ElcomSoft, a Russian computer security firm that specializes in cracking passwords and circumventing encrypted systems, has found a way past iOS 4's hardware encryption. In around 20 minutes its tool can recover the passcode that protects all of the data on your iPhone; ElcomSoft, in other words, can now access your passwords, call logs, surfing history, photos, geographic movements, and even deleted files. The tool is sold to intelligence agencies and forensic organizations.

The good news is that ElcomSoft's technique requires physical access to your iPhone, iPad, or iPod touch, because the passcode guessing has to run on the device's own encryption hardware. The bad news is that if the attacker (a government agency, say) also has access to the computer that holds your iTunes installation, the encryption can be cracked almost instantaneously.

But how did ElcomSoft crack Apple's AES-256 industry-standard encryption? The secret, much like Geohot's prodigious jailbreak of the PlayStation 3, relies on a hardware-level attack. AES-256 is an industry standard because brute-forcing a random 256-bit key is practically impossible, but ElcomSoft doesn't attack the encrypted data or the cipher; it attacks the weakest input to the system, the passcode. The data on an iOS 4 device is encrypted under a key derived from your passcode, tangled with a key unique to the device that lives inside its hardware encryption engine. With the default 4-digit passcode there are only 10,000 possible candidates, and because the device-unique key never leaves the chip, those candidates cannot be tested on a fast PC: ElcomSoft instead drives the device's own hardware encryption engine to try every passcode, which takes around 20 minutes. Once the correct passcode key has been derived, the complete file system is laid bare and can be analysed using conventional forensic tools like AccessData's FTK or Guidance's EnCase.
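To make the arithmetic behind that paragraph concrete, here is an added example (not ElcomSoft's tool, and not Apple's actual key derivation) that models the scheme in miniature: a passcode key that is tangled with a device-only secret, a keybag check value the device uses to recognise the right passcode, an exhaustive sweep of the 4-digit space, and the time such a sweep costs at the reported 20-minutes-per-10,000-guesses rate, projected onto the longer passcode the article later recommends. The device key, the PBKDF2-based derivation, the HMAC check value and the passcode are all constructed for the example.

```python
import hashlib
import hmac
import itertools
import string

# Constructed stand-in for the per-device key fused into the AES engine.
# On a real device this value never leaves the chip; here it is an arbitrary
# constant so the example can run offline.
DEVICE_UID_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)

# Iteration count for the toy derivation. Kept small so a full 10,000-guess
# sweep finishes in seconds; on the real hardware the per-guess cost is fixed
# by the engine, which is what sets the 20-minute figure.
KDF_ITERATIONS = 100


def derive_passcode_key(passcode: str, uid_key: bytes) -> bytes:
    """Toy passcode key: PBKDF2 over the passcode, salted with the device secret.

    Binding the derivation to uid_key is what forces the brute force onto the
    device: without uid_key an attacker cannot reproduce the key on a PC.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid_key, KDF_ITERATIONS, dklen=32)


def keybag_check_value(passcode: str, uid_key: bytes) -> bytes:
    """Verification tag a keybag would store so a wrong passcode can be rejected."""
    key = derive_passcode_key(passcode, uid_key)
    return hmac.new(key, b"keybag-verification", hashlib.sha256).digest()


def brute_force_passcode(check: bytes, uid_key: bytes,
                         alphabet: str = string.digits, length: int = 4):
    """Try every passcode of the given alphabet and length, in order, until
    the check value matches. Returns (passcode, attempts), or (None, attempts)
    if the whole space is exhausted without a match."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        attempts += 1
        if hmac.compare_digest(keybag_check_value(candidate, uid_key), check):
            return candidate, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes an exhaustive search has to cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every candidate at a fixed on-device guess rate."""
    return keyspace(alphabet_size, length) * seconds_per_guess


# 20 minutes for the 10,000 four-digit codes, as reported, is 0.12 s per guess.
REPORTED_SECONDS_PER_GUESS = 20 * 60 / 10_000


if __name__ == "__main__":
    # Constructed victim: a four-digit passcode and the check value its keybag would hold.
    secret_passcode = "7391"
    check = keybag_check_value(secret_passcode, DEVICE_UID_KEY)

    found, tries = brute_force_passcode(check, DEVICE_UID_KEY)
    print(f"recovered passcode {found} after {tries} guesses")
    minutes = seconds_to_exhaust(10, 4, REPORTED_SECONDS_PER_GUESS) / 60
    print(f"full sweep of 4-digit codes at 0.12 s/guess: {minutes:.0f} min")
    years = seconds_to_exhaust(62, 8, REPORTED_SECONDS_PER_GUESS) / (365.25 * 24 * 3600)
    print(f"same rate, 8-character alphanumeric passcode: about {years:,.0f} years")

    # An off-device attempt with a guessed device key never matches the stored
    # check value, which is why the guesses have to go through the real engine.
    assert keybag_check_value(secret_passcode, b"\x00" * 32) != check
```

The sweep finds "7391" on guess 7,392 because candidates are tried in order from 0000; at 0.12 s per guess the whole 4-digit space costs 1,200 s, matching the article's 20 minutes, while an 8-character alphanumeric passcode (62 symbols) has about 2.2 × 10^14 candidates and would take on the order of 800,000 years at the same rate.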

With escrow keys, the pairing credentials that iTunes keeps on file so it can bond with an iOS device and make backups, you don't even have to brute force the passcode. The escrow keys can be retrieved simply by looking up the device's unique identifier in an iTunes storage file on the computer, a process that appears to be straightforward and protected by no security mechanism of its own, though ElcomSoft doesn't give any further details. These escrow keys provide just as much access to the file system as the passcode-derived key.

Should you be worried? No, unless you think the government has a reason for decrypting your iPhone. While breaking the encryption is fairly easy, making a copy of your phone's file system for analysis can take hours. If you keep your phone physically secure (as long as it doesn't "disappear" for a couple of hours, only to reappear in your jacket pocket), there's no reason you should be worried. If you're the paranoid type, though, you should completely remove iTunes from your system (Windows or Mac), or at least never pair the device with a computer, so that no escrow keys exist to be looked up. Furthermore, you should disable Simple Passcode in the Passcode Lock settings on your iOS device and choose a longer alphanumeric passcode. An 8-character passcode is not uncrackable in principle, but it raises the number of candidates from 10,000 to hundreds of trillions, so at the same on-device guessing rate an exhaustive search would take far longer than any investigation; combined with never using iTunes, that puts the data on your iPhone, iPad or iPod touch well out of this tool's reach.