The iPhone 3GS and Forensics: Encryption Changes the Game?

One of the new iPhone 3GS features that has received little attention this week is hardware encryption. However, from a forensics standpoint, this is probably the most significant feature of the new update. The feature is buried at the bottom of this “more features” page:

Phil Schiller also briefly mentions this feature at 1:52 of the Apple keynote.

Why Encryption on the iPhone Matters

Encryption on the iPhone matters to businesses because the iPhone can store potentially sensitive information. Among other things, forensics investigators can recover the following from iPhones (from iPhone Forensics by Jonathan Zdziarski):

  • Keyboard caches containing usernames, passwords, and nearly everything typed on the iPhone.
  • Screenshots of the last state of an application before the home button is pressed to return to the main menu.
  • Deleted images.
  • Deleted calendar entries and contacts.
  • A record of the last 100 calls made.
  • Viewed Google Maps images and directions.
  • Browser history and caches, even when deleted.
  • Deleted email messages.
  • Deleted voicemail.
  • Pairing records establishing which computers the iPhone was synced with.

You might think that extensive forensics experience and knowledge of the iPhone operating system and file system are needed to recover this data. However, several specialized forensics tools, such as Paraben's Device Seizure and the Sixth Legion's Wolf, have automated this forensics process and can recover sensitive data from iPhones in seconds.

So it is understandable that encryption on the iPhone is a highly requested feature by corporations, according to Phil Schiller. Hardware-based encryption on the iPhone could effectively nullify forensics work on the iPhone.

Remote Wipe: A Potential Weakness

However, one potential weakness in the iPhone encryption scheme is how the encryption key is stored, which is related to another new iPhone 3GS feature, instantaneous remote wipe:

According to Schiller, hardware encryption on the iPhone 3GS enables instantaneous remote wipe. Apparently, rather than overwriting every bit as does the iPhone 3G, a remote wipe on the iPhone 3GS only overwrites the hardware encryption key, rendering all data on the iPhone unintelligible. This explains why if you later recover your iPhone 3GS, you can restore your data by enabling your MobileMe account on the iPhone, which apparently downloads the hardware encryption key to the iPhone, making the data on the iPhone readable again.

Although this feature is convenient, it does pose a potential security problem. If the hardware encryption key is stored in the iPhone file system without being encrypted itself, then a forensics investigator could find the key and decrypt data on the iPhone. Forensics tools like a Faraday cage will also prevent the iPhone from receiving a remote wipe command, lengthening the window to find the encryption key indefinitely.
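The two designs contrasted above, as an added example that is not part of the original post: a constructed model of the flash holding an encrypted volume and a key record, where remote wipe overwrites only the key record and the escrowed copy (the MobileMe role) restores it. The hash-based stream cipher, the key check value and the passcode-wrapped key record are assumptions standing in for the real AES engine and Apple's actual key storage, which the post does not describe.

```python
import hashlib
import secrets

def keystream_cipher(key: bytes, data: bytes) -> bytes:
    # Toy CTR-style stream cipher on SHA-256, standing in for the AES hardware
    # engine. XOR is symmetric, so the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def kcv(fs_key: bytes) -> bytes:
    # Key check value, so a reader can tell a real key from wiped or garbage bytes.
    return hashlib.sha256(b"kcv" + fs_key).digest()[:8]

def wrap_key(fs_key: bytes, passcode: str, salt: bytes) -> bytes:
    # Volume key wrapped under a passcode-derived KEK: the "key itself encrypted" design.
    kek = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)
    return keystream_cipher(kek, fs_key)

def make_device(user_data: bytes, passcode=None):
    # Constructed model of the flash: encrypted volume plus the stored key record.
    # Also returns an escrow copy of the key (the role MobileMe plays in the post).
    fs_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    dev = {"volume": keystream_cipher(fs_key, user_data), "salt": salt, "kcv": kcv(fs_key)}
    restore_key(dev, fs_key, passcode)
    return dev, fs_key

def restore_key(dev: dict, escrowed_key: bytes, passcode=None) -> None:
    # Install (or re-install) the key record, wrapped if the device has a passcode.
    dev["wrapped"] = passcode is not None
    dev["key_record"] = wrap_key(escrowed_key, passcode, dev["salt"]) if passcode else escrowed_key

def remote_wipe(dev: dict) -> None:
    # Instantaneous wipe: only the key record is overwritten; the volume stays on flash.
    dev["key_record"] = bytes(len(dev["key_record"]))

def read_volume(dev: dict, passcode=None):
    # What any reader of the flash gets back: the plaintext if the stored key record
    # is usable, None if the key was wiped or the passcode is missing or wrong.
    key = dev["key_record"]
    if dev["wrapped"]:
        if passcode is None:
            return None
        key = wrap_key(key, passcode, dev["salt"])  # symmetric, so this unwraps
    if kcv(key) != dev["kcv"]:
        return None
    return keystream_cipher(key, dev["volume"])
```

With the key record stored in the clear, `read_volume` succeeds with no passcode until the wipe lands; with the record wrapped, the same flash image yields nothing without the passcode.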

Of course this would require specialized knowledge of the iPhone and cryptography, but that is exactly what forensics firms like Paraben and Sixth Legion have. And their expertise is encapsulated and automated in tools like Device Seizure and Wolf, extending this ability to more general users.

So while hardware encryption on the iPhone 3GS is an interesting development, unless the encryption key is itself somehow encrypted, it will be a matter of time before the forensics community learns a way to find the key and make forensic analysis of the iPhone 3GS possible.

[Update June 14, 2009: Jonathan Zdziarski of iPhone Forensics left an insightful comment below.]

8 thoughts on “The iPhone 3GS and Forensics: Encryption Changes the Game?”

  1. Jonathan Zdziarski

    Anthony,

    This may not be as big an issue depending on how it works. If Apple knew how to properly implement security, my first book on iPhone Forensics wouldn’t have been able to be written. Unfortunately for consumers, Apple IMO has a history of reckless regard for “secure” coding practices.

    If the 3GS is TPMish then an app on the phone querying data will get unencrypted output at the end of its read functions, or be able to query the crypto facility itself to decrypt. Since the forensics process of today institutes a recovery agent in memory, it may be able to masquerade as a legitimate process to use the phone against itself for decryption.

    If a PIN is used, it may only be used to enable access to the device, and not to decrypt. In this case, you can bypass it altogether. If the PIN is needed to decrypt, it’s likely you could disable the kill switch after each try so you could brute force it.

    Encrypted backups can already be defeated by simply moving the keychain, so depending on whether the entire FS is encrypted or individual files, this could also be an easy solution. The keychain doesn’t exist in the user home directory either, making the chance of being able to move it likely.

    Finally, as is the case with the keychain right now, the keys might be easy to deduce or extract. Lots of guys do reverse engineering, so it’s likely the method for this will be published at some point. Hell, if the baseband computer can be cracked, so can a simple crypto mechanism.

    Unlike a computer, the phone needs access to user data just to boot… So the ability to get to this data may not be as big of a deal. There are a number of potential ways around it. The question is: can one out of the hundreds of iPhone hackers out there be smarter than Apple? So far, the odds aren’t in Apple’s favor.

    One important thing to note is that iPhoneOS 3.0 on an iPhone or iPhone 3G uses _no_ disk encryption, and one can easily perform a forensic recovery of the user data by following the same methods outlined in the book. Encrypted backups, iPhone passcodes, and all of the huge privacy leaks in v3.0 are still there. The question is whether Apple will be able to gloss over them all with effective encryption.

    As far as the 3GS, only time will tell if the ‘S’ stands for ‘Security’.

  2. Pingback: Apple iPhone OS 3.0 For The Enterprise - Marco Nielsen at myITforum.com

  3. Histrionic

    Has any of this changed with the iPhone OS 3.1 update, by any chance? I haven’t seen any concrete information on that, and don’t specifically see it mentioned in Apple’s release notes.

  4. admin (Post author)

    Jonathan Zdziarski in a recent webcast (http://www.oreillynet.com/pub/e/1385) has demonstrated that nothing has changed. The encryption on the iPhone 3GS is designed to enable remote wipe, and it works great for this purpose. If the encryption key is wiped, then the data on the device is securely inaccessible.

    However, the encryption is not designed to protect the data from hackers and forensics professionals. The iPhone 3GS essentially decrypts data whenever programs make a request for data.

  5. Pingback: Limitations of Data Protection in iOS 4 | Anthony Vance
