Cops Can Crack an iPhone In Under Two Minutes 375
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
Maybe the delay is in the UI (Score:5, Interesting)
undisclosed vulnerability
Maybe the delay between login attempts in only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?
Re: (Score:3)
Actually, the iPhone does do delays.
I believe it lets you have 3 tries at full speed. Then it delays 1 minute between the 3rd and 4th try
Pshaw (Score:5, Funny)
With a sledgehammer...
Re: (Score:3)
Either that, or the owner's fingers.
Wasted taxpayer money (Score:5, Insightful)
Re:Wasted taxpayer money (Score:5, Insightful)
What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.
Serious answer, they probably get a support contract when they buy the software that entitles them to support and updates during the length of the contract. That's the way commercial Enterprise software generally is licensed, I see no reason why this would be different.
It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while, and there's probably a clause in the contract that says this could happen but that they promise to make a good faith effort to find more vulnerabilities and "fix" their software as soon as possible. (But I seriously doubt it offers their money back -- after all, the rest of the software will probably still work, and even this part will still work on unpatched phones.)
Re: (Score:3, Insightful)
What happens when these vulnerabilities are fixed and the kits become useless?
Then they throw you in the clink until you decrypt it for them. [wired.com]
America! Fuck Yeah!!
Undisclosed? (Score:5, Insightful)
Re:Undisclosed? (Score:5, Insightful)
Re:Undisclosed? (Score:5, Interesting)
Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.
Re:Undisclosed? (Score:5, Informative)
Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.
It's not as if you can just download their demo version from here:
http://www.msab.com/app-data/downloads/XRY_Reader/XRY_READER_NOINST_6.2.0.zip
Oh wait...
Re: (Score:2)
Doesn't the DMCA already make doing do illegal?
Re: (Score:2)
Re:Undisclosed? (Score:5, Interesting)
You think a company that produces a program that bypasses the user's pass-code on an iPhone is going to sue Apple for violating a EULA and win?
You do realize that iOS has a EULA too, and that bypassing a password lock to gain access to a computer system a felony right? Even if Apple couldn't throw money at the problem until it goes away (they can), they's still be in a position where their openents broke the same law they accused Apple of and developed a product that has illegal uses. Not to mention that Apple could probably argue lost revenue and or brand damages if it seems likely people would choose not to buy an iPhone because of the existence of this software.
Re:Undisclosed? (Score:5, Informative)
Re:Undisclosed? (Score:5, Informative)
Not according to 17 USC 1201(a)(2) and 17 USC 1201(b)(1) it isn't.
Re: (Score:3)
Exactly.
1) Buy a device
2) Figure out what it's doing
3) Coincidentally discover a bug in your phone and offer a patch
Re: (Score:3)
I think it takes more than clever marketing to declare yourself a prophet. However, being a prophet can be very profitable.
Previous Android gesture lock story (Score:5, Interesting)
Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?
http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]
Re:Previous Android gesture lock story (Score:5, Informative)
Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?
http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]
That's actually referenced in the article, probably a case of a long/strong passcode.
Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.” That may have been the situation, for instance, in one recent case involving the phone of Dante Dears, a paroled convict accused of running a prostitution ring known as “Pimping Hoes Daily” from his Android phone; The FBI, apparently unable or unwilling to crack the phone, asked Google to help in accessing it.
Re: (Score:2, Interesting)
409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.
Twenty-bit encryption. Hmm. Unimpressive.
Re:Previous Android gesture lock story (Score:5, Informative)
no you weren't. did you read the linked piece?
the phone locked because they struck out too many times on the gesture lock. the phone is now asking for the GOOGLE credentials. It's not like the guys pattern was so awesome it defeated the FBI - how many strikes do you get before the phone requires your google login? my BBerry gives me 5 before it nukes itself. 5 failed attempts is not "utter failure"
https://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412 [threatpost.com]
"Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone."
great system (seriously) .. require stronger auth if the first lock thinks it's being attacked.
Keystroke Logs? (Score:5, Insightful)
Re: (Score:2)
Presumably to make it just hard enough to hack to give you time to deactivate it before your local crackhead's fingers get tired.
4 digit integer passcode (Score:2)
X tries then wipe? (Score:2)
I'd be much more interested in how they're getting around that feature. That requires memory access or code injection, and as others have mentioned, it's a jailbreak or blatantly intentional.
Re: (Score:2)
Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.
Re: (Score:3)
Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.
They do.
Re: (Score:3)
The iPhone. The summary even explains that... The article and video demonstrate even more. It loads alternative firmware onto the device and uses that to crack the passcode stored on the device. Most of the time is spent loading the code onto the device, not cracking the code.
