Cops Can Crack an iPhone In Under Two Minutes 375
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
Taking code from the iPhone Dev Team? (Score:5, Informative)
The process is identical to what you do to jailbreak an iPhone - which makes sense. In both cases, the device would need to be put in DFU (eg, the "help, I'm broken, iTunes please fix me") mode. You have to wonder if these guys actually do the R&D for the iPhone, or just take the work that's already been done by others like the iPhone Dev Team.
Since this is pretty much a guaranteed vulnerability anyway (at least, every iOS up to now can be jailbroken with a tether), a much more interesting question is how much harder is a longer/more complicated password to break? If this is literally a bruteforce enumeration, a reasonable password (that could be used for a computer) would be fairly safe.
Re:Security 101 (Score:4, Informative)
The attack boots an alternative firmware onto the device. I doubt an unsuccessful attempt lock is much use...
Re:Previous Android gesture lock story (Score:5, Informative)
Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?
http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]
That's actually referenced in the article, probably a case of a long/strong passcode.
Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.” That may have been the situation, for instance, in one recent case involving the phone of Dante Dears, a paroled convict accused of running a prostitution ring known as “Pimping Hoes Daily” from his Android phone; The FBI, apparently unable or unwilling to crack the phone, asked Google to help in accessing it.
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
Re:sounds great (Score:5, Informative)
Certainly. Even an iPhone allows you to set any password of any length that you like. The 4 digit passcode is the default but you don't have to use it. I always set at least an 8 character code.
From TFA:
In short, longer passwords tougher to crack by brute force and potentially not worth the time. Seriously this is a non-story other than the fact that there should be a warning on all mobile phones that a 4 digit pin is this decades WEP.
Re:Previous Android gesture lock story (Score:5, Informative)
no you weren't. did you read the linked piece?
the phone locked because they struck out too many times on the gesture lock. the phone is now asking for the GOOGLE credentials. It's not like the guys pattern was so awesome it defeated the FBI - how many strikes do you get before the phone requires your google login? my BBerry gives me 5 before it nukes itself. 5 failed attempts is not "utter failure"
https://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412 [threatpost.com]
"Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone."
great system (seriously) .. require stronger auth if the first lock thinks it's being attacked.
Re:sounds great (Score:5, Informative)
On a decent device, the PIN should be stored in specialized hardware. When you get it right, it releases the encryption keys to your data. If you guess wrong several times, the key (and therefore your data) should be destroyed. If the OS internally has easy-access to all the data without your PIN, we can expect data to be easily compromised using the vulnerability of the day. A secure design would use full-disk encryption to facilitate fast remote-wipe operations. But to protect the data when a wipe hasn't happened, the user data should be encrypted with the PIN as I described initially. The encryption key could be available to encrypt income mail and data while the handset is locked. Then, when unlocked, the phone can finish merging the new data into the email/whatever database. As soon as you lock your phone, it shouldn't be possible to brute force the PIN to access your mail due to the max number of guesses enforced by hardware.
But in addition to this, if the device doesn't require a PIN to unlock the full-disk encryption on boot, it's vulnerable to viruses being installed on the device. Then that could monitor the device and record any PIN entered by the user. I don't really know of any phones that actually implement a really good security scheme. Your best bet is to avoid having sensitive data on your phone. For example, you could use HTTPS to access gmail rather than adding the account to the phone itself. Of course, for most of us non-criminals, we don't really care. It's usually our employers who own the IP saved in our phone.
Re:Undisclosed? (Score:5, Informative)
Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.
It's not as if you can just download their demo version from here:
http://www.msab.com/app-data/downloads/XRY_Reader/XRY_READER_NOINST_6.2.0.zip
Oh wait...
Re:sounds great (Score:5, Informative)
Wipes after sufficient failures should be an option that can be disabled, though. Anyone with kids who ever get their hands on their phone will likely prefer that. Hell, my son managed to dial emergency services once by mistake, WHILE MY PHONE WAS LOCKED, and I didn't know until they called me back, just by mashing buttons. (Apparently, holding down zero long enough would dial 911, even when locked. Not so cool when you manage to sit on the phone wrong, or the kid decides to hold your locked phone Just Right.)
