Cops Can Crack an iPhone In Under Two Minutes 375
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
Maybe the delay is in the UI (Score:5, Interesting)
undisclosed vulnerability
Maybe the delay between login attempts in only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?
Previous Android gesture lock story (Score:5, Interesting)
Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?
http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]
What about stronger passcodes? (Score:5, Interesting)
iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.
How does this thing fix that?
Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...
Re:Undisclosed? (Score:5, Interesting)
Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.
Re:Undisclosed? (Score:5, Interesting)
You think a company that produces a program that bypasses the user's pass-code on an iPhone is going to sue Apple for violating a EULA and win?
You do realize that iOS has a EULA too, and that bypassing a password lock to gain access to a computer system a felony right? Even if Apple couldn't throw money at the problem until it goes away (they can), they's still be in a position where their openents broke the same law they accused Apple of and developed a product that has illegal uses. Not to mention that Apple could probably argue lost revenue and or brand damages if it seems likely people would choose not to buy an iPhone because of the existence of this software.
Re:DMCA? (Score:2, Interesting)
isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?
I mean, technically, aren't they hacking it and selling an exploit?
Yes. But they aren't located in the USA, and they are (allegedly) only selling to law enforcement, so the DMCA doesn't apply.
It would be refreshin to see that law used to protect some of the public for once.
HAHAHAHAHAHHA! That's a good one. Got any more jokes?
Re:Previous Android gesture lock story (Score:2, Interesting)
409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.
Twenty-bit encryption. Hmm. Unimpressive.
Security just isn't a priority (Score:5, Interesting)
How to make phone operating systems more secure:
1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.
2. No USB access of any kind when the phone is locked. It's a huge vulnerability.
3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...
4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.
An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.
Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.
What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.
Re:Not much good if the passcode is easy to guess (Score:5, Interesting)
If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.
While if you have a 40 character passphrase you have enter everytime you want to unlock it, its not terribly useful as a mobile phone.
Not really sure what the solution is. Some sort of balanced approach... 4 digits to unlock the basic functionality... place and answer calls... use preselected apps...
full passphrase to get deeper in...
with some user options to control where exactly the boundary is...
but this is of course "complicated" which disqualifies it from being ideal too... so I'm not really sure what the solution is.
Re:sounds great (Score:4, Interesting)
What do you define as "specialized hardware," exactly? The iPhone doesn't exactly keep the PIN on a USB drive...by definition it is specialized hardware, in and of itself. And what you describe as what should happen if the PIN is incorrectly entered enough times is already a native iPhone feature.
And of course the OS has to have access to your data without the PIN; how is it going to tell you that you got a new text, email or phone call? How will it tell you the name of who is calling based on their phone number? How will it let you know that you have that meeting coming up in 15 minutes, like you want it to do? And most of all...how will it know that the PIN you gave it is the right one? There are ways to make devices more secure against side-channel attacks, but what you're describing is infeasible, impractical and pretty much impossible anyways.
It doesn't matter where you keep the PIN, hardware-wise, in this case since the problem is software related. And you don't encrypt anything with a PIN; a PIN that any human could ever remember has WAY too short a length and too little entropy to be useful. The PIN is nothing more than an authentication factor.
And if you don't know of any phones that implement a really good security scheme, it's either because you don't know what a Blackberry is, or because you don't know how to build security around a mobile device. I'm betting on the latter...
Re:Not much good if the passcode is easy to guess (Score:2, Interesting)
can you place or answer calls without unlocking it? Holding it up for "face recognition" while driving would be illegal in an increasing number of places.
I'm also not convinced that the pattern drawn on screen is really more secure than a short digit password. I admit I don't know a lot about it.
But as a programmer I'm imagining ways that it would be implemented...
After factoring in that the recognition has to be loose enough to accept anything "pretty close", there aren't -that- many different designs you can "draw" in a short number of strokes... well under a million I think... which is roughly equivalent to a 6 digit passcode... yikes.
Re:sounds great (Score:5, Interesting)
Anyone with kids who ever get their hands on their phone will likely prefer that.
After 3 failed attempts, the phone starts imposing a waiting period before you can attempt the passcode again.
By the time you get to 6 failed attempts, you have to wait ~1 hour before trying again.
Your kid could do 10 attempts to wipe your phone, but only if you are so careless to leave the phone with them for an extended period. Besides, your phone gets backed up every time you sync it.
Re:Not much good if the passcode is easy to guess (Score:5, Interesting)
I would suggest having two methods: (1) Tap the power button 3 times or power off, to engage full lock manually. (2) an RFID or bluetooth "leash" concealed somewhere about your body; if the phone is within range and then suddenly taken more than a certain distance from your RFID transponder, the new distance will be calculated by the units, and when the threshold is exceeded, the "hard lock" engages automatically.
This way if you drop your phone, or someone steals it, the hard lock will engage.
The bluetooth leash could also have a remote lock button on it, and be designed to automatically signal a lock if the leash is removed from your body, or if a sufficient "sudden jolt motion" or downward motion is detected by an accelerometer on the leash (indicating that someone grabbed it real fast), or you were forced to drop it.