Re: [Fed-Talk] Really, Truly Wiping an Iphone
- Subject: Re: [Fed-Talk] Really, Truly Wiping an Iphone
- From: Jon Callas <email@hidden>
- Date: Wed, 12 Sep 2012 22:44:25 +0000
- Thread-topic: [Fed-Talk] Really, Truly Wiping an Iphone
On Sep 12, 2012, at 11:38 AM, Marcus, Allan B wrote:
> How long does this secure erase take? (on say a 32GB device)
>
> I was under the impression the Erase All Content just deletes the
> encryption keys. If it's just the encryption keys, couldn't the content be
> resurrected?
>
> I looked into a product called iErase (by Zdziarski, so you know it's
> good). Do you think that is needed, or is the "Erase All Content and
> Settings" truly an overwrite erase?
The way that the flash protection works is that every device has an in-hardware AES key that is burned into the mini-HSM that is part of the device. That mini-HSM exists on the 3GS and later, which means that it is not in the original iPhone nor the iPhone 3G (and their iPod Touch analogues). But the following is true for all the other iOS devices.
Nothing can use that hardware key directly, and presently only Apple software can even use that key (unless jailbroken, of course). There is also a per-epoch AES key that is put into "effaceable" storage. By epoch I mean every time the device is initialized, restored from backup, etc. Effaceable storage is a small area of flash memory that is really, really erased when it is erased. There is no wear-leveling done on that storage. Further on in the storage system there are other key bags that mix together the hardware key, the epoch key, and other keys that describe containers, Content Protection levels, and so on and so forth.
When you Erase All Content, the effaceable storage is wiped. The epoch key and anything else that's been put there is gone. It's not an overwrite of all of flash, but if you believe that AES really works or you believe that the erasure of effaceable storage really works, then you're safe. To undo the wipe you have to have both the hardware key and the epoch key. If someone reads the raw bits of all of flash, it's unusable without the hardware key, which requires you either to pry the hardware apart, and by that I don't mean pull the case apart, I mean pull the mini-HSM apart.
This is powerful because it means that you have to have the device to break into it. Of course, if you're erasing the device because you want to sell it on eBay, this doesn't help you. But unlike your laptop, where if they clone your disk, they have attacks on it absent the rest of the machine, the attacker has to seize your iPhone.
If you have doubts about effaceable storage, then sure, you could use some other program to erase the storage. But that program is going to have to jailbreak the device and do its stuff. Because of wear leveling, there's no guarantee that any given flash write will actually erase the flash. In the vast majority of cases, it will, but I point this out because there's no sense in doing this if you trust effaceable storage. If you don't trust that, you should be worrying about wear leveling too.
Yes, that provides an additional layer of protection. Heck, it's only a $5.99 app. If you have a policy that says you need to do an actual wipe, even better. I won't argue at all that "just feeling better" is worth six smackers.
But the bottom line is this: if you believe that Apple is writing to flash correctly, then it's superfluous. It is merely checking a box, or having a teddy bear to hug. If you don't believe that Apple is writing to flash correctly, how does this app fix the problem?
Jon
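A simplified model of the key arrangement described in the message above, added here as an illustration; it is not Apple's implementation and not code from the original post. The class and function names are hypothetical, and HMAC-SHA256 stands in for the hardware AES engine so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES (assumption): HMAC-SHA256 in counter mode as keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = prf(key, nonce + (i // 32).to_bytes(8, "big"))
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyDevice:
    """Hypothetical model: hardware key + epoch key protect bulk flash."""

    def __init__(self):
        self._hardware_key = secrets.token_bytes(32)  # never leaves the device
        self.effaceable = {"epoch_key": secrets.token_bytes(32)}
        self.flash = {}  # bulk flash: name -> (nonce, ciphertext, tag)

    def _keys(self):
        epoch = self.effaceable.get("epoch_key")
        if epoch is None:
            raise LookupError("epoch key erased")
        # Both keys are mixed; neither one alone yields the data keys.
        root = prf(self._hardware_key, epoch)
        return prf(root, b"enc"), prf(root, b"mac")

    def write(self, name: str, plaintext: bytes) -> None:
        enc, mac = self._keys()
        nonce = secrets.token_bytes(16)
        ct = xor_stream(enc, nonce, plaintext)
        self.flash[name] = (nonce, ct, prf(mac, nonce + ct))

    def read(self, name: str) -> bytes:
        enc, mac = self._keys()
        nonce, ct, tag = self.flash[name]
        if not hmac.compare_digest(tag, prf(mac, nonce + ct)):
            raise ValueError("wrong keys for this flash content")
        return xor_stream(enc, nonce, ct)

    def erase_all_content(self) -> None:
        self.effaceable.clear()  # only the small key area; flash is untouched

    def new_epoch(self) -> None:
        self.effaceable["epoch_key"] = secrets.token_bytes(32)
```

After `erase_all_content()` the ciphertext in `flash` is byte-for-byte unchanged, yet `read()` fails both before and after `new_epoch()`; a copy of `flash` plus the epoch key loaded into a different `ToyDevice` also fails, because that device has a different hardware key.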