The devil in iOS 5's security detail

A little over a week since Apple released iOS 5, I thought I would review some of the new functionality and security on the platform in general.

I began by revisiting the encryption Apple promises and whether they have fixed the issue that I first wrote about in May 2010.

According to the "iPad in Business: Security" document on Apple's website:

"iPad provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection."

This type of misleading statement shows how the specific meaning of a statement might imply that all of your data is protected where the reality is the devil is in the implementation details.

iOS 5 devices have the exact same implementation flaw of the AES 256 encryption as iOS 4. While the data is encrypted, iOS provides unfettered access without knowing the passcode or posessing the encryption keys.

 

All media (photos, videos, sound recordings and music) can be accessed from a computer that can speak Apple's control protocol without any authentication, even if the device is locked.

Another issue that has come to light this week is the ability to bypass the lock screen on an iPad 2 using a Smart Cover.

9 to 5 Mac have published a video demonstrating the technique which is quite trivial to do.


Fortunately, there is a workaround and iPad 2 users can change their settings to disable auto-unlock when opening the Smart Cover.

In addition to Siri being enabled by default when the device is locked, there is another similar related flaw.

The website MacNotes.DE wrote an article describing how to make unauthorised outgoing phone calls with someone's locked iPhone with iOS 5. You can make a call without unlocking if you have a missed call notification.

If you were to forge your caller ID (somewhat trivial for VoIP users) you could call someone's iPhone with a number you wanted to call out to and then just tap the screen to dial the number.

I hope Apple is taking note and updates iOS to resolve these issues soon.

None of these issues are catastrophic, but all of them raise concerns for data loss and require iPhone/iPad users to pay extra attention to who physically has access to their devices.

Chester Wisniewski is a Senior Security Advisor at Sophos. You can read the Sophos blog here.

More from Business Spectator