I wrote last month about the new hardware encryption feature of the iPhone 3GS, which some have claimed provides the iPhone with “enterprise-class security”. However, now that the iPhone 3GS has been out for a month, Jonathan Zdziarski, author of iPhone Forensics, has shown that the encryption on the 3GS is much weaker than suspected.
In this Wired article and associated Youtube videos, Jonathan shows that while the iPhone’s disk is encrypted, the kernel decrypts the data when it is requested by widely-available open source tools. Jonathan will also demo how this works in an O’Reilly Media webcast on July 29th.
This is pretty laughable security. It is essentially encryption in name only. This is a good example of why it is not enough for a device or software to correctly implement a secure encryption algorithm (in this case AES 256). All other aspects of the system must be designed securely.
I love my iPhone 3GS for its refined UI experience and third-party applications, but it’s clear that security has relatively little emphasis in the iPhone’s ongoing development.