Re:sounds great (Score:5, Informative)
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
As does iOS if you enable it:
http://support.apple.com/kb/HT4175
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
Generally speaking though, only Blackberrys (and much of the related software (BES)) has received any kind of certification for security. Specifically FIPS 140-2 and EAL 4+:
http://us.blackberry.com/ataglance/security/certifications.jsp
It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.
I work someplace where we have a lot of personal health information, and the IT director (CISSP et al.) only allows Blackberrys for portable devices. He has an iPhone for his personal stuff, but carries a BB for work because iOS just isn't up to our needs yet when it comes to data security.
Re:sounds great (Score:5, Informative)
I'm not certain about Android, but iPhone offers the option (Settings -> General -> Passcode Lock) to wipe your phone after 10 attempts. This is the same area where you can disable the 'simple' passcode 4 number pin. I'm assuming this method of hardware brute force cracking the phone allows them to bypass that of course. Sufficient for casual folks trying to hack into your phone at least. I assume Android has similar options.
Re:Undisclosed? (Score:5, Informative)
Re:sounds great (Score:5, Informative)
Re:sounds great (Score:5, Informative)
Dickman also noted that long passwords were easier to crack if the phone belongs to a Slashdot user, because the password always turned out to be "Natal13 Pr0tman"
Re:Undisclosed? (Score:5, Informative)
Not according to 17 USC 1201(a)(2) and 17 USC 1201(b)(1) it isn't.
Re:This software needs to be released/leaked (Score:2, Informative)
If any Joe Shmoe can crack an iPhone/Android, it might put public pressure on device manufacturers to close these holes.
Why do you need specialised software?
Both phones have boot modes where you can access the device over a development bridge. The software relies on actually having the device same as using ADB from the Android SDK extract data (IIRC, You can do dd from a device using the SDK, so you can copy that and crack it to your hearts content). Once again we learn that once your physical security is broken, your data security is worthless.
I'd be surprised if BB/WP7 didn't also have something like Android's fastboot.
Re:sounds great (Score:1, Informative)
Both are vulnerable to smudging, though patterns that don't cross themselves are slightly more vulnerable.
There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.
There are 362880 9-dot patterns (use the whole pattern). There are 986400 total possible patterns.
IF patterns are easier to memorize for you, then choosing an 8 or 9-spot pattern will provide better security than a 6-digit PIN.
It's also harder to have a pattern of your birthday than it is to have a PIN of the same.
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
For obvious reasons, our goonware friends are a bit vague on how their mechanism works; but encryption only saves you if the attack is unable to get access to the phone as the user(since the filesystem has to be mounted and visible to you and your process as plaintext).
Encryption is excellent against the class of attacks where the attacker attempts to circumvent the OS's access control by obtaining direct access to the block device and using an OS they control to read it out. However, if the attack is directly against the OS's access control, it isn't nearly so useful, since things are usually set up to grant trivial plaintext access to the user.
Re:Crack your iPhone? (Score:5, Informative)
Here is the video of how it works:
http://www.msab.com/xry/smartphones [msab.com]
Re:sounds great (Score:5, Informative)
There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.
No, there are 10,000 4-digit PINs, 1,000,000 6-digit PINs, 10,000,000 7-digit PINs and 100,000,000 8-digit PINs. Unlike with patterns (as implemented by Android, at least), you're not restricted from re-using digits.
There are 362,880 9-dot patterns (use the whole pattern)
Not quite that many. You're assuming you can pick the nine dots in any sequence, but some patterns are impossible (or at least very difficult) because you can't get from one dot to the next in the pattern without touching a dot in between. It would be tedious, but not difficult, to enumerate the feasible set of patterns, and the likely set is even smaller, since people tend to choose connected sequences.
I'd say a longish pattern (6+ dots) is roughly equivalent to a four-digit PIN, but even a maximal-length pattern barely reaches the strength of a five-digit PIN.
Re:Crack your iPhone? (Score:4, Informative)