I wonder how well it works with a complex iPhone passcode though (if at all?) - I confess to not watching all of the video or reading the article properly.
Re: (Score:3)
Err... the iPhone's "slow ass" computer?
Re: (Score:2)
A few seconds?! I was just testing # of rounds w/ SHA512 for password encryption. The system has a AMD Sempron 140 [newegg.com] -- a $30, single core processor. Plus, it runs XenServer... so subtract some % for the virtualization overhead.
Results: 10,000 rounds of SHA512 in 96ms
Re: (Score:2)
What about stronger passcodes? (Score:5, Interesting)
iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.
How does this thing fix that?
Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...
Re: (Score:2)
iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.
How does this thing fix that?
It doesn't. They basically say that if there's a tough passcode, it might take so long as to be not worth guessing.
Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”
10 wrong then wipe rule? (Score:3)
Unclear from the article is whether this hack would get anything if the 10-wrong rule for wiping everything is in effect.
This software needs to be released/leaked (Score:2)
Re: (Score:2)
Re: (Score:2)
I wonder if Google could sue them and force them to release the source code?
Re: (Score:2)
That's true, but we're talking about Guberments and Militards. The folks that did Stuxnet don't have issues getting into your phone and the ability to do this has been around for years.
Taking code from the iPhone Dev Team? (Score:5, Informative)
The process is identical to what you do to jailbreak an iPhone - which makes sense. In both cases, the device would need to be put in DFU (eg, the "help, I'm broken, iTunes please fix me") mode. You have to wonder if these guys actually do the R&D for the iPhone, or just take the work that's already been done by others like the iPhone Dev Team.
Since this is pretty much a guaranteed vulnerability anyway (at least, every iOS up to now can be jailbroken with a tether), a much more interesting question is how much harder is a longer/more complicated password to break? If this is literally a bruteforce enumeration, a reasonable password (that could be used for a computer) would be fairly safe.
Re: (Score:3)
We need full phone encryption. (Score:2)
We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.
Re: (Score:2)
We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.
Like NSA's SE Android [informationweek.com]?
Re: (Score:2)
Is it encrypted? If I pull the memory chip out of the phone and load it by some means into another machine will the information be encrypted?
Anyway, it looks neat. Is it impossible to install? It looks complicated.
Re: (Score:2)
Re: (Score:3)
iOS has "full drive encryption" in iOS 4 and later.
It's just protected by a 4 digit pin which can be easily brute forced by default.
You can use a stronger passcode, but you have to type it on every unlock so few do.
Re: (Score:2)
it would seem there are simple ways to make more complex passwords. For example, maybe you draw a picture with your fingers and the system unlocks if you get it close to right. Can you have "fuzzy" encryption? Something that locks a system with a "general" password? I ask because obviously with the picture idea you're never going to enter it in exactly the same every time.
Strong passcode option & delete after 10 attem (Score:2)
I believe these two options in iOS will make it a bit more secure
1) Strong passcode option (alphanumeric and more than 4 characters)
2) Delete all data after 10 incorrect passcode attempts
Re: (Score:2)
I believe these two options in iOS will make it a bit more secure
1) Strong passcode option (alphanumeric and more than 4 characters)
2) Delete all data after 10 incorrect passcode attempts
Probably strong passcode option, but I'm guessing that this is done at a low enough level to bypass that other feature of iOS.
DMCA? (Score:5, Insightful)
isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?
I mean, technically, aren't they hacking it and selling an exploit?
It would be refreshin to see that law used to protect some of the public for once.
Re: (Score:2, Interesting)
isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?
I mean, technically, aren't they hacking it and selling an exploit?
Yes. But they aren't located in the USA, and they are (allegedly) only selling to law enforcement, so the DMCA doesn't apply.
It would be refreshin to see that law used to protect some of the public for once.
HAHAHAHAHAHHA! That's a good one. Got any more jokes?
Wonder how they did Android... (Score:4)
I'm curious how they managed to crack the Android phones. All of the rooting methods that I know of involve manually enabling Debug mode on the phone and then rooting around on the command line. If you have a screenlock enabled and have not left debug mode enabled, then I don't see any simple way to get access to the phone to even start to mess with exploits.
Then there's the question of how this relates to the FBI publicly having to go beg Google for help to get into some low-level criminal's Android phone that had the pattern lock enabled, which some have previously complained wasn't really all that secure. Are these guys blowing smoke about how easy it is to crack Android? Were the FBI guys working on this particular case just not on the ball? Has the Government decided not to break out their coolest tricks to solve a relatively minor crime? Did this guy have some particular model that's much harder to crack?
