February. Miller recommended that users use long complicated passwords instead of easily cracked four-digit codes.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×