Russian security firm cracks iOS 4's hardware encryption

By on May 25, 2011, 5:48 PM

A Russian security firm has announced the first commercially available toolkit capable of cracking the encryption and passwords on Apple's latest mobile devices. ElcomSoft says its software can bypass the security that protects data such as SMS messages, pictures, emails, geolocation data, web browsing history on the iPhone 3GS, iPhone 4 as well as recent iPods and iPads.

Starting with iOS 4, Apple has employed a hardware encryption system called Data Protection that stores a user-defined password on an embedded chip using 256-bit AES encryption. What's more, files stored on iOS 4 are secured with a device-specific encryption key known as a unique ID or UID. Naturally, ElcomSoft's toolkit obtains these keys -- one way or another.

Although the company didn't offer any great details on how its software procures a device's UID, it noted that the default "Simple passcode" option used by Apple's device can be bruteforced with relative ease as it only requires a four-digit password. With only 10,000 possible combinations, an iPhone 4's passcode can be hacked in 20 minutes (40 minutes being the longest).

If the user's passcode can't be bruteforced outright, the firm's toolkit can obtain a device's escrow keys. "Escrow keys are created and stored by the iTunes when you first plug an iOS device to the computer. Having a set of escrow keys collected from a computer to which an iOS device was once connected gives the same powers as knowing the passcode," ElcomSoft explained.

ElcomSoft's software won't be available to everyone, considering it can unlock essentially all of the personal data someone might have on an iOS device. The company says it will only sell its tools to established law enforcement, forensic and intelligence agencies, and "select" government organizations. That said, ElcomSoft does publicly sell an iOS-compatible "password breaker."




User Comments: 16

Got something to say? Post a comment
Win7Dev said:

Well, the iphone (not sure if it was 4 or not) already had a way to bypass the passcode and be able to send texts, make calls, send emails, and view all contacts in the phone just by holding the device. See here: [link]

spydercanopus spydercanopus said:

The iphone is the perfect tracking device for government and citizens alike. The fact you can't remove the battery allows it to listen in any time. FBI have officially stated they have the ability to turn on your phone's microphone even when it's off since the 9-11 false flag attack.

davin8r said:

spydercanopus said:.....since the 9-11 false flag attack.

(rolls eyes)

Lurker101 said:

So how long till someone makes a 1984 reference in this thread?

gwailo247, TechSpot Chancellor, said:

Lurker101 said:

So how long till someone makes a 1984 reference in this thread?

Because of the Russian boycott of the Olympics?

princeton princeton said:

davin8r said:

spydercanopus said:.....since the 9-11 false flag attack.

(rolls eyes)

Yah he didn't do a good job trying to make this a tin foil hat thread.

Trillionsin Trillionsin said:

Likely not the last time they crack some type of communications or technological circuit or whatever I dont know what I'm really talking about....

BrianUMR said:

They didn't crack the hardware encryption. They figured out most people use a 4 number pass code and it brute forces the pass code. With that logic you could say all encryption has been hacked if you have the time.

aj_the_kidd said:

Although the company didn't offer any great details on how its software procures a device's UID, it noted that the default "Simple passcode" option used by Apple's device can be bruteforced with relative ease as it only requires a four-digit password

@BrianUMR

It talked about one aspect the software can do, not all, in-case you missed that

FYI cryptography has gotten well pass the days of brute force being in issue

Guest said:

It seems like every website, mobile device, game, etc. can and has been penetrated/hacked at some point or another...I also feel computer and network security is a bigger issue than it really 'should' be..uh oh, I'm playing the 'should' game..

Show me a device or breakthrough in security that yields computers, devices "unhackable" (if thats even possible) and I say theres something worth writing an article about.

LOL with everybody else at iphone govt. statement. Sure they can access the data if they need to (criminal investigation), but get real with thinking that somebody is sitting in an office tracking your every move..your probably not that important.

example1013 said:

They didn't break the encryption, they found ways to get around it. This isn't like someone figuring out the password to a vault, this is like someone turning intangible and walking through the door.

foreverzero89 said:

spydercanopus said:

The iphone is the perfect tracking device for government and citizens alike. The fact you can't remove the battery allows it to listen in any time. FBI have officially stated they have the ability to turn on your phone's microphone even when it's off since the 9-11 false flag attack.

yup, that about sums it up.

PinothyJ said:

gwailo247 said:

Lurker101 said:

So how long till someone makes a 1984 reference in this thread?

Because of the Russian boycott of the Olympics?

You win 2+ internets...

Guest said:

Instead of replying to spydercanopus's comment with cheeky remarks, why don't any of you provide real facts that show he is wrong?

princeton princeton said:

Guest said:

Instead of replying to spydercanopus's comment with cheeky remarks, why don't any of you provide real facts that show he is wrong?

That isn't how an argument works. If he presents something as fact HE needs to put evidence to back it up. Evidence has already supported claims against his, we don't need to provide jack shit.

Jibberish18 said:

That said, ElcomSoft does publicly sell an iOS-compatible "password breaker."

This made me chuckle.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.