Cops Can Crack an iPhone In Under Two Minutes

Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."

Wasted taxpayer money

[deathtopaulw]

What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

Undisclosed?

[ichthus]

If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.

Keystroke Logs?

[steevven1]

Um, why do these even exist on the phones in the first place?

Re:Undisclosed?

[FunPika]

Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

Re:4-digit pass code...

[X0563511]

Does it actually wipe it, or merely disable your ability to unlock it without help from Apple?

DMCA?

[v1]

isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

I mean, technically, aren't they hacking it and selling an exploit?

It would be refreshin to see that law used to protect some of the public for once.

Re:Wasted taxpayer money

[dougmc]

What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

Serious answer, they probably get a support contract when they buy the software that entitles them to support and updates during the length of the contract. That's the way commercial Enterprise software generally is licensed, I see no reason why this would be different.

It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while, and there's probably a clause in the contract that says this could happen but that they promise to make a good faith effort to find more vulnerabilities and "fix" their software as soon as possible. (But I seriously doubt it offers their money back -- after all, the rest of the software will probably still work, and even this part will still work on unpatched phones.)

Re:Wasted taxpayer money

[AngryDeuce]

What happens when these vulnerabilities are fixed and the kits become useless?

Then they throw you in the clink until you decrypt it for them. [wired.com]

America! Fuck Yeah!!

Re:Not much good if the passcode is easy to guess

[Githaron]

You could have a soft and hard lock. A soft lock could be done with a short simple pin. When you believe that you are in danger of having your device taken you put it in a hard lock that clears the decrypted encryption key from the memory and requires the full password to unlock. Not perfect but a compromise.

You are all overthinking this...

[weweedmaniii]

The easiest workaround, if you are doing something questionable with your smartphone, is to carry a dumb phone, with an appropriate number of contacts: Mommy, a pastor, the local animal rescue shelter, etc. and hand that to the LEOs. They aren't going to ask "Is this the only phone?" They look, they see that you are Mr. Citizen of the Year and you're on your way...

Re:Crack your iPhone?

[Relayman]

This may give the police some information, but I doubt they could use it in court. How can they prove that they didn't introduce some data during this process?