
Cops Can Crack an iPhone In Under Two Minutes 375

Posted by Soulskill
from the can-i-see-that-for-a-minute dept.
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
  • by Anonymous Coward on Tuesday March 27, 2012 @05:44PM (#39490169)

    undisclosed vulnerability

    Maybe the delay between login attempts is only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?

  • Pshaw (Score:5, Funny)

    by TechHawk (570290) on Tuesday March 27, 2012 @05:44PM (#39490173) Homepage
    I can crack any smart phone in under 15 seconds.

    With a sledgehammer...
  • by deathtopaulw (1032050) on Tuesday March 27, 2012 @05:44PM (#39490175) Homepage
    What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.
    • by dougmc (70836) <dougmc+slashdot@frenzied.us> on Tuesday March 27, 2012 @06:01PM (#39490401) Homepage

      What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

      Serious answer, they probably get a support contract when they buy the software that entitles them to support and updates during the length of the contract. That's the way commercial Enterprise software generally is licensed, I see no reason why this would be different.

      It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while, and there's probably a clause in the contract that says this could happen but that they promise to make a good faith effort to find more vulnerabilities and "fix" their software as soon as possible. (But I seriously doubt it offers their money back -- after all, the rest of the software will probably still work, and even this part will still work on unpatched phones.)

    • Re: (Score:3, Insightful)

      by AngryDeuce (2205124)

      What happens when these vulnerabilities are fixed and the kits become useless?

      Then they throw you in the clink until you decrypt it for them. [wired.com]

      America! Fuck Yeah!!

  • Undisclosed? (Score:5, Insightful)

    by ichthus (72442) on Tuesday March 27, 2012 @05:46PM (#39490195) Homepage
    If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.
    • Re:Undisclosed? (Score:5, Insightful)

      by FunPika (1551249) on Tuesday March 27, 2012 @05:58PM (#39490343) Journal
      Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.
      • Re:Undisclosed? (Score:5, Interesting)

        by Khyber (864651) <techkitsune@gmail.com> on Tuesday March 27, 2012 @06:03PM (#39490429) Homepage Journal

        Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.

      • Re:Undisclosed? (Score:5, Informative)

        by Anonymous Coward on Tuesday March 27, 2012 @06:51PM (#39490879)

        Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

        It's not as if you can just download their demo version from here:

        http://www.msab.com/app-data/downloads/XRY_Reader/XRY_READER_NOINST_6.2.0.zip

        Oh wait...

  • by manekineko2 (1052430) on Tuesday March 27, 2012 @05:47PM (#39490207)

    Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

    http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]

    • by Sez Zero (586611) on Tuesday March 27, 2012 @06:01PM (#39490399) Journal

      Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

      http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]

      That's actually referenced in the article, probably a case of a long/strong passcode.

      Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.” That may have been the situation, for instance, in one recent case involving the phone of Dante Dears, a paroled convict accused of running a prostitution ring known as “Pimping Hoes Daily” from his Android phone; The FBI, apparently unable or unwilling to crack the phone, asked Google to help in accessing it.

    • Re: (Score:2, Interesting)

      by SuricouRaven (1897204)
      There are only 9!+8!+7!+6!+5!+4!+3!+2+1 possible combinations. That's... 409113.
      409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.

      Twenty-bit encryption. Hmm. Unimpressive.
    • by milkmage (795746) on Tuesday March 27, 2012 @06:22PM (#39490605)

      no you weren't. did you read the linked piece?

      the phone locked because they struck out too many times on the gesture lock. the phone is now asking for the GOOGLE credentials. It's not like the guy's pattern was so awesome it defeated the FBI - how many strikes do you get before the phone requires your google login? my BBerry gives me 5 before it nukes itself. 5 failed attempts is not "utter failure"

      https://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412 [threatpost.com]
      "Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone."

      great system (seriously) .. require stronger auth if the first lock thinks it's being attacked.

  • Keystroke Logs? (Score:5, Insightful)

    by steevven1 (1045978) on Tuesday March 27, 2012 @05:47PM (#39490211) Homepage
    Um, why do these even exist on the phones in the first place?
    • by crazyjj (2598719) *

      Presumably to make it just hard enough to hack to give you time to deactivate it before your local crackhead's fingers get tired.

  • 10000 possible passcodes... most systems can try that many in a few seconds. What slow ass computer are they using that it takes 2 minutes?
    • I'd be much more interested in how they're getting around that feature. That requires memory access or code injection, and as others have mentioned, it's a jailbreak or blatantly intentional.

    • Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

      • by PNutts (199112)

        Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

        They do.

    • by leenks (906881)

      The iPhone. The summary even explains that... The article and video demonstrate even more. It loads alternative firmware onto the device and uses that to crack the passcode stored on the device. Most of the time is spent loading the code onto the device, not cracking the code.

      I wonder how well it works with a complex iPhone passcode though (if at all?) - I confess to not watching all of the video or reading the article properly.

    • by countach (534280)

      Err... the iPhone's "slow ass" computer?

    • by rgbrenner (317308)

      A few seconds?! I was just testing # of rounds w/ SHA512 for password encryption. The system has an AMD Sempron 140 [newegg.com] -- a $30, single core processor. Plus, it runs XenServer... so subtract some % for the virtualization overhead.

      Results: 10,000 rounds of SHA512 in 96ms

      • a $30 2.7GHz CPU, which is many times more powerful than the $5 ARM processor in the phone this thing runs on.
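    As an added example (not code from the thread, Apple, or Micro Systemation), a small Python model of the defences the posters keep circling: a PIN stretched with a deliberately slow KDF, a failure counter with escalating delays and a wipe after ten wrong guesses that sits below any UI, and the arithmetic behind rgbrenner's 96 ms figure. The DELAYS schedule and every number other than the thread's own are constructed assumptions.

    ```python
    import hashlib
    import hmac
    import os
    import time

    PIN_SPACE = 10_000   # four decimal digits, the space the thread is arguing about
    WIPE_AFTER = 10      # the "10 wrong then wipe" option several posters mention
    ITERATIONS = 10_000  # PBKDF2 rounds; rgbrenner timed 10,000 SHA512 rounds at 96 ms
    # Constructed throttle schedule: seconds of lockout after the n-th failure.
    # An illustration of escalating delays, not Apple's actual table.
    DELAYS = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]


    def derive_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
        """Stretch the PIN so every guess, UI or not, costs real CPU time."""
        return hashlib.pbkdf2_hmac("sha512", pin.encode(), salt, iterations)


    class PinLock:
        """Simulated lock: counts failures, escalates delay, wipes after WIPE_AFTER.
        The counter lives here, below any UI, so a caller hitting try_unlock()
        directly is still throttled (the concern raised in the first comment)."""

        def __init__(self, pin: str, iterations: int = ITERATIONS):
            self.salt, self.iterations = os.urandom(16), iterations
            self.key = derive_key(pin, self.salt, iterations)
            self.failures, self.locked_until, self.wiped = 0, 0.0, False

        def try_unlock(self, pin: str, now: float) -> str:
            """now is a simulated clock (seconds); returns the lock's decision."""
            if self.wiped:
                return "wiped"
            if now < self.locked_until:
                return "throttled"  # refused before the guess is even checked
            if hmac.compare_digest(derive_key(pin, self.salt, self.iterations), self.key):
                self.failures = 0
                return "unlocked"
            self.failures += 1
            if self.failures >= WIPE_AFTER:
                self.key, self.wiped = None, True  # key gone, data unrecoverable
                return "wiped"
            self.locked_until = now + DELAYS[self.failures]
            return "denied"


    def measure_guess_cost(iterations: int = ITERATIONS, samples: int = 20) -> float:
        """Seconds per guess for this iteration count on this machine."""
        salt, start = os.urandom(16), time.perf_counter()
        for i in range(samples):
            derive_key(f"{i:04d}", salt, iterations)
        return (time.perf_counter() - start) / samples


    def brute_force_seconds(per_guess: float, space: int = PIN_SPACE) -> float:
        """Worst-case enumeration time if throttle and wipe are bypassed entirely."""
        return per_guess * space
    ```

    With rgbrenner's 96 ms per guess, `brute_force_seconds(0.096)` gives 960 s, i.e. about 16 minutes for the whole four-digit space once the counter is out of the picture, which is why the posters' point about the wipe and the throttle living below the UI matters more than the hash cost alone.
    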
  • by tlhIngan (30335) <slashdot@wor f . n et> on Tuesday March 27, 2012 @05:51PM (#39490251)

    iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

    How does this thing fix that?

    Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...

    • by Sez Zero (586611)

      iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

      How does this thing fix that?

      It doesn't. They basically say that if there's a tough passcode, it might take so long as to be not worth guessing.

      Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”

  • by LostCluster (625375) * on Tuesday March 27, 2012 @05:52PM (#39490255)

    Unclear from the article is whether this hack would get anything if the 10-wrong rule for wiping everything is in effect.

  • If any Joe Shmoe can crack an iPhone/Android, it might put public pressure on device manufacturers to close these holes.
    • by mrbester (200927)
      How about Google and Apple team up to sue? I'm sure they wouldn't be happy about some hacker group making money from undisclosed vulnerabilities so why would this company be any different?
      • by rhook (943951)

        I wonder if Google could sue them and force them to release the source code?

    • by PNutts (199112)

      That's true, but we're talking about Guberments and Militards. The folks that did Stuxnet don't have issues getting into your phone and the ability to do this has been around for years.

  • by grei9715 (688827) on Tuesday March 27, 2012 @05:56PM (#39490311)

    The process is identical to what you do to jailbreak an iPhone - which makes sense. In both cases, the device would need to be put in DFU (e.g., the "help, I'm broken, iTunes please fix me") mode. You have to wonder if these guys actually do the R&D for the iPhone, or just take the work that's already been done by others like the iPhone Dev Team.

    Since this is pretty much a guaranteed vulnerability anyway (at least, every iOS up to now can be jailbroken with a tether), a much more interesting question is how much harder is a longer/more complicated password to break? If this is literally a bruteforce enumeration, a reasonable password (that could be used for a computer) would be fairly safe.

  • We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

    • by Sez Zero (586611)

      We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

      Like NSA's SE Android [informationweek.com]?

      • Is it encrypted? If I pull the memory chip out of the phone and load it by some means into another machine will the information be encrypted?

        Anyway, it looks neat. Is it impossible to install? It looks complicated.

    • Until then we can use Encryption Manager [appbrain.com].
    • by spinkham (56603)

      iOS has "full drive encryption" in iOS 4 and later.

      It's just protected by a 4 digit pin which can be easily brute forced by default.

      You can use a stronger passcode, but you have to type it on every unlock so few do.

      • it would seem there are simple ways to make more complex passwords. For example, maybe you draw a picture with your fingers and the system unlocks if you get it close to right. Can you have "fuzzy" encryption? Something that locks a system with a "general" password? I ask because obviously with the picture idea you're never going to enter it in exactly the same every time.

  • I believe these two options in iOS will make it a bit more secure

    1) Strong passcode option (alphanumeric and more than 4 characters)

    2) Delete all data after 10 incorrect passcode attempts

    • by Sez Zero (586611)

      I believe these two options in iOS will make it a bit more secure

      1) Strong passcode option (alphanumeric and more than 4 characters)

      2) Delete all data after 10 incorrect passcode attempts

      Probably strong passcode option, but I'm guessing that this is done at a low enough level to bypass that other feature of iOS.

  • DMCA? (Score:5, Insightful)

    by v1 (525388) on Tuesday March 27, 2012 @05:59PM (#39490377) Homepage Journal

    isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

    I mean, technically, aren't they hacking it and selling an exploit?

    It would be refreshing to see that law used to protect some of the public for once.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

      I mean, technically, aren't they hacking it and selling an exploit?

      Yes. But they aren't located in the USA, and they are (allegedly) only selling to law enforcement, so the DMCA doesn't apply.

      It would be refreshing to see that law used to protect some of the public for once.

      HAHAHAHAHAHHA! That's a good one. Got any more jokes?

  • by downhole (831621) on Tuesday March 27, 2012 @06:01PM (#39490395) Homepage Journal

    I'm curious how they managed to crack the Android phones. All of the rooting methods that I know of involve manually enabling Debug mode on the phone and then rooting around on the command line. If you have a screenlock enabled and have not left debug mode enabled, then I don't see any simple way to get access to the phone to even start to mess with exploits.

    Then there's the question of how this relates to the FBI publicly having to go beg Google for help to get into some low-level criminal's Android phone that had the pattern lock enabled, which some have previously complained wasn't really all that secure. Are these guys blowing smoke about how easy it is to crack Android? Were the FBI guys working on this particular case just not on the ball? Has the Government decided not to break out their coolest tricks to solve a relatively minor crime? Did this guy have some particular model that's much harder to crack?

  • by syncrotic (828809) on Tuesday March 27, 2012 @06:14PM (#39490543)

    How to make phone operating systems more secure:

    1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.

    2. No USB access of any kind when the phone is locked. It's a huge vulnerability.

    3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...

    4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.

    An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.

    Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.

    What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.

    • by AndrewNeo (979708)

      I'm curious how difficult it would be to have an alternate ROM for Android phones just have a 'USB toggle' that blocks access to the USB module entirely (add/remove kernel module?)

  • by Yvan256 (722131) on Tuesday March 27, 2012 @06:30PM (#39490683) Homepage Journal

    My password is one, two, three, four, five.

  • by evangellydonut (203778) on Tuesday March 27, 2012 @07:02PM (#39490983)

    it's a matter of attempts. Blackberries and iPhones (don't know about Android) have the ability to erase all data after 10 failed attempts to log-in. So unless they can bypass the counter entirely, I'm not too concerned about the security level of 4 numbers (assuming you don't use 0000 1111 1234 or some other common ones).

  • by weweedmaniii (1869418) on Tuesday March 27, 2012 @07:56PM (#39491437)
    The easiest workaround, if you are doing something questionable with your smartphone, is to carry a dumb phone, with an appropriate number of contacts: Mommy, a pastor, the local animal rescue shelter, etc. and hand that to the LEOs. They aren't going to ask "Is this the only phone?" They look, they see that you are Mr. Citizen of the Year and you're on your way...
