Wednesday, February 16, 2011

Securing your iPad and iPhone4

I'm often asked how IT departments should advise users to secure their iPads and iPhone4's.

Here's the process suggested by my security team:

1. Make sure you're running the latest iOS version (4.2.1 currently)
2. Download "Find My iPhone" (free app) from the Apple App Store. Log in or set up a new Mobile Me account and add the iPad to be tracked. Also try it out from a desktop to make sure you can (as a test) send a message to the device.
3. Make sure the iPad autolocks, requires a long passcode and erases data after 10 failed passcode attempts.
    In Settings->General, configure:
    a. Auto-Lock: set to something short, like 2-5 minutes (NOT "Never")
    b. Passcode Lock:
        1. Turn Passcode On
        2. Require Passcode: Immediately
        3. Simple Passcode: Off (then set a long passcode)
        4. Picture Frame: Off
        5. Erase Data: On

If the iPad is stolen, was locked at the time, and the thief does not have unencrypted access to any other device that had previously synced with the iPad (a Mac/PC), the data can be considered "safe".   The user should use "Find My iPhone" to issue a remote wipe as soon as possible. This will of course work better over 3g, but should still be done if it's a wifi-only model.

They should also change any application or institutional passwords that may have been cached on their mobile device.

This will protect against likely attacks in the near-term. That is, someone finds your iPad, taps around looking for emails, pictures, etc, they can't get in. If they hook it up to a desktop, they won't be able to read anything on the filesystem.

This method should meet the standards of safe-harbor, as it includes encryption, "best practice" guidelines, and could be considered reasonable.

A few things to be aware of:

The certificates necessary to bypass the passcode screen are saved on your computer when you sync the iPad.

The hardware encryption used to protect the filesystem (and the passcode) are based on an encryption key known to Apple. They routinely unlock devices for law enforcement (with a court order).

Current accusation guidelines for forensic examiners state that the SIM card should be immediately removed and the device be placed in a Faraday bag to prevent remote wiping (iOS Forensic Analysis for iPhone, iPad and iPod touch, Sean Morrissey, Apress 2010, 978-1-4302-3342-8). Expect attackers do the same.

Cellebrite claims to be adding support for extracting encrypted, passcode locked images from iOS devices with their UFED Physical capture device. Details are a bit hazy on how they're actually accomplishing this, but expect others to follow suit once it's released. Expect hackers to take full advantage of this.

There are many background network based operations constantly running in iOS when the screen is off (and passcode locked). Assuming the device has not been remotely wiped it would be possible to observe these network connections and extract username/passwords. This shouldn't be a problem for most institutional credentials, which require network encryption for authentication, but an observer may be able to harvest passwords to other email or social networking services.

The cab driver who found your phone/ipad probably doesn't have the hardware, technical forensic knowledge or any ability to monetize extracted data. But the guy running the data mining operation buying from him in bulk probably does.

A better protection scheme would be something that applies encryption to stored data in user-space.    This is the realm of the Good Technologies product, MobileIron and others.


Ahier said...

Thanks John! Just got an iPad for my birthday and this was very helpful. Also, since we are seeing greater adoption in healthcare this will continue to be an important topic.

Donald said...

I recommend the Find My iPhone because it is so useful when iphone has been stolen. But The passlock of autolock feature sometimes fail. I tried making a lock code when the autlock feature activated, then even I entered the correct lock code, my iphone was disabled. I restored it using itunes. It now works fine. Anyway, this tip for securing iPhone is great, thanks John!

Mallesh Murugesan said...

Great Article. Thanks. We are implementing 100 + iPads into our environment. In our initial testing, we found that using a MDM software provides tremendous capability in managing the device and tracking lost devices, especially when you are dealing in that volume. Some issues we are facing are: 1. controlling download of apps and payment method for those. 2. no way to remote log in into them to troublshoot.
Any thoughts?

Jeremy said...

This is a helpful article. I was surprised to see, however, that there wasn't much mention of the critical first step to securing your iPad - theft prevention. The tactics you mention are great ways of prepping your iPad in case it gets stolen, but it's even more important to ensure that it doesn't get stolen! At our school we've been using Datamation System products to secure, sync, and charge our iPads...I'd recommend checking them out for those of you who came to this page looking for physical iPad security. You can find them at