Re: (Score:2)
Security just isn't a priority (Score:5, Interesting)
How to make phone operating systems more secure:
1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.
2. No USB access of any kind when the phone is locked. It's a huge vulnerability.
3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...
4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.
An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.
Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.
What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.
Re: (Score:3)
I'm curious how difficult it would be to have an alternate ROM for Android phones just have a 'USB toggle' that blocks access to the USB module entirely (add/remove kernel module?)
I'm safe from this crack (Score:3, Funny)
My password is one, two, three, four, five.
it's not a matter of time... (Score:3)
it's a matter of attempts. Blackberries and iPhones (don't know about Android) has the ability to erase all data after 10 failed attempts to log-in. So unless they can bypass the counter entirely, I'm not too concerned about the security level of 4 numbers (assuming you don't use 0000 1111 1234 or some other common ones).
You are all overthinking this... (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
That may not happen if they've jailbreaked and are hacking it from internally.
Re:4-digit pass code... (Score:4, Insightful)
Does it actually wipe it, or merely disable your ability to unlock it without help from Apple?
Re: (Score:3)
It basically wipes the decryption key from any memory on the device. The key is not stored with Apple and I doubt Apple has a 'universal collision key' on their encryption as they use RSA if I'm not mistaken which AFAIK doesn't have a universal collision key. Same goes for Android/Google and most encryption, encryption with spare keys is easy to detect and crack.
Re: (Score:2)
Well, iphones are often set to wipe "automatically" after 4 failed attempts.
And people who do this probably find their iPhones wiped quite often ...
And this software probably bypasses that anyways.
Re: (Score:2)
If they're somehow imaging the drive it's easy - Just run every attempt against the same image instead of the one counting fails.
Re: (Score:3)
I thought it was 10 attempts for the iPhone?
You got 5 tries, then had to wait a minute for the 6th, five minutes for the 7th, 15 minutes for the 8th, 30 minutes for the 9th, and an hour for the final (10th) attempt. If that fails then you can either have the phone lock itself until connected to its home iTunes account OR the option to go full nuclear and wipe the device.
?
Re: (Score:2)
... or android.
Though typing out a proper password every time you want to unlock the phone gets annoying FAST.
Re: (Score:2)
Re: (Score:2)
What we need to guard against is having some ruggedized handheld handheld pig fob handed out to every meter maid and traffic cop. Imagine being stopped for a traffic violation and having the fucker ask for "license registration, and your phone please" and have him snoop/dump your device while he runs your plates.
Sounds like a job for the Fourth Amendment, which is already in place.
(Of course, the other half of the equation is to not be tricked by the cop into giving permission to search the device, of course, but that's a problem with physical searches now.)
Re: (Score:2)
Not sure which? Oh, there will be one, somewhere. Everyone is a potential criminal, it's just a matter of hunting hard enough. Ever dropped some litter and been caught on CCTV? How many times? I'm sure those fines all add up to a fair bit.
Re:Security 101 (Score:4, Informative)
The attack boots an alternative firmware onto the device. I doubt an unsuccessful attempt lock is much use...
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
Crack your iPhone? (Score:5, Funny)
Remember when they only cracked your skull?
Re:Crack your iPhone? (Score:5, Funny)
How many cops does it take to crack an iPhone?
One to get the coffee.
One to get the donuts.
One to find someone who knows how to operate an iPhone.
One to put in a requisition to the city council for Micro Systemations softwhore.
666 to increase traffic citations to pay for it...
Then 4 or 5 to install it.
and two, six months to figure out the software.
Re:Crack your iPhone? (Score:4)
How many cops does it take to crack an iPhone?
One to get the coffee.
One to get the donuts.
One to find someone who knows how to operate an iPhone.
One to put in a requisition to the city council for Micro Systemations softwhore.
666 to increase traffic citations to pay for it...
Then 4 or 5 to install it.
and two, six months to figure out the software.
Or ...
They hire a geek
Download a pirated version of the software
And crack the damn thing, in 2 minutes, flat
How Many Bavarian Illuminati Does it Take? (Score:3)
Three:
One to crack the iPod, and one to confuse the issue.
Re:Crack your iPhone? (Score:5, Informative)
Here is the video of how it works:
http://www.msab.com/xry/smartphones [msab.com]
Re:Crack your iPhone? (Score:4, Insightful)
Re:Crack your iPhone? (Score:4, Informative)
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
As does iOS if you enable it:
http://support.apple.com/kb/HT4175
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
Generally speaking though, only Blackberrys (and much of the related software (BES)) has received any kind of certification for security. Specifically FIPS 140-2 and EAL 4+:
http://us.blackberry.com/ataglance/security/certifications.jsp
It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.
