Wednesday, February 16, 2011

Securing your iPad and iPhone4

I'm often asked how IT departments should advise users to secure their iPads and iPhone 4 devices.

Here's the process suggested by my security team:

1. Make sure you're running the latest iOS version (4.2.1 currently)
2. Download "Find My iPhone" (free app) from the Apple App Store. Log in or set up a new MobileMe account and add the iPad to be tracked. Also try it out from a desktop to make sure you can (as a test) send a message to the device.
3. Make sure the iPad autolocks, requires a long passcode and erases data after 10 failed passcode attempts.
    In Settings->General, configure:
    a. Auto-Lock: set to something short, like 2-5 minutes (NOT "Never")
    b. Passcode Lock:
        1. Turn Passcode On
        2. Require Passcode: Immediately
        3. Simple Passcode: Off (then set a long passcode)
        4. Picture Frame: Off
        5. Erase Data: On
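For an IT department that would rather push these settings than ask each user to tap through them, here is the same policy expressed as an iOS configuration profile. This is an added example, not part of the original post: the identifiers, the UUID placeholders, and the minimum length chosen for a "long" passcode are assumptions, and the Picture Frame setting (step b.4) is not carried by this payload and still has to be set by hand.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.passcode</string> <!-- assumed identifier -->
      <key>PayloadUUID</key>
      <string>PLACEHOLDER-UUID-1</string> <!-- replace with a generated UUID -->
      <key>PayloadDisplayName</key>
      <string>Passcode policy</string>
      <!-- step b.1: Turn Passcode On -->
      <key>forcePIN</key>
      <true/>
      <!-- step b.2: Require Passcode: Immediately (0 minutes of grace) -->
      <key>maxGracePeriod</key>
      <integer>0</integer>
      <!-- step b.3: Simple Passcode: Off; 8 alphanumeric chars is an assumed minimum -->
      <key>allowSimple</key>
      <false/>
      <key>requireAlphanumeric</key>
      <true/>
      <key>minLength</key>
      <integer>8</integer>
      <!-- step a: Auto-Lock at most 5 minutes; users may pick shorter but not "Never" -->
      <key>maxInactivity</key>
      <integer>5</integer>
      <!-- step b.5: Erase Data after 10 failed passcode attempts -->
      <key>maxFailedAttempts</key>
      <integer>10</integer>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.ios-baseline</string> <!-- assumed identifier -->
  <key>PayloadUUID</key>
  <string>PLACEHOLDER-UUID-2</string> <!-- replace with a generated UUID -->
  <key>PayloadDisplayName</key>
  <string>iPad/iPhone baseline</string>
</dict>
</plist>
```

The keys above are caps: a user can still choose a shorter Auto-Lock or a longer passcode than the profile demands, but cannot weaken the settings below them while the profile is installed.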

If the iPad is stolen, was locked at the time, and the thief does not have unencrypted access to any other device that had previously synced with the iPad (a Mac/PC), the data can be considered "safe". The user should use "Find My iPhone" to issue a remote wipe as soon as possible. This will of course work better over 3G, but should still be done if it's a wifi-only model.

They should also change any application or institutional passwords that may have been cached on their mobile device.

This will protect against likely attacks in the near-term. That is, if someone finds your iPad and taps around looking for emails, pictures, etc., they can't get in. If they hook it up to a desktop, they won't be able to read anything on the filesystem.

This method should meet the standards of safe harbor, as it includes encryption, "best practice" guidelines, and could be considered reasonable.

A few things to be aware of:

The certificates necessary to bypass the passcode screen are saved on your computer when you sync the iPad.

The hardware encryption used to protect the filesystem (and the passcode) is based on an encryption key known to Apple. They routinely unlock devices for law enforcement (with a court order).

Current acquisition guidelines for forensic examiners state that the SIM card should be immediately removed and the device placed in a Faraday bag to prevent remote wiping (iOS Forensic Analysis for iPhone, iPad and iPod touch, Sean Morrissey, Apress 2010, 978-1-4302-3342-8). Expect attackers to do the same.

Cellebrite claims to be adding support for extracting encrypted, passcode locked images from iOS devices with their UFED Physical capture device. Details are a bit hazy on how they're actually accomplishing this, but expect others to follow suit once it's released. Expect hackers to take full advantage of this.

There are many background network-based operations constantly running in iOS when the screen is off (and passcode locked). Assuming the device has not been remotely wiped, it would be possible to observe these network connections and extract usernames and passwords. This shouldn't be a problem for most institutional credentials, which require network encryption for authentication, but an observer may be able to harvest passwords to other email or social networking services.

The cab driver who found your phone/iPad probably doesn't have the hardware, technical forensic knowledge or any ability to monetize extracted data. But the guy running the data mining operation buying from him in bulk probably does.

A better protection scheme would be something that applies encryption to stored data in user-space. This is the realm of the Good Technology product, MobileIron and others.
