The company now offers software to law enforcement and intelligence agency customers that can read all the data stored on an iOS device.
"Let's make it very clear: no privacy purist should ever use an iPhone," wrote Vladimir Katalov, ElcomSoft chief executive, on the company's web site. "IPhone devices store or cache humongous amounts of information about how, when, and where the device has been used."
What this means practically for users is that any privacy protection they might enjoy will have to be guaranteed by the law of the land, because at $128 for the software, even a cash-strapped police department can afford to read what's on an iPhone.
Although ElcomSoft says it will only sell its software to security agencies, it's not clear how the company would verify the identity of purchasers. As more personal data, including payment information, moves onto handsets, thieves may eventually find what's in the phone as valuable as the hardware itself.
Apple devices since the iPhone 3GS use 256-bit AES encryption to protect their data. Although this is generally considered strong enough to thwart even adversaries armed with supercomputers, ElcomSoft found weaknesses in Apple's implementation that allow it to break the encryption.
ElcomSoft's exploit apparently depends on users opting for "simple" four-digit passcodes (or none at all). Using an eight-digit passcode should thwart the attack and keep the data safe.
Until the most recent iOS update, a bug in Apple's code stored location-related information in an unencrypted database on devices. Those databases were an open secret in the digital forensics world, and law enforcement agencies had reportedly been using them in investigations.
Two researchers then publicized the data, igniting a controversy about location-based privacy that saw representatives of Apple and other tech companies called before Congress.
