Recent releases of Apple's iOS platform, including the latest iOS 7.1.1 update, include a bug that prevents email attachments saved on the device from being properly protected with encryption, and a fix is presumably on the way.
Security researcher Andreas Kurtz revealed last month that he had reported the flaw to Apple, and the company responded by saying it was aware of the issue. To date, the problem has not been fixed, and Apple has not offered a timetable for when it might be addressed.
Apple's statement on the issue simply said, "We're aware of the issue and are working on a fix which we will deliver in a future software update."
Using an iPhone 4, Kurtz was able to verify that the attachments could be read without any encryption or restriction after accessing the device's file system in both iOS 7.1 and iOS 7.1.1. The same vulnerability was then discovered on an iPhone 5s as well as an iPad 2 running iOS 7.0.4. The flaw was highlighted last week by ZDNet.
Apple advertises data protection on its iOS platform for devices that offer hardware encryption, which includes the iPhone 3GS and later, as well as all iPad models. Data encryption can be enabled by turning on a passcode lock on an iOS device.
Exploiting flaw requires physical access or iPhone 4-only jailbreak
Of course, this security flaw requires that a malicious hacker have physical access to the iPhone in order to read the root file system. Accessing the unencrypted attachments requires the device to be placed in "DFU" mode and accessed via SSH. To take that step and exploit the bug, a malicious user would need either the device passcode or a hardware jailbreak of the device.
Apple's latest iOS 7.1.1 release is currently only possible to jailbreak on iPhone 4, according to International Business Times, which notes that "owners of newer iOS devices running iOS 7.1 and above continue to be without luck as no jailbreak has been developed for the latest version of iOS on devices such as the iPhone 5S and iPad Air."
Earlier this month, a separate SSL security flaw was discovered in both iOS and OS X. Apple worked to quickly patch the issue in subsequent updates to both platforms.
26 Comments
This is not very troublesome. Encrypted in transit via ssl. Not on the disk. That's true of OS X too except the file system is easier to navigate. And the encryption on disk wouldn't even help if the hacker had physical access and the password - he'd just have to open mail.
[quote name="asdasd" url="/t/179057/apple-aware-of-email-attachment-encryption-issue-in-ios-7-1-1#post_2527615"]This is not very troublesome. Encrypted in transit via ssl. Not on the disk. That's true of OS X too except the file system is easier to navigate. And the encryption on disk wouldn't even help if the hacker had physical access and the password - he'd just have to open mail.[/quote] It reads to me that if the device is locked they can still gain access to the root file to see the attachments in their unencrypted form. That means that a stolen iPhone isn't as secure as I thought it was as I thought all my personal data was encrypted on disk.
That's what you are supposed to think and what Apple wants you to believe. ANYONE who invests blind trust in a device/software manufacturer with a closed proprietary OS is really too naive to be rescued. Apple, like all of the rest are interested in profit and not in security or privacy. Get your head around that.
It's more serious than you may think at first glance. For one thing, if you THINK a system (any system) is secure, you are wrong in most cases. For another, if you ASSUME your system is NOT 100% secure then you will go into a risk-management mindset and alter your behaviour according to the sensitivity of the data concerned. FFS, it's not rocket science.
[quote name="Taniwha" url="/t/179057/apple-aware-of-email-attachment-encryption-issue-in-ios-7-1-1#post_2527655"]Apple, like all of the rest are interested in profit and not in security or privacy. Get your head around that.[/quote] I can't get my head around why you think these are mutually exclusive.
In fact Apple have spent a lot of time and energy on security on the iPhone. In order to make a profit.