I work someplace where we have a lot of personal health information, and the IT director (CISSP et al.) only allows Blackberrys for portable devices. He has an iPhone for his personal stuff, but carries a BB for work because iOS just isn't up to our needs yet when it comes to data security.
Re: (Score:3)
You might try actually reading your links. The iOS file system is always encrypted. All the links talk about is setting a pin to protect the encryption keys. There is no functional difference between BB and iOS encryption. You can easily force the use of pin codes as well.
Re:sounds great (Score:5, Informative)
Re: (Score:3)
You can also use a password (most secure), pattern unlock (not very secure, though new screens are less smudge prone), or face recognition (fun gimmick, not secure at all).
Though I cant imagine having to type hunter2 into my phone every time I unlock it.
Re:sounds great (Score:5, Informative)
There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.
No, there are 10,000 4-digit PINs, 1,000,000 6-digit PINs, 10,000,000 7-digit PINs and 100,000,000 8-digit PINs. Unlike with patterns (as implemented by Android, at least), you're not restricted from re-using digits.
There are 362,880 9-dot patterns (use the whole pattern)
Not quite that many. You're assuming you can pick the nine dots in any sequence, but some patterns are impossible (or at least very difficult) because you can't get from one dot to the next in the pattern without touching a dot in between. It would be tedious, but not difficult, to enumerate the feasible set of patterns, and the likely set is even smaller, since people tend to choose connected sequences.
I'd say a longish pattern (6+ dots) is roughly equivalent to a four-digit PIN, but even a maximal-length pattern barely reaches the strength of a five-digit PIN.
Re:sounds great (Score:5, Informative)
Android 4.x includes the option to encrypt the filesystem.
For obvious reasons, our goonware friends are a bit vague on how their mechanism works; but encryption only saves you if the attack is unable to get access to the phone as the user(since the filesystem has to be mounted and visible to you and your process as plaintext).
Encryption is excellent against the class of attacks where the attacker attempts to circumvent the OS's access control by obtaining direct access to the block device and using an OS they control to read it out. However, if the attack is directly against the OS's access control, it isn't nearly so useful, since things are usually set up to grant trivial plaintext access to the user.
Re:sounds great (Score:5, Informative)
Certainly. Even an iPhone allows you to set any password of any length that you like. The 4 digit passcode is the default but you don't have to use it. I always set at least an 8 character code.
From TFA:
In short, longer passwords tougher to crack by brute force and potentially not worth the time. Seriously this is a non-story other than the fact that there should be a warning on all mobile phones that a 4 digit pin is this decades WEP.
Re:sounds great (Score:5, Informative)
On a decent device, the PIN should be stored in specialized hardware. When you get it right, it releases the encryption keys to your data. If you guess wrong several times, the key (and therefore your data) should be destroyed. If the OS internally has easy-access to all the data without your PIN, we can expect data to be easily compromised using the vulnerability of the day. A secure design would use full-disk encryption to facilitate fast remote-wipe operations. But to protect the data when a wipe hasn't happened, the user data should be encrypted with the PIN as I described initially. The encryption key could be available to encrypt income mail and data while the handset is locked. Then, when unlocked, the phone can finish merging the new data into the email/whatever database. As soon as you lock your phone, it shouldn't be possible to brute force the PIN to access your mail due to the max number of guesses enforced by hardware.
But in addition to this, if the device doesn't require a PIN to unlock the full-disk encryption on boot, it's vulnerable to viruses being installed on the device. Then that could monitor the device and record any PIN entered by the user. I don't really know of any phones that actually implement a really good security scheme. Your best bet is to avoid having sensitive data on your phone. For example, you could use HTTPS to access gmail rather than adding the account to the phone itself. Of course, for most of us non-criminals, we don't really care. It's usually our employers who own the IP saved in our phone.
Re:sounds great (Score:4, Interesting)
What do you define as "specialized hardware," exactly? The iPhone doesn't exactly keep the PIN on a USB drive...by definition it is specialized hardware, in and of itself. And what you describe as what should happen if the PIN is incorrectly entered enough times is already a native iPhone feature.
And of course the OS has to have access to your data without the PIN; how is it going to tell you that you got a new text, email or phone call? How will it tell you the name of who is calling based on their phone number? How will it let you know that you have that meeting coming up in 15 minutes, like you want it to do? And most of all...how will it know that the PIN you gave it is the right one? There are ways to make devices more secure against side-channel attacks, but what you're describing is infeasible, impractical and pretty much impossible anyways.
