Security risk theater
A new “explosive” security risk is going around the blogosphere, and people are having a field day with it. To quote Wired magazine:
You’re a smart, safety-conscious iPhone user, right? You keep the phone set to require a 4-digit passcode every time it wakes up, so if you ever lose your baby, all your personal information is safe. But if you are running v2.0.2 of the iPhone operating system, you might as well not bother. A simple hack will get anybody past your PIN code with free access to all your mail, contacts and bookmarks. Ouch!
The title of the article? “Massive iPhone Security Flaw Exposes Your Private Data – Here’s the Fix”
That is a remarkably poor grasp of the issue. Anyone who works in security knows the rule: once someone has physical possession of a computer or device, the software running on it no longer gets the final say. A lock-screen PIN or password is exactly that, a check enforced by software on the device, and an attacker holding the hardware can go around the check rather than through it, for instance by pulling the data off the storage directly. Is this particular bypass easier than it should be? Yes. But it is not the doom scenario the “journalists” would have you believe.
How do you deal with this? In theory you could encrypt everything on the phone under a key derived from the PIN, so that nothing is readable until the PIN “unlocks” it, and clear the decrypted data from memory whenever the phone locks. That only helps as far as the PIN itself holds up, though. A 4-digit PIN has exactly 10,000 possible values, and an attacker who can copy the encrypted data off the device and test guesses on their own hardware gets through all 10,000 in a trivial amount of time. The picture changes only if guesses are forced to go through the device, where they can be counted, slowed down, or met with a wipe; against an offline attack, a 4-digit PIN is not a meaningful key.
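To put numbers on the 10,000-guess point, here is an added example; it is mine, not the post’s, and not a description of how the iPhone or any real phone stores its passcode. It models a hypothetical device that stretches the passcode with PBKDF2-HMAC-SHA256 and persists a random salt plus an HMAC “verifier” it can check a candidate key against. The offline search walks the full 4-digit space against a verifier the attacker has copied off the device, while the same search routed through a device that wipes after 10 failed attempts stops at 10 guesses. The key derivation, verifier construction, iteration count, lockout threshold and the sample passcode 2008 are all assumptions for illustration.

```python
import hashlib
import hmac
import os
from itertools import product
from typing import Optional, Tuple

# Toy model only: a hypothetical device that stretches the passcode into a key
# with PBKDF2-HMAC-SHA256 and stores a salt plus an HMAC "verifier" so it can
# check a candidate key. This is an illustration, not how any real phone works.
ITERATIONS = 64      # deliberately low so the search below runs in well under a second
KEY_LEN = 32
DIGITS = "0123456789"


def derive_key(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passcode into a 256-bit key. Stretching raises the cost of each
    guess but does nothing about how few guesses there are to make."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=KEY_LEN)


def verifier_for(key: bytes) -> bytes:
    """Tag the device persists so it can recognise the right key without storing it."""
    return hmac.new(key, b"passcode-verifier", hashlib.sha256).digest()


def protect(passcode: str) -> Tuple[bytes, bytes]:
    """What the device writes to flash: a random salt and the verifier for this passcode."""
    salt = os.urandom(16)
    return salt, verifier_for(derive_key(passcode, salt))


def offline_brute_force(salt: bytes, verifier: bytes, alphabet: str = DIGITS,
                        length: int = 4) -> Tuple[Optional[str], int]:
    """Attacker has copied salt+verifier off the device and tests guesses on their own
    hardware: nothing counts or throttles the attempts. Returns (passcode, guesses)."""
    guesses = 0
    for chars in product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        if hmac.compare_digest(verifier_for(derive_key(candidate, salt)), verifier):
            return candidate, guesses
    return None, guesses


class LockedDevice:
    """Same key scheme, but every guess must go through the device, which wipes the
    verifier (and with it the data) after MAX_FAILED wrong attempts in a row."""

    MAX_FAILED = 10   # assumed lockout threshold

    def __init__(self, passcode: str) -> None:
        self.salt, self.verifier = protect(passcode)
        self.failed = 0
        self.wiped = False

    def try_unlock(self, passcode: str) -> bool:
        if self.wiped:
            return False
        if hmac.compare_digest(verifier_for(derive_key(passcode, self.salt)), self.verifier):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.MAX_FAILED:
            self.wiped = True
            self.verifier = b""   # data is gone; no further guess can ever match
        return False


def online_brute_force(device: LockedDevice, alphabet: str = DIGITS,
                       length: int = 4) -> Tuple[Optional[str], int]:
    """Same search as offline_brute_force, but each guess goes through the lockout.
    Returns (passcode, guesses)."""
    guesses = 0
    for chars in product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        if device.try_unlock(candidate):
            return candidate, guesses
        if device.wiped:
            return None, guesses
    return None, guesses


if __name__ == "__main__":
    salt, tag = protect("2008")                                   # constructed sample passcode
    print("offline:", offline_brute_force(salt, tag))             # ('2008', 2009)
    print("online: ", online_brute_force(LockedDevice("2008")))   # (None, 10)
    print("6-char alphanumeric key space:", len(DIGITS + "abcdefghijklmnopqrstuvwxyz"
                                                + "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ** 6)  # 56800235584
```

Running it shows the asymmetry the paragraph is about: stretching only raises the per-guess cost, which over 10,000 guesses is negligible even at a far higher iteration count than the 64 used here, so what decides the outcome is whether the attacker can take the guessing off the device at all, and failing that, how long the passcode is.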
In the end, it’s just like anything else that carries your personal data: keep an eye on it and protect it. If this “vulnerability” were exploitable remotely, without anyone having to hold the phone, it would be a much bigger deal. As it is, it’s a coding mistake, one worth fixing, but hardly the end-of-the-world scenario it’s made out to be.
As for the implicit comparison to the BlackBerry, has anyone actually examined the BlackBerry with the same zeal people bring to breaking Apple gear? Perhaps; perhaps not.
This entry was posted at 2:08 pm on 27 August 2008 and is filed under Security.