Inside iPhone 3.0's Remote Wipe feature
One of the big security-related features in the iPhone 3.0 software update—at least for those with a MobileMe account—is Find My iPhone’s Remote Wipe command. Should you ever lose your iPhone, you can log in to your MobileMe account on the Web and issue a remote command to securely wipe the phone’s data, making it unrecoverable.
Most people won’t test this feature because you lose the use of your phone until you’re able to connect it to your computer and restore the iPhone’s contents from the most-recent iTunes backup. But we aren’t most people—we get paid to do these very things. And so I took it upon myself to Remote Wipe any and every iPhone and iPod touch I could lay my hands on (or at least every one I could set up my MobileMe account on, since doing so is required for Find My iPhone and Remote Wipe to work).
Getting ready to wipe
Setting up Find My iPhone requires several steps:
- You must set up a MobileMe e-mail account in the iPhone or iPod touch's Mail app.
- You must enable Push in Settings: Mail, Contacts, Calendars.
- You must enable Find My iPhone for that MobileMe e-mail account (Settings: Mail, Contacts, Calendars: [MobileMe account name]).
- Your iPhone or iPod touch must be connected to the Internet.
Note that if you have multiple MobileMe accounts set up on your iPhone or iPod touch, only one can have Push and Find My iPhone enabled.
Once you've set up your device, you can access the Find My iPhone features—including Remote Wipe—by logging in to the MobileMe Web site, clicking on the Account button at the top of the page (which will prompt you to re-enter your account password), and then, on the Account page, clicking on Find My iPhone on the left-hand side.
The MobileMe service will attempt to locate your iPhone or iPod touch and display that location on an onscreen map. Using the Display A Message button, you can send a message to the phone's screen; for example, if you've lost your phone, "This phone belongs to Jane; please call 415-555-1234 for a reward!" Alternatively, if you've just misplaced the phone or iPod somewhere in your house, the same button can make an iPhone or second-generation iPod touch produce a sonar-like sound to help you track it down. (This sound will play even if the phone or iPod is in Silent mode; it won't, however, be audible if you're not in Silent mode but you have the ringer/volume turned down all the way.)
But the feature we're interested in here is Remote Wipe. Click on this button, and you'll get an appropriately ominous warning that proceeding will permanently erase all data and settings. You actually have to check an "I understand" box and then click another button to continue. The good news is that, as I alluded to above, if you end up recovering your phone or iPod, you can fully restore it from the latest iTunes backup by just connecting the device to your computer—a compelling argument for regularly syncing your iPhone or iPod touch with iTunes.
(Whichever Find My iPhone option you choose—message, sound, or wipe—you'll get an e-mail at your MobileMe address when the command is received by the device.)
Remote Wipe: fast or slow?
The process of erasing the memory of an iPhone or iPod touch is surprisingly easy (and oddly pleasing, in a Men-In-Black, “look right at the light” kind of way). But after wiping three or four devices, I noticed something that Apple doesn’t tell you in the Find My iPhone/Remote Wipe documentation: The time it takes to “wipe” an iPhone or iPod touch varies greatly depending on the model. When I sent the wipe command to an iPhone 3GS, it took a minute or less for the process to complete. But when I sent the command to an older iPhone or to any iPod touch, it took more than two hours.
Why the difference? If you followed our WWDC keynote coverage last month, or watched the keynote later in iTunes, you may recall that the iPhone 3GS includes hardware encryption, so all data is encrypted on the fly. This means that for the iPhone 3GS, Remote Wipe doesn’t need to actually wipe the phone’s entire contents; it simply needs to delete—securely—the encryption key, a process that’s nearly instantaneous. Without the encryption key, your data is as good as wiped.
With older iPhones and both iPod touch models, however, your data isn’t encrypted, so a Remote Wipe really does need to securely delete every last bit. If you’ve ever used the Finder’s Secure Empty Trash feature on more than a few files, you know how long the operation can take. Apply that process to several gigabytes of data, and you’re talking—whaddyaknow?—several hours of churning. Indeed, Apple confirmed to Macworld that this explains the difference in Remote Wipe times, with secure erasure requiring approximately one hour for every 8GB of unencrypted data.
How secure is it?
This raises the obvious security question: What if this long wipe process is interrupted? In the interest of science, I force-rebooted a second-generation iPod touch—by holding down the Home and Sleep/Wake buttons for approximately 10 seconds—immediately after the wipe started. It indeed rebooted…right back to the Home screen, where all my apps and data were easily accessible. (This iPod touch didn’t have a screen-lock password. If you want to be sure your data is at all safe, you must set a password. Otherwise, a would-be thief can simply open the Settings app and disable Find My iPhone to prevent you from sending a wipe command.)
Alarmed, I tried again, but this time I waited 15 seconds after the wipe started before I initiated the force-reboot process. This time when the iPod touch restarted, the silver Apple logo remained on the screen indefinitely, which is supposed to indicate a wipe in progress. I force-rebooted two more times, with the same result. It appears—though I can’t confirm, since I can't see exactly what’s happening inside the device—that once you pass a certain window, the wipe proceeds, even if you force-reboot.
That’s not to say that this very short window of opportunity is the only vulnerability of the Remote Wipe feature. As Jonathan Zdziarski, the author of iPhone Forensics, points out, someone can force-reboot the iPhone or iPod touch at any point during this lengthy wipe process, put the device into recovery mode, and restore the device's OS in iTunes. This leaves any not-yet-wiped personal files and data accessible to forensic-recovery tools. (The good news is that most people don't have, or know how to use, such tools, and the data is otherwise inaccessible.)
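The two wipe styles described above, and the reason an interrupted overwrite leaves data behind, modeled in Python as an added example that is not from the article or from Apple. The Flash class, the toy XOR keystream standing in for the iPhone 3GS's hardware encryption, and the block counts are all assumptions made for illustration.

```python
import hashlib
import os

def xor_block(key: bytes, index: int, data: bytes) -> bytes:
    """Toy cipher (assumption): XOR with a SHA-256 keystream, standing in for hardware AES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        seed = key + index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Flash:
    """Hypothetical model of device storage; key=None means data is stored unencrypted."""
    def __init__(self, plaintext_blocks, key=None):
        self.key = key
        self.blocks = [xor_block(key, i, b) if key else b
                       for i, b in enumerate(plaintext_blocks)]

    def overwrite_wipe(self, interrupt_after=None):
        """Zero blocks in order; stop early to model a force-reboot. Returns blocks written."""
        for i in range(len(self.blocks)):
            if interrupt_after is not None and i >= interrupt_after:
                return i
            self.blocks[i] = bytes(len(self.blocks[i]))
        return len(self.blocks)

    def crypto_erase(self):
        """Destroy only the key: one small write, independent of storage size."""
        self.key = None

    def recoverable(self, originals):
        """Blocks readable from raw storage plus whatever key is still on the device."""
        count = 0
        for i, (raw, orig) in enumerate(zip(self.blocks, originals)):
            plain = xor_block(self.key, i, raw) if self.key else raw
            count += plain == orig
        return count

def demo():
    originals = [os.urandom(64) for _ in range(16)]     # constructed sample data
    legacy = Flash(originals)                            # older device: plaintext at rest
    written = legacy.overwrite_wipe(interrupt_after=5)   # wipe cut short by a reboot
    left = legacy.recoverable(originals)                 # blocks never reached by the wipe
    encrypted = Flash(originals, key=os.urandom(32))     # 3GS-style: ciphertext at rest
    before = encrypted.recoverable(originals)
    encrypted.crypto_erase()
    after = encrypted.recoverable(originals)
    return written, left, before, after
```

In this model the interrupted overwrite reaches 5 of 16 blocks and leaves the other 11 readable, while deleting the key makes all 16 encrypted blocks unreadable in a single step.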
Another issue is that, as mentioned above, in order for your iPhone or iPod touch to receive a Remote Wipe command, the device must be connected to the Internet. If a thief is more interested in your data than the hardware, removing an iPhone’s SIM card takes the phone off the grid with the exception of Wi-Fi connections. If the thief can access the Settings app, he or she can also disable Wi-Fi to prevent an iPhone or iPod touch from automatically connecting to nearby Wi-Fi networks. (Again, this emphasizes the importance of setting a screen-lock password.)
In other words, you shouldn’t feel completely safe just because you have Find My iPhone enabled. But at least now you know how it works—and why some wipes are quicker than others.
Updated 7/15/09, 10:45am: Clarified Push setting requirement.