It doesn't matter where you keep the PIN, hardware-wise, in this case since the problem is software related. And you don't encrypt anything with a PIN; a PIN that any human could ever remember has WAY too short a length and too little entropy to be useful. The PIN is nothing more than an authentication factor.
And if you don't know of any phones that implement a really good security scheme, it's either because you don't know what a Blackberry is, or because you don't know how to build security around a mobile device. I'm betting on the latter...
Re:sounds great (Score:5, Informative)
Re:sounds great (Score:5, Informative)
Wipes after sufficient failures should be an option that can be disabled, though. Anyone with kids who ever get their hands on their phone will likely prefer that. Hell, my son managed to dial emergency services once by mistake, WHILE MY PHONE WAS LOCKED, and I didn't know until they called me back, just by mashing buttons. (Apparently, holding down zero long enough would dial 911, even when locked. Not so cool when you manage to sit on the phone wrong, or the kid decides to hold your locked phone Just Right.)
Re:sounds great (Score:5, Informative)
I'm not certain about Android, but iPhone offers the option (Settings -> General -> Passcode Lock) to wipe your phone after 10 attempts. This is the same area where you can disable the 'simple' passcode 4 number pin. I'm assuming this method of hardware brute force cracking the phone allows them to bypass that of course. Sufficient for casual folks trying to hack into your phone at least. I assume Android has similar options.
Re:sounds great (Score:5, Interesting)
Anyone with kids who ever get their hands on their phone will likely prefer that.
After 3 failed attempts, the phone starts imposing a waiting period before you can attempt the passcode again.
By the time you get to 6 failed attempts, you have to wait ~1 hour before trying again.
Your kid could do 10 attempts to wipe your phone, but only if you are so careless to leave the phone with them for an extended period. Besides, your phone gets backed up every time you sync it.
Re: (Score:3)
Sorry, I meant most every smart phone currently on the shelves for purchase employs full-disk encryption. In most cases, manufactures implement it to allow corporate exchange email access. If the device supports exchange, it typically has full-disk encryption (early iphones were an ugly exception..). One of the exchange activesync requirements is that the device supports a secure remote-wipe. iphone 3GS and newer have full hardware encryption. Android 3.0+ devices use hardware encryption, and all WP7 device
Re:sounds great (Score:5, Informative)
Dickman also noted that long passwords were easier to crack if the phone belongs to a Slashdot user, because the password always turned out to be "Natal13 Pr0tman"
Re:Not much good if the passcode is easy to guess (Score:5, Interesting)
If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.
While if you have a 40 character passphrase you have enter everytime you want to unlock it, its not terribly useful as a mobile phone.
Not really sure what the solution is. Some sort of balanced approach... 4 digits to unlock the basic functionality... place and answer calls... use preselected apps...
full passphrase to get deeper in...
with some user options to control where exactly the boundary is...
but this is of course "complicated" which disqualifies it from being ideal too... so I'm not really sure what the solution is.
Re: (Score:3)
Re: (Score:3)
Biometric auth perhaps? .. Not perfect of course..
You can't do much except finger print realistically on a phone... nobody is going to tolerate a retinal scan to make or answer text messages and phone calls.
And it would need to work reliably (low false accept rate / accepting photos of the finger, fingerprints lifted with gummy bears off the phone itself, etc.. or its not secure...with a near zero false reject rate or it would be unacceptable to users...
And to top it off it has to work to those tolerances u
Re: (Score:3)
IIRC a long time ago (early 1980s?) an IBM Research Fellow published a paper about signature recognition (for the same essential purpose of authentication). He/she found that the actual strokes were not so important but the acceleration was. IOW, your actual signature varies quite a bit from one to another, but the series of accelerations are more similar.
So, I think this could be used. You could just 'sign' our phone. A reasonable 'signature' would have to my mind at least 50 data points of acceleratio
Re:Not much good if the passcode is easy to guess (Score:5, Insightful)
Re: (Score:3)
Re:Not much good if the passcode is easy to guess (Score:5, Interesting)
I would suggest having two methods: (1) Tap the power button 3 times or power off, to engage full lock manually. (2) an RFID or bluetooth "leash" concealed somewhere about your body; if the phone is within range and then suddenly taken more than a certain distance from your RFID transponder, the new distance will be calculated by the units, and when the threshold is exceeded, the "hard lock" engages automatically.
This way if you drop your phone, or someone steals it, the hard lock will engage.
The bluetooth leash could also have a remote lock button on it, and be designed to automatically signal a lock if the leash is removed from your body, or if a sufficient "sudden jolt motion" or downward motion is detected by an accelerometer on the leash (indicating that someone grabbed it real fast), or you were forced to drop it.