Slashdot Mirror


Cops Can Crack an iPhone In Under Two Minutes

Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."

375 comments

  1. sounds great by Anonymous Coward · · Score: 0

    Any "smart" phones actually secure? Openmoko

    1. Re:sounds great by rhook · · Score: 5, Informative

      Android 4.x includes the option to encrypt the filesystem.

    2. Re:sounds great by DJRumpy · · Score: 5, Informative

      Certainly. Even an iPhone allows you to set any password of any length that you like. The 4 digit passcode is the default but you don't have to use it. I always set at least an 8 character code.

      From TFA:

      Dickinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”

      In short, longer passwords are tougher to crack by brute force and potentially not worth the time. Seriously this is a non-story other than the fact that there should be a warning on all mobile phones that a 4 digit pin is this decade's WEP.

    3. Re:sounds great by Mia'cova · · Score: 4, Informative

      On a decent device, the PIN should be stored in specialized hardware. When you get it right, it releases the encryption keys to your data. If you guess wrong several times, the key (and therefore your data) should be destroyed. If the OS internally has easy-access to all the data without your PIN, we can expect data to be easily compromised using the vulnerability of the day. A secure design would use full-disk encryption to facilitate fast remote-wipe operations. But to protect the data when a wipe hasn't happened, the user data should be encrypted with the PIN as I described initially. The encryption key could be available to encrypt incoming mail and data while the handset is locked. Then, when unlocked, the phone can finish merging the new data into the email/whatever database. As soon as you lock your phone, it shouldn't be possible to brute force the PIN to access your mail due to the max number of guesses enforced by hardware.

      But in addition to this, if the device doesn't require a PIN to unlock the full-disk encryption on boot, it's vulnerable to viruses being installed on the device. Then that could monitor the device and record any PIN entered by the user. I don't really know of any phones that actually implement a really good security scheme. Your best bet is to avoid having sensitive data on your phone. For example, you could use HTTPS to access gmail rather than adding the account to the phone itself. Of course, for most of us non-criminals, we don't really care. It's usually our employers who own the IP saved in our phone.

    4. Re:sounds great by Shoten · · Score: 3, Interesting

      What do you define as "specialized hardware," exactly? The iPhone doesn't exactly keep the PIN on a USB drive...by definition it is specialized hardware, in and of itself. And what you describe as what should happen if the PIN is incorrectly entered enough times is already a native iPhone feature.

      And of course the OS has to have access to your data without the PIN; how is it going to tell you that you got a new text, email or phone call? How will it tell you the name of who is calling based on their phone number? How will it let you know that you have that meeting coming up in 15 minutes, like you want it to do? And most of all...how will it know that the PIN you gave it is the right one? There are ways to make devices more secure against side-channel attacks, but what you're describing is infeasible, impractical and pretty much impossible anyways.

      It doesn't matter where you keep the PIN, hardware-wise, in this case since the problem is software related. And you don't encrypt anything with a PIN; a PIN that any human could ever remember has WAY too short a length and too little entropy to be useful. The PIN is nothing more than an authentication factor.

      And if you don't know of any phones that implement a really good security scheme, it's either because you don't know what a Blackberry is, or because you don't know how to build security around a mobile device. I'm betting on the latter...

      --

      For your security, this post has been encrypted with ROT-13, twice.
    5. Re:sounds great by gknoy · · Score: 4, Informative

      Wipes after sufficient failures should be an option that can be disabled, though. Anyone with kids who ever get their hands on their phone will likely prefer that. Hell, my son managed to dial emergency services once by mistake, WHILE MY PHONE WAS LOCKED, and I didn't know until they called me back, just by mashing buttons. (Apparently, holding down zero long enough would dial 911, even when locked. Not so cool when you manage to sit on the phone wrong, or the kid decides to hold your locked phone Just Right.)

    6. Re:sounds great by TheRaven64 · · Score: 5, Informative

      When this sort of thing is actually designed for security, there is a dedicated crypto coprocessor with some memory that is write-only from the perspective of the rest of the system. You write the key to it once, and then it will encrypt or decrypt data that you pass to it. The decoder chip can be locked and you must supply the correct passcode to enable its access to the stored key. If you provide the wrong key a preset number of times, it deletes the internal copy of the key and the only way you can get at the data is by restoring the key from another device (typically a backup stored in a safe). Even if the entire OS is compromised, it can't get at the key unless it provides the correct passcode to the decryption chip (actually, it can't get at the key then either, but it can instruct the crypto chip to do it). Some ARM SoCs incorporate this functionality.

      --
      I am TheRaven on Soylent News
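The gated key store described in the comment above, modelled in software as an added example (not code from the thread or from any vendor). The class and function names are hypothetical, PBKDF2 stands in for the chip's passcode check, and an HMAC-SHA256 keystream stands in for its cipher.

```python
import hashlib
import hmac
import os


class KeyWipedError(Exception):
    """Raised once the failure limit was reached and the key was destroyed."""


class GatedKeyStore:
    """Toy model of a passcode-gated crypto coprocessor (hypothetical API).

    The data key is generated inside the object and no method returns it.
    Callers can only ask for data to be encrypted or decrypted while unlocked.
    """

    def __init__(self, passcode: str, max_failures: int = 10):
        self._salt = os.urandom(16)
        self._verifier = self._stretch(passcode)
        self._key = os.urandom(32)          # written once, never handed back out
        self._max_failures = max_failures
        self._failures = 0
        self._unlocked = False

    def _stretch(self, passcode: str) -> bytes:
        # Deliberately slow check so every guess costs time inside the store.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    @property
    def wiped(self) -> bool:
        return self._key is None

    def unlock(self, passcode: str) -> bool:
        if self.wiped:
            raise KeyWipedError("key destroyed; restore it from a backup")
        if hmac.compare_digest(self._stretch(passcode), self._verifier):
            self._failures = 0
            self._unlocked = True
            return True
        self._unlocked = False
        self._failures += 1                 # counter lives inside the store,
        if self._failures >= self._max_failures:
            self._key = None                # so the host OS cannot reset it
        return False

    def lock(self) -> None:
        self._unlocked = False

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        if self.wiped:
            raise KeyWipedError("key destroyed; restore it from a backup")
        if not self._unlocked:
            raise PermissionError("store is locked")
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)              # fresh nonce per message
        stream = self._keystream(nonce, len(plaintext))
        return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body = blob[:16], blob[16:]
        stream = self._keystream(nonce, len(body))
        return bytes(c ^ s for c, s in zip(body, stream))


def sequential_guessing(store: GatedKeyStore, digits: int = 4) -> dict:
    """Model a fully compromised host submitting every PIN in order."""
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        if store.unlock(f"{n:0{digits}d}"):
            return {"unlocked": True, "attempts": attempts, "wiped": False}
        if store.wiped:
            return {"unlocked": False, "attempts": attempts, "wiped": True}
    return {"unlocked": False, "attempts": attempts, "wiped": store.wiped}


if __name__ == "__main__":
    store = GatedKeyStore("7391")           # constructed sample passcode
    store.unlock("7391")
    blob = store.encrypt(b"mail database")
    store.lock()
    print(sequential_guessing(store))       # key is gone after ten failures
    print(sequential_guessing(GatedKeyStore("0005")))  # low PIN falls in budget
```

The limit only bounds the number of guesses: a passcode that falls inside the first ten tries is still found, and the model says nothing about an attack that bypasses the counter.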
    7. Re:sounds great by Anonymous Coward · · Score: 5, Informative

      Android 4.x includes the option to encrypt the filesystem.

      As does iOS if you enable it:

      http://support.apple.com/kb/HT4175
      http://images.apple.com/iphone/business/docs/iOS_Security.pdf

      Generally speaking though, only Blackberrys (and much of the related software (BES)) has received any kind of certification for security. Specifically FIPS 140-2 and EAL 4+:

      http://us.blackberry.com/ataglance/security/certifications.jsp

      It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.

      I work someplace where we have a lot of personal health information, and the IT director (CISSP et al.) only allows Blackberrys for portable devices. He has an iPhone for his personal stuff, but carries a BB for work because iOS just isn't up to our needs yet when it comes to data security.

    8. Re:sounds great by DJRumpy · · Score: 4, Informative

      I'm not certain about Android, but iPhone offers the option (Settings -> General -> Passcode Lock) to wipe your phone after 10 attempts. This is the same area where you can disable the 'simple' passcode 4 number pin. I'm assuming this method of hardware brute force cracking the phone allows them to bypass that of course. Sufficient for casual folks trying to hack into your phone at least. I assume Android has similar options.

    9. Re:sounds great by Anonymous Coward · · Score: 0

      I was under the impression that Good Practice was to make the decryption algorithm as long, timewise, as possible without compromising user friendliness. If you can sneak in a 1-2 second delay every time your user enters their pin (I wouldn't notice on my phone tbh) then it renders a fast cracker pointless. In an ideal world, the encrypted system should control the latency. That way you always have a statistical estimate of how breakable your device is - i.e. with 4 digits and 2 second latency, 20,000 seconds. Sure that's 6 hours - very doable - but it's much better than two minutes. Once you get to 6 digits, you're up to 280 hours.

      One way to get round this would be to simply take a bit-for-bit copy of the device flash and then attack it in parallel. 10^n copies decreases your effective digit count by n, and 100 or even 1000+ simultaneous copies should be doable on today's hardware with no trouble.

      And of course any properly encrypted device should have destructive failure after so many guesses. It's reasonably rare that encrypted data isn't backed up somewhere or isn't reproducible. If the data is stolen from a secure location then you have bigger fish to fry than the loss of some company figures.

    10. Re:sounds great by theshowmecanuck · · Score: 0

      It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.

      Unless of course it's the Blackberry Obama uses, which has been upgraded with NSA add-ons.

      --
      -- I ignore anonymous replies to my comments and postings.
    11. Re:sounds great by The+Mighty+Buzzard · · Score: 4, Informative

      Which does pretty much nothing once they're running under your credentials after having brute forced your passcode.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    12. Re:sounds great by mysidia · · Score: 4, Interesting

      Anyone with kids who ever get their hands on their phone will likely prefer that.

      After 3 failed attempts, the phone starts imposing a waiting period before you can attempt the passcode again.

      By the time you get to 6 failed attempts, you have to wait ~1 hour before trying again.

      Your kid could do 10 attempts to wipe your phone, but only if you are so careless to leave the phone with them for an extended period. Besides, your phone gets backed up every time you sync it.

    13. Re:sounds great by ceoyoyo · · Score: 1

      That's not much use if they brute force the password.

    14. Re:sounds great by ceoyoyo · · Score: 1

      And all that would slow the phone down, make it run hot and kill the battery life. The vast majority of people don't care. If you're really carrying around secret stuff on your phone then you should have one that has better security.

    15. Re:sounds great by Mia'cova · · Score: 1

      WinMo 6.5 (and possibly earlier as well) had a nice option. After the limit - 1 attempts, you had to correctly answer a basic (for an adult) math question correctly to try again. There was also a warning about this being a final attempt and any more bad guesses would delete all the data. That took care of young kids and friends who don't realize that failed attempts wipe the device. I've had my ipad wiped a number of times at parties and such when someone picks it up and enters a few pins out of boredom.

      I never owned one of those older windows mobile phones.. but I hear people (ahem, parents) who've upgraded complain about that on occasion.

    16. Re:sounds great by Zordak · · Score: 4, Informative
      From the article:

      Dickman also noted that long passwords were easier to crack if the phone belongs to a Slashdot user, because the password always turned out to be "Natal13 Pr0tman"

      --

      Today's Sesame Street was brought to you by the number e.
    17. Re:sounds great by Mia'cova · · Score: 1

      You may have missed the point that all data on most phones is already fully encrypted. Hardware encryption/decryption doesn't use that much power. It's also not slow. Another example: intel's 320 line of SSDs. They're still the very low 0.1-0.2 watt SSDs (compared to around 1-2 watt for a standard laptop hard disk) with awesome SSD perf.. they have full-disk hardware encryption built in as well. Basic encryption is only expensive when done in software.

    18. Re:sounds great by alostpacket · · Score: 2

      You can also use a password (most secure), pattern unlock (not very secure, though new screens are less smudge prone), or face recognition (fun gimmick, not secure at all).

      Though I can't imagine having to type hunter2 into my phone every time I unlock it.

      --
      PocketPermissions Android Permission Guide
    19. Re:sounds great by Mia'cova · · Score: 1

      Yup, that's what I meant.

      To elaborate, on the PC side, that 'dedicated hardware' would be a TPM chip. You find those in most business-class notebooks now. If you have one, you can use bitlocker with just a numerical pin. The TPM chip will hold the full encryption key and only provide it to the OS when the correct key is provided. Too many failed attempts would wipe the key. And, as you suggest, you can have the full key saved securely somewhere else as a backup. You might need it if you forget your key, enter it in a bunch of times, or need to recover the data from the disk using a different machine.

    20. Re:sounds great by ceoyoyo · · Score: 1

      "You may have missed the point that all data on most phones is already fully encrypted."

      I didn't miss it because you made it up. Data on most phones is not encrypted. The data on some smartphones (iOS 4 and higher and Android 4 and higher, apparently, plus probably all Blackberries) may be encrypted. Even then, it looks like they don't encrypt everything anyway.

      Regardless, if you have special hardware that manages encryption it's going to take up extra space, power, time and manufacturing cost. For something that the vast majority of these company's customers couldn't care less about. And no, your example of a desktop SSD isn't really relevant.

    21. Re:sounds great by Anonymous Coward · · Score: 1

      Which does pretty much nothing once they're running under your credentials after having brute forced your passcode.

      if they can brute force your passcode, use something more than a 4-character numeric passcode and it isn't exactly trivial.

    22. Re:sounds great by gelfling · · Score: 1

      TFA notes an undivulged vulnerability. That would indicate something which does not rely on a password of any length be it 4 or 400 characters.

    23. Re:sounds great by Anonymous Coward · · Score: 1

      The article also notes that it uses a brute force attack to crack the four pin code. It also states as has been pointed out that increasing the number of characters in the password makes the brute attack take much longer or nearly impossible given a complex enough password.

    24. Re:sounds great by Mia'cova · · Score: 2

      Sorry, I meant most every smart phone currently on the shelves for purchase employs full-disk encryption. In most cases, manufacturers implement it to allow corporate exchange email access. If the device supports exchange, it typically has full-disk encryption (early iphones were an ugly exception..). One of the exchange activesync requirements is that the device supports a secure remote-wipe. iphone 3GS and newer have full hardware encryption. Android 3.0+ devices use hardware encryption, and all WP7 devices use it. I'm sure blackberry does as well but I don't know their history very well. So the result is that these devices all support the remote wipe feature. That means if you enter the pin wrong a number of times or remotely trigger the wipe, the encryption key is deleted. That way, it doesn't take hours to securely delete all the data from the disk. The only thing that needs to be deleted is the encryption key. The flash always has some encryption key set. That's why setting up the remote-wipe or PIN-based wipe doesn't require you to spend an hour reformatting and encrypting your entire flash storage.

    25. Re:sounds great by DMUTPeregrine · · Score: 1, Informative

      PINs are less secure than patterns.
      Both are vulnerable to smudging, though patterns that don't cross themselves are slightly more vulnerable.
      There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.
      There are 362880 9-dot patterns (use the whole pattern). There are 986400 total possible patterns.

      IF patterns are easier to memorize for you, then choosing an 8 or 9-spot pattern will provide better security than a 6-digit PIN.
      It's also harder to have a pattern of your birthday than it is to have a PIN of the same.

      --
      Not a sentence!
    26. Re:sounds great by fuzzyfuzzyfungus · · Score: 4, Informative

      Android 4.x includes the option to encrypt the filesystem.

      For obvious reasons, our goonware friends are a bit vague on how their mechanism works; but encryption only saves you if the attack is unable to get access to the phone as the user (since the filesystem has to be mounted and visible to you and your process as plaintext).

      Encryption is excellent against the class of attacks where the attacker attempts to circumvent the OS's access control by obtaining direct access to the block device and using an OS they control to read it out. However, if the attack is directly against the OS's access control, it isn't nearly so useful, since things are usually set up to grant trivial plaintext access to the user.

    27. Re:sounds great by Anonymous Coward · · Score: 1

      If you guess wrong several times, the key (and therefore your data) should be destroyed

      Three guesses what I'm going to do with your phone the instant you set it down.

      On second thought, no, you don't get three guesses.

    28. Re:sounds great by Anonymous Coward · · Score: 0

      911 got you just by mashing buttons? Huh. You'd think they have caller id.

      Unless of course, your phone number really is 65498438544533451334535.

    29. Re:sounds great by dreamchaser · · Score: 1

      A four digit pin only has 10,000 possible combinations. If one can get access via software that is trivial to brute force.

    30. Re:sounds great by Anonymous Coward · · Score: 0

      There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.

      Unless there are numbers you can't use, how are there not 10,000 4 digits PINs, etc?

    31. Re:sounds great by NatasRevol · · Score: 1

      Why do you always assume base 10?!?!

      --
      There are two types of people in the world: Those who crave closure
    32. Re:sounds great by swillden · · Score: 4, Informative

      There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.

      No, there are 10,000 4-digit PINs, 1,000,000 6-digit PINs, 10,000,000 7-digit PINs and 100,000,000 8-digit PINs. Unlike with patterns (as implemented by Android, at least), you're not restricted from re-using digits.

      There are 362,880 9-dot patterns (use the whole pattern)

      Not quite that many. You're assuming you can pick the nine dots in any sequence, but some patterns are impossible (or at least very difficult) because you can't get from one dot to the next in the pattern without touching a dot in between. It would be tedious, but not difficult, to enumerate the feasible set of patterns, and the likely set is even smaller, since people tend to choose connected sequences.

      I'd say a longish pattern (6+ dots) is roughly equivalent to a four-digit PIN, but even a maximal-length pattern barely reaches the strength of a five-digit PIN.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    33. Re:sounds great by Ihmhi · · Score: 1

      Isn't one of the nice things about Android all about how you can muck around it?

      Why not make a secure version of Android like SE Linux?

    34. Re:sounds great by swillden · · Score: 1

      On phones the dedicated hardware would be a "Secure Element", an embedded smart card chip of the sort used to secure NFC transactions (e.g. Google Wallet). They're actually more secure than typical TPMs, and more secure than the ARM SoC "TrustZone". There are a small number of Android phone models that have SEs now, and more coming. Rumor has it that the iPhone5 will have NFC, which very likely means it will have an SE also.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    35. Re:sounds great by filthpickle · · Score: 1

      This is complete nonsense.

    36. Re:sounds great by NemoinSpace · · Score: 1

      If you guess wrong several times, the key (and therefore your data) should be destroyed

      How many companies have you been fired from for implementing this?

    37. Re:sounds great by gl4ss · · Score: 1

      the story is an undisclosed vulnerability that lets them try unlimited amount of brute forcing with just sw

      --
      world was created 5 seconds before this post as it is.
    38. Re:sounds great by gl4ss · · Score: 1

      being able to dial emergency services without sim, with locked phone, used to be a required feature of _phones_.. I suppose it still is. it might save your life if your kid doesn't have his own phone when you're getting a stroke.

      but the failed attempts... well, the iphone has a bug for that. they're exploiting it with their sw.

      --
      world was created 5 seconds before this post as it is.
    39. Re:sounds great by kensan · · Score: 1
      The Guardian Project is an effort to increase the security of Android. A quote from the website:

      The Guardian Project aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications and personal data from unjust intrusion and monitoring.

      https://guardianproject.info/

      Here is a link to their February project update to give you an idea what they are working on: https://guardianproject.info/2012/02/09/february-2012-project-update/

    40. Re:sounds great by rvw · · Score: 1

      This is complete nonsense.

      So what you say is complete nonsense? Strange that it hasn't been modded insightful yet!

    41. Re:sounds great by LDAPMAN · · Score: 2

      You might try actually reading your links. The iOS file system is always encrypted. All the links talk about is setting a pin to protect the encryption keys. There is no functional difference between BB and iOS encryption. You can easily force the use of pin codes as well.

    42. Re:sounds great by Anonymous Coward · · Score: 0

      When you get it right, it releases the encryption keys to your data. If you guess wrong several times, the key (and therefore your data) should be destroyed

      Stopped reading there. You want to make it easy for anybody to destroy the data on a locked phone? Are you out of your mind?

      Luckily enough they don't let stupid fucks like you anywhere near the place where security algorithms are designed.

    43. Re:sounds great by heson · · Score: 1

      That specialized hardware already exists in every phone, it's called a SIM card.

    44. Re:sounds great by Anonymous Coward · · Score: 0

      ... with a key encrypted with what? the passcode.

    45. Re:sounds great by Anonymous Coward · · Score: 0

      There are 5040 4-digit pins, 151200 6-digit pins, 604800 7-digit pins, and 1814400 8-digit pins.

      No, there are 10,000 4-digit PINs, 1,000,000 6-digit PINs, 10,000,000 7-digit PINs and 100,000,000 8-digit PINs. Unlike with patterns (as implemented by Android, at least), you're not restricted from re-using digits.

      Let's not forget that on an iPhone, if you choose to use something more complicated than a 4-digit PIN, your login screen changes from a numbered keypad to a full keyboard with numbers, letters, special characters and foreign languages as well. I'll let you do the math, but I'm guessing your numbers are too low.

    46. Re:sounds great by BigOTilda · · Score: 1

      I actually wrote a program to enumerate all the possibilities during a slow work day. The tricky part is that you can conditionally connect to a non-adjacent dot, but only if the intervening dot has already been used in an earlier part of the pattern (otherwise that intervening dot will be chosen as the next dot in the pattern). Assuming I understand all the requirements of the patterns correctly, here are the results:

      4 dots: 1624
      5 dots: 7152
      6 dots: 26016
      7 dots: 72912
      8 dots: 140704
      9 dots: 140704

      For a total of 389112 possible combinations, assuming any possible 4-dot to 9-dot pattern. A 5-6 dot pattern is about equivalent to a 4-digit pin as far as the number of possibilities. Note that the 8 and 9 dot patterns have the same number because they are the same patterns, just picking the last remaining dot or not.
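An independent recount of these figures, as an added example that is not BigOTilda's program. It assumes dots numbered 1-9 left to right, top to bottom, and the rule stated in the comment above (a stroke may jump over a dot only if that dot is already part of the pattern); the function names are hypothetical.

```python
import math


def midpoint(a: int, b: int):
    """Return the dot lying exactly halfway between dots a and b, or None."""
    row_a, col_a = divmod(a - 1, 3)
    row_b, col_b = divmod(b - 1, 3)
    if a != b and (row_a + row_b) % 2 == 0 and (col_a + col_b) % 2 == 0:
        return ((row_a + row_b) // 2) * 3 + (col_a + col_b) // 2 + 1
    return None


def count_patterns(length: int) -> int:
    """Count feasible unlock patterns that use exactly `length` dots."""

    def extend(current: int, visited: frozenset, remaining: int) -> int:
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(1, 10):
            if nxt in visited:
                continue                    # each dot can be used only once
            mid = midpoint(current, nxt)
            if mid is not None and mid not in visited:
                continue                    # stroke would hit the unused dot first
            total += extend(nxt, visited | {nxt}, remaining - 1)
        return total

    return sum(extend(start, frozenset({start}), length - 1)
               for start in range(1, 10))


def pattern_keyspace(min_len: int = 4, max_len: int = 9) -> dict:
    """Per-length counts of feasible patterns for the allowed lengths."""
    return {n: count_patterns(n) for n in range(min_len, max_len + 1)}


def unconstrained_orderings(min_len: int = 4, max_len: int = 9) -> int:
    """Orderings of distinct dots if the jump rule is ignored (upper bound)."""
    return sum(math.perm(9, n) for n in range(min_len, max_len + 1))


def equivalent_pin_digits(keyspace: int) -> float:
    """Length of a decimal PIN that has the same number of possibilities."""
    return math.log10(keyspace)


if __name__ == "__main__":
    counts = pattern_keyspace()
    total = sum(counts.values())
    for n, c in counts.items():
        print(f"{n} dots: {c}")
    print("total feasible patterns:", total)
    print("orderings without the jump rule:", unconstrained_orderings())
    print(f"equivalent PIN length: {equivalent_pin_digits(total):.2f} digits")
```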

    47. Re:sounds great by swillden · · Score: 1

      Cool! Very interesting. Care to share your code?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    48. Re:sounds great by rhook · · Score: 1

      The attack involves rooting the phone and flashing custom firmware onto it in order to bypass the passcode. Encryption defeats this attack since they will only see encrypted data.

    49. Re:sounds great by BigOTilda · · Score: 1

      I make no claims to the awesomeness or non-awesomeness of this. As I said I threw it together pretty quickly. PHP is the major language at my work so that's what I used.

      Essentially I made a class to represent a node that represents a dot of the pattern. That node can have direct edges to other nodes. Additionally it can have a set of conditional edges, which are the edges that can only be traversed if "intervening" nodes have already been used (visited) earlier on any given path (walk). The walk() method basically traverses all edges and any available conditional edges of the current node, then continues the walk recursively for each node being visited. The whole time a global counter gets updated, counting the total paths.

      class Node{
          private $visited = false;
          private $name;
          private $edges = array();
          private $condEdges = array();

          public function __construct($name){
              $this->name = $name;
          }

          public function addEdge($node){
              $this->edges[] = $node;
          }

          public function addCondEdge($targetNode,$skipNode){
              $this->condEdges[] = array('target'=>$targetNode, 'skip'=>$skipNode);
          }

          public function visit(){
              $this->visited = true;
          }

          public function isVisited(){
              return $this->visited;
          }

          public function unVisit(){
              $this->visited = false;
          }

          public function walk($steps,$path=''){
              $this->visit();
              $path .= $this->name;
              // still walking
              if ($steps > 0){
                  // first check conditional edges
                  foreach ($this->condEdges as $condEdge){
                      if ($condEdge['skip']->isVisited() and (!$condEdge['target']->isVisited()))
                          $condEdge['target']->walk($steps-1,$path);
                  }
                  // now check normal edges
                  foreach ($this->edges as $edgeNode){
                      if (!$edgeNode->isVisited())
                          $edgeNode->walk($steps-1,$path);
                  }
              }
              // end of a path
              else{
                  $GLOBALS['count']++;
                  echo "#{$GLOBALS['count']}: path: $path\n";
              }
              // when done with the walk, clear visited
              $this->unVisit();
          }
      }

      Then I build the actual set of nodes making up the Android dots, e.g. (if numbering the dots left to right, top to bottom 1-9):
      $node1 = new Node('1');
      $node2 = new Node('2');
      $node3 = new Node('

  2. okay by Anonymous Coward · · Score: 0

    Make an app that will encrypt all your information, SSH all your stuff to dropbox then brick the phone. Cops can't do jack.

  3. Existing tech already in use in USA by Anonymous Coward · · Score: 0

    http://en.wikipedia.org/wiki/Cellebrite

  4. Maybe the delay is in the UI by Anonymous Coward · · Score: 5, Interesting

    undisclosed vulnerability

    Maybe the delay between login attempts is only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?

    1. Re:Maybe the delay is in the UI by Solandri · · Score: 0

      Immaterial. If the summary is right and the passcode is limited to 4 digits (I don't own an iPhone), then any practical delay is useless. If you add a 1 minute delay between attempts (which is long enough to make any Apple user scream obscenities about user unfriendliness), you can try all 9999 possible combinations in 6.9 days. That's a trivial delay for law enforcement.

      The real problem is that 4 digits is just too short for a device which grants access to so much private data. Heck, even Android's pattern code (9 dots, 4-9 dots used, each dot can be used only once) has only 409,104 possible combinations (9! + 8! + 7! + 6! + 5! + 4!). With a 5 second delay between failed attempts, it'll take just 24 days to try all possible combinations.

      To be of real security value, brute-forcing the code has to take on the order of centuries. The current passcodes and patterns are just to keep the device safe from prying eyes. Not to keep it safe from identity thieves and law enforcement.

    2. Re:Maybe the delay is in the UI by Anonymous Coward · · Score: 0

      If they can get access to the memory they can just brute-force the hash.

    3. Re:Maybe the delay is in the UI by fuzzyfuzzyfungus · · Score: 1

      It also really doesn't help that some substantial percentage of smartphones are, by design, chatting with the mothership...

      The more egregious ones (Carrier IQ and friends) are basically rootkits right out of the box, and any unattended auto-update mechanism could, with the vendor's cooperation, replace some security-critical binary with a bugged one.

      A much higher bar than the 'just plug it in to the magic box', which likely places it out of the practical reach of customs agents on fishing expeditions, cops who can't get a warrant but can take your phone, but it would be a problem over the longer term.

    4. Re:Maybe the delay is in the UI by Anonymous Coward · · Score: 0

      AFAIK some phones have an exponential delay

    5. Re:Maybe the delay is in the UI by rtb61 · · Score: 1

      Smart phone pass codes are easy to crack for a reason, whiny users who forget their pass code. So it's all pretty much like having a lock on your front door with a window right next to it.

      To tighten up security, the phone should simply log access attempts with an optional setting to inform the telco of a hack attempt (too many unsuccessful pass code attempts) and the telco to then inform the user.

      Now the real question here is will the US launch an extradition attempt for software blatantly designed to do two criminal things DMCA break a method of protection and break a computer network security device. Not to forget pursuing all those who bought the software, accessories after the fact.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:Maybe the delay is in the UI by tlhIngan · · Score: 2

      Immaterial. If the summary is right and the passcode is limited to 4 digits (I don't own an iPhone), then any practical delay is useless. If you add a 1 minute delay between attempts (which is long enough to make any Apple user scream obscenities about user unfriendliness), you can try all 9999 possible combinations in 6.9 days. That's a trivial delay for law enforcement.

      Actually, the iPhone does do delays.

      I believe it lets you have 3 tries at full speed. Then it delays 1 minute between the 3rd and 4th try, 2 minutes between the 4th and 5th try, 5 and so on until it reaches an hour or so. After 10 attempts, if configured, it can wipe itself. So you can't try it in a practical amount of time (I believe the time just stays at an hour between attempts or so).

      The real problem is that 4 digits is just too short for a device which grants access to so much private data. Heck, even Android's pattern code (9 dots, 4-9 dots used, each dot can be used only once) has only 409,104 possible combinations (9! + 8! + 7! + 6! + 5! + 4!). With a 5 second delay between failed attempts, it'll take just 24 days to try all possible combinations.

      It's less. Because if you're at the edge dot, going down means you pass through the center, so that reduces the combinations. If you're at a corner dot, again, you must pass through the center to reach the directly opposite dot. Not sure if you can criss-cross through the center.
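
Added example (not part of any comment above, and not Android's own code): the thread asks how much the pass-through rule shrinks the 3x3 pattern space. This Python sketch enumerates it, assuming the commonly described rules: each dot used once, 4 to 9 dots, and a stroke may cross an intermediate dot only if that dot is already part of the pattern.

```python
# Dots are numbered 0..8 in row-major order:
#   0 1 2
#   3 4 5
#   6 7 8
# Rules assumed here (not taken from Android source code):
#   - a dot can be used at most once
#   - a straight stroke from a to b that passes exactly over dot m is
#     only allowed when m has already been used
#   - a pattern has between 4 and 9 dots


def midpoint(a, b):
    """Return the dot lying exactly halfway between a and b, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(length, enforce_pass_through=True):
    """Count patterns of exactly `length` dots by depth-first enumeration."""

    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # dot already used
            if enforce_pass_through:
                mid = midpoint(last, nxt)
                if mid is not None and not visited & (1 << mid):
                    continue  # stroke would cross an unused dot
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total

    return sum(extend(start, 1 << start, length - 1) for start in range(9))


def keyspace(min_len=4, max_len=9, enforce_pass_through=True):
    """Total number of patterns across all permitted lengths."""
    return sum(
        count_patterns(n, enforce_pass_through)
        for n in range(min_len, max_len + 1)
    )


def worst_case_days(candidates, delay_seconds):
    """Days needed to try every candidate with a fixed delay per attempt."""
    return candidates * delay_seconds / 86400


if __name__ == "__main__":
    for n in range(4, 10):
        print(n, count_patterns(n, False), count_patterns(n, True))
    valid = keyspace()
    print("without rule:", keyspace(enforce_pass_through=False))
    print("with rule:   ", valid)
    print("days at 5 s per attempt:", round(worst_case_days(valid, 5), 1))
```

Under these assumptions the rule leaves 389,112 patterns out of 985,824 ordered selections of 4 to 9 distinct dots.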

    7. Re:Maybe the delay is in the UI by AmiMoJo · · Score: 1

      If the phone is locked how do they get the app on there to access the API in the first place? There must be some kind of USB based vulnerability that allows them to either unlock or execute some code. It's probably some kind of undocumented update or sync mechanism used by iTunes.

      I imagine a lot of phones with sync software are vulnerable to that kind of attack. Anyone can use the same APIs as the sync software and what are the chances that there is any security at all built into them? That is why I prefer phones that don't need sync software at all - my Galaxy S is set to attach as a USB storage device and can't be set to sync mode without being unlocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Maybe the delay is in the UI by LittleImp · · Score: 1

      They have physical access to the phone... They can just dump the harddisk.

    9. Re:Maybe the delay is in the UI by Anonymous Coward · · Score: 0

      You don't have to go through the middle. You can skip around creatively if you have a dot used already.

    10. Re:Maybe the delay is in the UI by Anonymous Coward · · Score: 0

      Mine is set to charge only. Unless unlocked it thinks the computer is a power source. Don't know if that changes things, I don't auto sync stuff. Auto is evil.

      I also leave bluetooth, gps, wireless off unless actively using. Find I get a little more battery life; whether it helps security or not.

    11. Re:Maybe the delay is in the UI by Anonymous Coward · · Score: 0

      They have physical access to the phone... They can just dump the harddisk.

      Ha! Hard disk. Ha!

    12. Re:Maybe the delay is in the UI by Rich0 · · Score: 1

      The purpose of the passcode is to restrict casual access, not a determined attacker who has physical access. I don't want to have to unlock my car while driving with a 47 character alphanumeric password.

      A simple solution to problems like this is to:
      1. Use full-disk encryption and TPM so that any access attempt has to go through the OS.
      2. Have the device go into some level of semi-to-full permanent locking when there are more than n failed unlock attempts.
      3. Ensure the OS does not provide backdoors to access when the device is locked.

      #1 is easily done - sure it takes work but it is a completely solved problem. The level of security in the TPM varies, but assuming the vendor doesn't backdoor a TPM can be VERY secure. A complex boot decryption password with lots of rounds is another option which can't be backdoored short of a hardware keylogger.

      #2 is easy to implement on the lock side. It could just be an instruction to the TPM to forget the key followed by a flash wipe. If you want the ability to restore access then you might need to have a backup hard-to-guess password or something that re-unlocks the TPM, or some other mechanism that relies on plugging in a computer and re-authenticating with some kind of pre-generated secret.

      #3 is the big issue. #2 only provides security if it gets triggered. Solutions here are to audit your USB and other interface code, and ensure that stuff isn't listening for new connections/etc if the screen is locked. You might also need hardware tamper switches to detect attempts to open the case while powered on and clear the RAM and re-lock the TPM if that happens.

      There are known principles for defeating attacks when the attacker has physical possession of the device, but they do require hardware-level support.

    13. Re:Maybe the delay is in the UI by hawk · · Score: 1

      Does this get around the "wipe device after 10 failed attempts" option?

      hawk

  5. Pshaw by TechHawk · · Score: 5, Funny

    I can crack any smart phone in under 15 seconds.

    With a sledgehammer...

    --
    "My brand of comfort isn't so much 'There-there' as it is 'There's a boot, pardon me while I connect it with your ass!'"
    1. Re:Pshaw by someone1234 · · Score: 2

      Either that, or the owner's fingers.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:Pshaw by Anonymous Coward · · Score: 0

      It's called Gravity.

    3. Re:Pshaw by agm · · Score: 1

      My son cracked his iPod touch by leaving it in his pockets which ended up in the washing machine. Ouch. Not a happy chappy.

    4. Re:Pshaw by war4peace · · Score: 1

      That would teach him to check his own pockets more often, not just daddy's :)

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    5. Re:Pshaw by steelfood · · Score: 1

      You have some mighty feeble arms if you need a sledgehammer.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    6. Re:Pshaw by Anonymous Coward · · Score: 0

      Crushing a phone using someone else's fingers sounds cumbersome.

  6. Wasted taxpayer money by deathtopaulw · · Score: 5, Insightful

    What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

    1. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      Right? I highly doubt it's a REAL vulnerability though. I would picture it more akin to mounting the device as a secondary drive, and reading it like we do live disks. I'll bet the vulnerability term was used as a flashy 'hey look, spooky!' for greater media bandwidth.

    2. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      You pay XRY a yearly update license of around 5000 USD per license (physical dongle), and that includes upgrades to the latest version. If the vulnerability is fixed, you'll have to wait until they find another one.

    3. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      it's supposed to be fully encrypted when you use a non-simple passcode

    4. Re:Wasted taxpayer money by dougmc · · Score: 4, Insightful

      What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

      Serious answer, they probably get a support contract when they buy the software that entitles them to support and updates during the length of the contract. That's the way commercial Enterprise software generally is licensed, I see no reason why this would be different.

      It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while, and there's probably a clause in the contract that says this could happen but that they promise to make a good faith effort to find more vulnerabilities and "fix" their software as soon as possible. (But I seriously doubt it offers their money back -- after all, the rest of the software will probably still work, and even this part will still work on unpatched phones.)

    5. Re:Wasted taxpayer money by AngryDeuce · · Score: 3, Insightful

      What happens when these vulnerabilities are fixed and the kits become useless?

      Then they throw you in the clink until you decrypt it for them.

      America! Fuck Yeah!!

    6. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      The vulnerabilities will not be fixed.
      "For national security reasons."

    7. Re:Wasted taxpayer money by Firehed · · Score: 1

      It's fully encrypted with a crappy passcode, too. It just takes no more than 10,000 attempts to crack, and if they're able to dump the contents of the storage that's easy to bruteforce (hopefully law enforcement would try to do it by hand, hit the ten-attempt limit and cause the device to wipe itself). As usual, encryption is only as strong as its weakest link, and a 4-character numeric pin will be cracked twice as fast as an all-lowercase three character password (17576 possibilities)

      --
      How are sites slashdotted when nobody reads TFAs?
    8. Re:Wasted taxpayer money by zerro · · Score: 0

      nah... obligatory xkcd ref: http://xkcd.com/538/

    9. Re:Wasted taxpayer money by CAIMLAS · · Score: 1

      It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while

      Not really. Most cell phones don't get updates, and even when they do they don't have all the fixes or a very fast turnaround. Mobile phone security is still very 1990s.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    10. Re:Wasted taxpayer money by currently_awake · · Score: 1

      What's the point of having a secret law requiring a backdoor for police if the handset makers won't follow it?

    11. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      Meh, if the cops have physical access to your phone then all bets are off. They'll get at your data eventually.

      The only protection would be full flash encryption with a strong key (much stronger than the 4 digit code).

    12. Re:Wasted taxpayer money by Anonymous Coward · · Score: 0

      Except, the military is the biggest customer, which means - no, they probably don't, and they probably pay full price for the next version.

    13. Re:Wasted taxpayer money by tlhIngan · · Score: 1

      Not really. Most cell phones don't get updates, and even when they do they don't have all the fixes or a very fast turnaround. Mobile phone security is still very 1990s.

      Considering it's iPhones we're talking about, most are still getting updates - the only two phones not running the latest and greatest are the original iPhone (2007), and iPhone 3G (2008). The 3GS, 4 and 4s are receiving updates, and apparently Apple users tend to update quite often (it took roughly 2 months to get 50% update rate on iOS 4, and the latest (iOS 5.1) is already close to 50% released a few weeks ago, no doubt aided by the OTA update functionality).

      Of course, if this is a good vulnerability, it points to a perfect jailbreak if you can get that level of access - ability to run code and get at the filesystem through USB.

    14. Re:Wasted taxpayer money by ewanm89 · · Score: 1

      My favourite is thermorectal cryptanalysis, I hear it gives very good results.

  7. Undisclosed? by ichthus · · Score: 5, Insightful

    If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.

    --
    sig: sauer
    1. Re:Undisclosed? by Anonymous Coward · · Score: 1

      What do you want to bet you sign a license saying you won't reverse engineer the device, or at least click through one?

    2. Re:Undisclosed? by FunPika · · Score: 4, Insightful

      Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

      --
      After years of not using a signature, I am going to make one to say the following: Fuck Beta
    3. Re:Undisclosed? by Anonymous Coward · · Score: 1

      What do you want to bet you sign a license saying you won't reverse engineer the device, or at least click through one?

      Please, not even the lawyers who write those would think twice before ignoring it.

    4. Re:Undisclosed? by Khyber · · Score: 4, Interesting

      Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Undisclosed? by rhook · · Score: 1

      Doesn't the DMCA already make doing so illegal?

    6. Re:Undisclosed? by Anonymous Coward · · Score: 5, Interesting

      You think a company that produces a program that bypasses the user's pass-code on an iPhone is going to sue Apple for violating a EULA and win?

      You do realize that iOS has a EULA too, and that bypassing a password lock to gain access to a computer system is a felony, right? Even if Apple couldn't throw money at the problem until it goes away (they can), they'd still be in a position where their opponents broke the same law they accused Apple of and developed a product that has illegal uses. Not to mention that Apple could probably argue lost revenue and/or brand damages if it seems likely people would choose not to buy an iPhone because of the existence of this software.

    7. Re:Undisclosed? by Rouphis · · Score: 2

      DMCA don't apply to "the man".

    8. Re:Undisclosed? by gnick · · Score: 2

      Exactly.

      1) Buy a device
      2) Figure out what it's doing
      3) Coincidentally discover a bug in your phone and offer a patch

      --
      He's getting rather old, but he's a good mouse.
    9. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Interesting. So the police are committing a felony when they crack your device?

    10. Re:Undisclosed? by AngryDeuce · · Score: 1

      Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

      Why would Apple do that? They have their own police to get it for them.

    11. Re:Undisclosed? by Anonymous Coward · · Score: 0

      if they don't have a warrant, yes.

    12. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Without a warrant, yes.

      Also realize that in this murky industry of "law enforcement gizmos", people don't generally disclose their clients, so there's nothing stopping them from using pure marketing spin. It says they're used by law enforcement. It says they sell mostly to the US (who doesn't). It leaves it to you to connect the two.

      Your local donut-eating baconroll is unlikely to have one of these, let alone be smart enough to use it. Maybe departments have them, but that's the kind of thing lawyers love to discover to torpedo cases out of the water.

    13. Re:Undisclosed? by idontgno · · Score: 1

      local donut-eating baconroll

      Damn you. Now I'm hungry...

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    14. Re:Undisclosed? by Anonymous Coward · · Score: 0

      no they have a license to operate such devices.

    15. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Good thing that Apple or Google would never think of going through a third party to acquire one of these devices under false pretenses. Hell, they could probably get a private detective to buy one under the pretenses of snooping for evidence of marital infidelity.

    16. Re:Undisclosed? by Anonymous Coward · · Score: 5, Informative

      Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

      It's not as if you can just download their demo version from here:

      http://www.msab.com/app-data/downloads/XRY_Reader/XRY_READER_NOINST_6.2.0.zip

      Oh wait...

    17. Re:Undisclosed? by Anonymous Coward · · Score: 0

      The Police don't care about some badly written copywrong law which was written by Hollywood.

    18. Re:Undisclosed? by mjr167 · · Score: 4, Informative

      Creating tools is perfectly legal. The legality comes into question when you use the tool. For example, guns are legal tools to create. Shooting someone in the head is illegal. Cracking the password for a system you have legal right to access is legal. The law actually says that *unauthorized* access to a computer system is illegal. It says nothing about how you should go about obtaining *authorized* access.

    19. Re:Undisclosed? by Em+Adespoton · · Score: 1

      If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.

      Apple has no need to patch anything; they already recommend you use variable length passwords and not use the obsolete 4-digit PIN system. They haven't disabled it completely yet, but it's up to all end-users whether they want to decrease their security and use it, or stick with a multi-digit passcode or passphrase. The 4-digit PIN system has been known to be insecure for over two years now, and the alternative system has been available since the release of iOS 4 (not 5, which made it the default IIRC).

      Think of the 4-digit pin as being "I don't want anyone casually snooping on my data" and the passcode system as being "I want to prevent brief focused attempts at accessing my data". If the data's not encrypted (that's also an option), a determined person who has the phone in their possession can just read all the data right off the flash. If it's encrypted, they'll need to crack the password, or find some way to bypass it (backups, debug mode, smudges, the patched cached file approach, etc).

    20. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Or they could just hire a private investigator and get him to approach them...

      Then sue the living hell out of them for breach of contract. Probably a DMCA in there somewhere too...

    21. Re:Undisclosed? by swb · · Score: 1

      You don't think that Apple already controls a whole handful of companies not called Apple Computer and not linked to Apple except through some obscure piece of paper locked in a vault someplace?

      Some of them may do useful work in their fields and most of the employees know zip about their ownership, some may just be three guys in chinos in a 1500 square foot suburban office who know who they work for but change what their company is depending on what Apple might need.

    22. Re:Undisclosed? by russotto · · Score: 4, Informative

      Creating tools is perfectly legal.

      Not according to 17 USC 1201(a)(2) and 17 USC 1201(b)(1) it isn't.

    23. Re:Undisclosed? by schnikies79 · · Score: 1

      You are assuming that they don't do just that.

      --
      Gone!
    24. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.

      Offering large amounts of money to companies that crack your phone is not a good way to stop people from cracking your phone.

    25. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

      Selling to some buyers but not to others?
      Anti trust.

    26. Re:Undisclosed? by Fnord666 · · Score: 1

      If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.

      I think the confusion here is probably what is meant by "undisclosed". The "vulnerability" that is being used is undisclosed to the phone owners, not the manufacturers. The manufacturers already know about it and were likely told to leave it alone. It may have even been put there by them in the first place.

      What really needs to happen is for someone else to get one of the devices, determine what the vulnerability is, and either create an active exploit or use it as the basis of a jailbreak. This would either force the manufacturer's hand and get the vulnerability closed or give us a jailbreak that remains unpatched for an extended period of time.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    27. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Shooting someone in the head is illegal

      Unless you are a police officer or some sort of armed forces personnel doing it 'on official duty' apprehending a criminal, during an emergency, or during wartime.

    28. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Did you notice the "Stockholm-based" part?

      This means the US can pretty much just fuck-off with their laws.

    29. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Creating tools to bypass DRM in Sweden is illegal. Also using and possessing programs whose primary usage is to bypass copy protection systems. If that law applies to development firms working for the government I will leave unsaid.

    30. Re:Undisclosed? by Anonymous Coward · · Score: 0

      DMCA applies to US citizens that don't have a career breaking the law.
      Encrypting the data is a good way to start.

    31. Re:Undisclosed? by Anonymous Coward · · Score: 0

      The law says quite a bit about creating guns, too.

    32. Re:Undisclosed? by yoshman · · Score: 1

      Creating tools is perfectly legal.

      Not according to 17 USC 1201(a)(2) and 17 USC 1201(b)(1) it isn't.

      From the article: "Micro Systemation, a Stockholm-based company..."

      Instead of re-inventing something, I'll just reuse a quote from Pirate Bay,

      "As you may or may not be aware, Sweden is not a state in the United States of America. Sweden is a country in northern Europe. Unless you figured it out by now, US law does not apply here."

    33. Re:Undisclosed? by mjr167 · · Score: 1

      Fortunately this is a case of violating the computer fraud and abuse act (18 USC 1030), not copyright, and that law specifically requires the access to be both intentional and knowingly unauthorized.

    34. Re:Undisclosed? by Anonymous Coward · · Score: 0

      I have a feeling you're full of shit and delusional.

    35. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Obviously all these vulnerabilities are already fixed. You think that these companies are able to write jailbreaks themselves? Ha! No. They're just piggybacking commercial software on the backs of jail breakers who do this for free. In the video, it looks like they're using SHAtter bootrom exploit, which means they wouldn't be compatible with iPad2 or higher, and iPhone 4S.

      http://theiphonewiki.com/wiki/index.php?title=SHA-1_Image_Segment_Overflow

    36. Re:Undisclosed? by Anonymous Coward · · Score: 0

      Creating tools is perfectly legal.

      Not according to 17 USC 1201(a)(2) and 17 USC 1201(b)(1) it isn't.

      circumvention of copyright protections does not apply here

    37. Re:Undisclosed? by organgtool · · Score: 1

      4) Make the patch available only on a newer model of your phone
      5) Prophet!

    38. Re:Undisclosed? by ichthus · · Score: 1

      ...it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode.

      You don't think Apple needs to patch against this? The fact that they can even get the program to run on the phone itself is an exploit and, quite obviously, this hole needs to be closed.

      --
      sig: sauer
    39. Re:Undisclosed? by rhook · · Score: 1

      Ever hear of extradition treaties?

    40. Re:Undisclosed? by gnick · · Score: 2

      I think it takes more than clever marketing to declare yourself a prophet. However, being a prophet can be very profitable.

      --
      He's getting rather old, but he's a good mouse.
    41. Re:Undisclosed? by Em+Adespoton · · Score: 1

      ...it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode.

      You don't think Apple needs to patch against this? The fact that they can even get the program to run on the phone itself is an exploit and, quite obviously, this hole needs to be closed.

      This is a local "exploit" -- and is the same way that Apple updates devices itself. There is no program running on the phone per se.

      However, it would definitely make sense for Apple to require that data be wiped when this operation is performed, prompting for a restore from backup after the fact. Indeed, they could use a public key check using your backup password as the private key to validate the connection -- but then they'd need a back-door in order to wipe devices for reuse.

  8. Previous Android gesture lock story by manekineko2 · · Score: 5, Interesting

    Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

    http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone

    1. Re:Previous Android gesture lock story by Sez+Zero · · Score: 4, Informative

      Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

      http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone

      That's actually referenced in the article, probably a case of a long/strong passcode.

      Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.” That may have been the situation, for instance, in one recent case involving the phone of Dante Dears, a paroled convict accused of running a prostitution ring known as “Pimping Hoes Daily” from his Android phone; The FBI, apparently unable or unwilling to crack the phone, asked Google to help in accessing it.

    2. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      In the story link, it says they use brute force to find the passcode and admit sometimes it takes too long and is not worth the time.

    3. Re:Previous Android gesture lock story by SuricouRaven · · Score: 1, Interesting

      There are only 9!+8!+7!+6!+5!+4!+3!+2+1 possible combinations. That's... 409113.
      409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.

      Twenty-bit encryption. Hmm. Unimpressive.

    4. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      Yes and now thanks to the Slashdot article, they know where to purchase a tool that can automate it!! :D Great job!

    5. Re:Previous Android gesture lock story by milkmage · · Score: 4, Informative

      no you weren't. did you read the linked piece?

      the phone locked because they struck out too many times on the gesture lock. the phone is now asking for the GOOGLE credentials. It's not like the guy's pattern was so awesome it defeated the FBI - how many strikes do you get before the phone requires your google login? my BBerry gives me 5 before it nukes itself. 5 failed attempts is not "utter failure"

      https://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412
      "Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone."

      great system (seriously) .. require stronger auth if the first lock thinks it's being attacked.

    6. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      However, the limitation in that case was the need for human interaction with the device. How many gestural combinations can you try to brute force per second if you have to rely on physical motion for each attempt? That's why they tried to demand API level access from google.

    7. Re:Previous Android gesture lock story by gknoy · · Score: 1

      I like that it falls back to a stronger authentication, rather than bricking the phone completely.

    8. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      I doubt Google stores our passwords as plaintext. But you never know.

    9. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      There are only 9!+8!+7!+6!+5!+4!+3!+2+1 possible combinations. That's... 409113.

      409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.

      Twenty-bit encryption. Hmm. Unimpressive.

      Possible COMBINATIONS or possible PERMUTATIONS? There's a difference. Your sloppy use of terminology calls into question your qualifications to speak, as it were, to this subject.

      Also, a simple solution: don't use iCrap or Android devices for anything you wish to keep out of the hands of the fuzz. Solved. Paranoia pays! :)

    10. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      There are only 9!+8!+7!+6!+5!+4!+3!+2+1 possible combinations. That's... 409113.

      409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.

      Twenty-bit encryption. Hmm. Unimpressive.

      8! is contained in 9!, and the phone unlocks immediately after completing the pattern.
      Thus, it's 9!.
      But then you have to account for the fact that (at least on my Android phone) you can repeat nodes in the grid.

    11. Re:Previous Android gesture lock story by Gavagai80 · · Score: 1

      Google can always change your password and provide the FBI with the new one. No need to store plaintext.

      --
      This space intentionally left blank
    12. Re:Previous Android gesture lock story by aklinux · · Score: 1

      This is actually why I am afraid to try the pattern lock. I need a 'practice phone' to get my pattern learned on before doing it on a phone I use every day ;-)

    13. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      but the file system on android/iphone isn't encrypted is it?

    14. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      Which is why you can't use Gesture lock if you encrypt your phone.

    15. Re:Previous Android gesture lock story by Rich0 · · Score: 1

      This isn't encryption - it is a password entry. I doubt it is even hashed (maybe it is). The issue is that you need to interact with the device and incur delays between attempts, so you can't try 100k combos per second or whatever.

      As somebody else pointed out, there is no terminator on the end, so you only need to account for max-length entries. You can repeat entries however.

      The reality is that most patterns are probably only 5-6 dots long, and they're usually geometric. A typical grid point has 3.7 neighbors, so that makes the complexity around 9 * 3.7^4. That is only 1700 combos - less than a 4-digit numeric pin.

      Sure, if you carefully move your finger between the dots such that any dot could truly follow any other it might really be 9*8^4, and higher if you use a longer key. But, most people slide their finger around and so after the first dot is selected the number of choices each time is only 3-5.

    16. Re:Previous Android gesture lock story by SuricouRaven · · Score: 1

      Mine doesn't repeat, but remember the gestures can be from one to nine points long. Those nine factorials are the nine possible combination lengths.

    17. Re:Previous Android gesture lock story by SuricouRaven · · Score: 1

      Oh, I see what you mean... and yes, you are quite right.
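The pattern-space arguments in the comments above can be checked by enumeration. This is an added example, not part of any comment in the thread; the dot numbering, the no-reuse rule and the "android" rule (no jumping over an unvisited dot, minimum four dots) are assumptions stated in the code.

```python
"""Count 3x3 unlock patterns under the models argued over in this thread.

Assumptions (not from the thread): dots are numbered 0-8 row by row, a dot is
used at most once, and the "android" rule forbids a stroke that jumps over an
unvisited dot lying exactly between its endpoints, with a 4-dot minimum.
"""
from functools import lru_cache
from math import log2, perm

DOTS = range(9)


def between(a, b):
    """Return the dot exactly midway between a and b, or None if there is none."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None


def adjacent(a, b):
    """True when b is one of the (up to eight) grid neighbours of a."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    return max(abs(ra - rb), abs(ca - cb)) == 1


def step_ok(rule, cur, nxt, visited):
    """Decide whether the finger may move from cur to nxt under `rule`."""
    if visited >> nxt & 1:          # dot already used
        return False
    if rule == "android":
        mid = between(cur, nxt)
        return mid is None or bool(visited >> mid & 1)
    if rule == "adjacent":          # the "slide to a neighbour" habit
        return adjacent(cur, nxt)
    raise ValueError(f"unknown rule: {rule}")


@lru_cache(maxsize=None)
def count_by_length(rule):
    """Return a tuple t where t[k] is the number of k-dot patterns (t[0] is 0)."""
    counts = [0] * 10

    def extend(cur, visited, length):
        counts[length] += 1
        for nxt in DOTS:
            if step_ok(rule, cur, nxt, visited):
                extend(nxt, visited | 1 << nxt, length + 1)

    for start in DOTS:
        extend(start, 1 << start, 1)
    return tuple(counts)


def keyspaces():
    """Sizes of the spaces compared in the thread, smallest first."""
    spaces = {
        "any dot after any dot, 1-9 dots": sum(perm(9, k) for k in range(1, 10)),
        "android rule, 4-9 dots": sum(count_by_length("android")[4:]),
        "neighbour-to-neighbour slide, 5 dots": count_by_length("adjacent")[5],
        "4-digit PIN": 10 ** 4,
    }
    return dict(sorted(spaces.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    for name, size in keyspaces().items():
        print(f"{name:40s} {size:>8d}  ~{log2(size):4.1f} bits")
```

Under these assumptions the five-dot neighbour-only space comes out below the 10,000 codes of a 4-digit PIN, which is the comparison the "3.7 neighbors" comment makes.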

    18. Re:Previous Android gesture lock story by Anonymous Coward · · Score: 0

      The iPhone has an option to erase data after ten failed attempts. Wonder how their tool deals with that -- if it is enabled?

    19. Re:Previous Android gesture lock story by semilemon · · Score: 1

      No, I don't think they do either, but they could quite easily reset the account password on their end and provide that info to the FBI.

      --
      Why do today what you can put off until tomorrow?
  9. 4-digit pass code... by Anonymous Coward · · Score: 0

    Wow must be amazing technology that can brute force a four digit number password.

    Now for anyone that has a clue and is using something a little bit more complex...

    1. Re:4-digit pass code... by gnud · · Score: 1

      Well, iphones are often set to wipe "automatically" after 4 failed attempts.

    2. Re:4-digit pass code... by msheekhah · · Score: 1

      like the alphanumeric passcode on the iPhone

      --
      Mark Anthony Collins
    3. Re:4-digit pass code... by countach · · Score: 1

      That may not happen if they've jailbroken it and are hacking it from internally.

    4. Re:4-digit pass code... by X0563511 · · Score: 3, Insightful

      Does it actually wipe it, or merely disable your ability to unlock it without help from Apple?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:4-digit pass code... by X0563511 · · Score: 1

      ... or android.

      Though typing out a proper password every time you want to unlock the phone gets annoying FAST.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:4-digit pass code... by dougmc · · Score: 1

      Well, iphones are often set to wipe "automatically" after 4 failed attempts.

      And people who do this probably find their iPhones wiped quite often ...

      And this software probably bypasses that anyways.

    7. Re:4-digit pass code... by gnick · · Score: 1

      If they're somehow imaging the drive it's easy - Just run every attempt against the same image instead of the one counting fails.

      --
      He's getting rather old, but he's a good mouse.
    8. Re:4-digit pass code... by Anonymous Coward · · Score: 0

      If it was merely a disable it wouldn't be called "wipe", numbnuts. So, yes, it does actually wipe the device. That's the whole point behind a feature that says "wipe data".

    9. Re:4-digit pass code... by MachDelta · · Score: 2

      I thought it was 10 attempts for the iPhone?
      You got 5 tries, then had to wait a minute for the 6th, five minutes for the 7th, 15 minutes for the 8th, 30 minutes for the 9th, and an hour for the final (10th) attempt. If that fails then you can either have the phone lock itself until connected to its home iTunes account OR the option to go full nuclear and wipe the device.
      ?

    10. Re:4-digit pass code... by Cimexus · · Score: 1

      This is correct.

    11. Re:4-digit pass code... by guruevi · · Score: 2

      It basically wipes the decryption key from any memory on the device. The key is not stored with Apple and I doubt Apple has a 'universal collision key' on their encryption as they use RSA if I'm not mistaken which AFAIK doesn't have a universal collision key. Same goes for Android/Google and most encryption, encryption with spare keys is easy to detect and crack.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:4-digit pass code... by X0563511 · · Score: 1

      Forgive me for not taking something Apple says at face value, numbnuts.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. Keystroke Logs? by steevven1 · · Score: 4, Insightful

    Um, why do these even exist on the phones in the first place?

    1. Re:Keystroke Logs? by crazyjj · · Score: 1

      Presumably to make it just hard enough to hack to give you time to deactivate it before your local crackhead's fingers get tired.

      --
      What political party do you join when you don't like Bible-thumpers *or* hippies?
    2. Re:Keystroke Logs? by Em+Adespoton · · Score: 1

      Um, why do these even exist on the phones in the first place?

      Because the telcos requested them. The discussion slashdot had regarding the invasive possible spyware system installed by the telcos included other more niche reasons as well.

  11. Not an undisclosed vulnerability, it's a feature! by Anonymous Coward · · Score: 1

    I'm pretty sure they're just interfacing with it the same way consumers do to transfer messages, photos, etc. to a computer. Maybe the software being used is different, and displays other folders that are usually hidden from novice users and maybe it does it automatically. Not much different than what happens at the store when you upgrade your cell phone.

  12. So, they Jailbreak it. by Anonymous Coward · · Score: 0

    Okay, well, that was easy. They jailbreak the phone (or Root it, for Android peeps) and then have their way with it. That's pretty straightforward for an expensive piece of software.

  13. Security 101 by Anonymous Coward · · Score: 0

    Use long passwords and limit the number of attempts without some sort of timeout period or lockout after too many unsuccessful attempts.

    Which makes me wonder, on iPhone and android, how long can these codes be? Is there a lock if there are too many unsuccessful attempts? What sort of other features does the phone have to prevent this brute forcing?

    1. Re:Security 101 by leenks · · Score: 3, Informative

      The attack boots an alternative firmware onto the device. I doubt an unsuccessful attempt lock is much use...

    2. Re:Security 101 by Anonymous Coward · · Score: 0

      Wait, if it boots an alternate OS, why does it need a PIN from the other OS? If I boot knoppix on a PC, I don't need the windows login password to access mount any partitions.

  14. 4 digit integer passcode by alienzed · · Score: 1

    10000 possible passcodes... most systems can try that many in a few seconds. What slow ass computer are they using that it takes 2 minutes?

    --
    Never say never. Ah!! I did it again!
    1. Re:4 digit integer passcode by Anonymous Coward · · Score: 0

      It probably takes 119 seconds to image the drive to an external device and then less than 1 second to crack the pass code.

    2. Re:4 digit integer passcode by LostCluster · · Score: 1

      Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

    3. Re:4 digit integer passcode by leenks · · Score: 2

      The iPhone. The summary even explains that... The article and video demonstrate even more. It loads alternative firmware onto the device and uses that to crack the passcode stored on the device. Most of the time is spent loading the code onto the device, not cracking the code.

      I wonder how well it works with a complex iPhone passcode though (if at all?) - I confess to not watching all of the video or reading the article properly.

    4. Re:4 digit integer passcode by countach · · Score: 2

      Err... the iPhone's "slow ass" computer?

    5. Re:4 digit integer passcode by PNutts · · Score: 2

      Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

      They do.

    6. Re:4 digit integer passcode by rgbrenner · · Score: 1

      A few seconds?! I was just testing # of rounds w/ SHA512 for password encryption. The system has a AMD Sempron 140 -- a $30, single core processor. Plus, it runs XenServer... so subtract some % for the virtualization overhead.

      Results: 10,000 rounds of SHA512 in 96ms

    7. Re:4 digit integer passcode by viperidaenz · · Score: 1

      a $30 2.7GHz CPU, which is many times more powerful than the $5 ARM processor in the phone this thing runs on.

    8. Re:4 digit integer passcode by HarrySquatter · · Score: 1
    9. Re:4 digit integer passcode by Em+Adespoton · · Score: 1

      I wonder how well it works with a complex iPhone passcode though (if at all?) - I confess to not watching all of the video or reading the article properly.

      It fails utterly, if the unspoken text in the article is anything to go by... encryption + wipe + passworded backups + long password should be enough protection for most situations. Some people just find it too inconvenient, and don't realize how much valuable data they store on their smartphones.

    10. Re:4 digit integer passcode by Anonymous Coward · · Score: 0

      doesn't matter. you still can run all possible combinations in under a second with that $5 ARM processor.

    11. Re:4 digit integer passcode by Anonymous Coward · · Score: 0

      It is complicated. iOS has one of the keys buried in hardware and they use a PBKDF scheme to derive your key. Part of that derivation depends on a key that only exists on the device. There are no known techniques to extract this key (maybe these guys found a way). Even then Apple tuned the PBKDF work factor (using dedicated AES encryption hardware) to take a bit less than a second. So your ability to trial keys is limited by a work factor AND being forced to do this on the device. The best published forensics techniques do it in 10 or 30 minutes... a long time. I forget. It seems like these guys might be able to extract the key and brute force at top speed (using non iOS hardware). Even if they have that, the password protection scheme is solid. If a user had a good and complex password it would take forever to crack.

    12. Re:4 digit integer passcode by rdebath · · Score: 1

      The wrong one; they reboot the iphone into unbricking mode and suck all or part of its flash onto the PC. Probably decrypt it there.

    13. Re:4 digit integer passcode by deroby · · Score: 1

      ...or, IMHO, some people have such egos that they don't realize how utterly invaluable their data is.

      (if 'the man' wants to 'catch' you, it's probably a lot easier for them to simply make up some bogus info rather than going after your smartphone)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
  15. Not suprised by Anonymous Coward · · Score: 1

    Once you have physical access, compromise is only a matter of time. For legitimate warranted arrests and seizures let the pigs have their point and click exploit tools to catch the dumb criminals.

    What we need to guard against is having some ruggedized handheld pig fob handed out to every meter maid and traffic cop. Imagine being stopped for a traffic violation and having the fucker ask for "license registration, and your phone please" and have him snoop/dump your device while he runs your plates.

    1. Re:Not suprised by bhcompy · · Score: 1

      Sorry, I don't have my battery (except poor iPhone users can't even attempt to pull that off). Also, I don't have the key to undo my hoodpins so you can't see if I removed my smog equipment.

    2. Re:Not suprised by dougmc · · Score: 1

      What we need to guard against is having some ruggedized handheld pig fob handed out to every meter maid and traffic cop. Imagine being stopped for a traffic violation and having the fucker ask for "license registration, and your phone please" and have him snoop/dump your device while he runs your plates.

      Sounds like a job for the Fourth Amendment, which is already in place.

      (Of course, the other half of the equation is to not be tricked by the cop into giving permission to search the device, of course, but that's a problem with physical searches now.)

    3. Re:Not suprised by SuricouRaven · · Score: 1

      They can always arrest you for breaking some other law.
      Not sure which? Oh, there will be one, somewhere. Everyone is a potential criminal, it's just a matter of hunting hard enough. Ever dropped some litter and been caught on CCTV? How many times? I'm sure those fines all add up to a fair bit.

    4. Re:Not suprised by Anonymous+Psychopath · · Score: 1

      They can always arrest you for breaking some other law.
      Not sure which? Oh, there will be one, somewhere. Everyone is a potential criminal, it's just a matter of hunting hard enough. Ever dropped some litter and been caught on CCTV? How many times? I'm sure those fines all add up to a fair bit.

      Arrest doesn't invalidate your Fourth Amendment rights. If you have a passcode, they need a warrant. They cannot legally force you to unlock your phone yourself without one.

      If you do not have a passcode, any data on your phone is considered to be in plain sight and a warrant is not required. Use a passcode.

      --
      Eagles may soar, but weasels don't get sucked into jet engines.

    5. Re:Not suprised by currently_awake · · Score: 1

      England has a law about divulging passwords. I wonder if it applies to phones.

  16. What about stronger passcodes? by tlhIngan · · Score: 5, Interesting

    iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

    How does this thing fix that?

    Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...

    1. Re:What about stronger passcodes? by Sez+Zero · · Score: 1

      iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

      How does this thing fix that?

      It doesn't. They basically say that if there's a tough passcode, it might take so long as to be not worth guessing.

      Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”

    2. Re:What about stronger passcodes? by mianne · · Score: 1

      But who, even among IT security experts, OGA ops, etc., is going to enter a long, complicated passphrase to unlock their phone every time they get a new text or email? The most diligent probably avoid storing or accessing anything particularly sensitive on their smartphones, and rely on their firewalled desktop in their Faraday caged office to access such data. It wouldn't surprise me to find that many such people eschew smartphones entirely in favor of cheap, disposable prepaid phones to make calls, and use a fully encrypted laptop to access information on the go.

      --
      Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.
    3. Re:What about stronger passcodes? by Cimexus · · Score: 1

      I use complex passcode on my iPhone. But I also set the "require passcode after X minutes locked" to 5 or 10 minutes, rather than the default "instantly". Chances are, if I lose my phone or have it stolen, it won't be within 5 minutes of me last touching it. But I find that it eliminates a lot of the passcode-entering because I tend to use my phone for little bits within a few minutes of each other, then it might be hours before I touch it again.

      Plus you get pretty fast at entering it after you've had some practice.

      There's also an option to use a >4 digit, but still completely numeric passcode. This provides some additional security (i.e. 100 million combinations instead of 10 thousand, using 8 digits instead of 4), but is still easy to enter quickly because you are only presented with the numpad on the phone, rather than the full keyboard with itty bitty keys that's hard to unlock in a hurry.

    4. Re:What about stronger passcodes? by Anonymous Coward · · Score: 0

      *shrug* my iDevices have passcodes (instead of a pins) and will wipe after 5 failed attempts.

      This just seems like a problem of defaults...

  17. 10 wrong then wipe rule? by LostCluster · · Score: 2

    Unclear from the article is whether this hack would get anything if the 10-wrong rule for wiping everything is in effect.

    1. Re:10 wrong then wipe rule? by digitac · · Score: 1

      It gets around that. The 10-attempt rule is implemented in the UI (unlike on Blackberries) and this "tool" boots the device into recovery mode and attempts passwords directly against the authentication module. It can attempt about 14 passwords per second.
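What the comments here and in the earlier PBKDF comment imply for passcode choice: once guesses bypass the lock screen, only the key-derivation cost and the size of the passcode space slow the search. This is an added example, not code from the thread or from Apple; PBKDF2-HMAC-SHA256, the constructed `DEVICE_UID` and all function names are assumptions, and the 14 guesses per second is the figure quoted in the comment above.

```python
"""Simplified model of a device-bound passcode KDF and the cost of searching it.

Assumptions (not from the thread): PBKDF2-HMAC-SHA256 stands in for the hardware
AES-based derivation the comment describes, DEVICE_UID is a constructed stand-in
for the per-device hardware key, and guess rates are inputs, not measurements.
"""
import hashlib
import hmac
import time

DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value

# (alphabet size, length) for the passcode styles mentioned in the thread.
POLICIES = {
    "4-digit PIN": (10, 4),
    "8-digit PIN": (10, 8),
    "8-char letters and digits": (62, 8),
}


def derive_key(passcode, device_uid, iterations):
    """Stretch the passcode into a 256-bit key that is bound to one device."""
    # Mix in the device secret first so the key cannot be recomputed on other
    # hardware without it, then apply the tunable work factor.
    tangled = hmac.new(device_uid, passcode.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", tangled, device_uid, iterations, dklen=32)


def calibrate(target_seconds, device_uid, probe=20_000):
    """Pick an iteration count so one derivation costs about target_seconds here."""
    start = time.perf_counter()
    derive_key("0000", device_uid, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, round(probe * target_seconds / elapsed))


def worst_case_seconds(alphabet, length, guesses_per_second):
    """Time to try every passcode of exactly `length` symbols at a fixed rate."""
    return alphabet ** length / guesses_per_second


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def table(guesses_per_second):
    """Worst-case exhaustive-search time per passcode policy at the given rate."""
    return {name: human(worst_case_seconds(a, n, guesses_per_second))
            for name, (a, n) in POLICIES.items()}


if __name__ == "__main__":
    iters = calibrate(1 / 14, DEVICE_UID)
    print(f"iterations for ~1/14 s per guess on this machine: {iters}")
    same = derive_key("1234", DEVICE_UID, 1000)
    other = derive_key("1234", bytes(16), 1000)
    print("same passcode, different device, same key?", same == other)
    for name, duration in table(14).items():
        print(f"{name:28s} {duration}")
```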

    2. Re:10 wrong then wipe rule? by LostCluster · · Score: 1

      What's your source on that?

  18. This software needs to be released/leaked by Galestar · · Score: 1

    If any Joe Shmoe can crack an iPhone/Android, it might put public pressure on device manufacturers to close these holes.

    --
    AccountKiller
    1. Re:This software needs to be released/leaked by mrbester · · Score: 1

      How about Google and Apple team up to sue? I'm sure they wouldn't be happy about some hacker group making money from undisclosed vulnerabilities so why would this company be any different?

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    2. Re:This software needs to be released/leaked by Anonymous Coward · · Score: 0

      Wouldn't that mess up their business model?

    3. Re:This software needs to be released/leaked by PNutts · · Score: 1

      That's true, but we're talking about Guberments and Militards. The folks that did Stuxnet don't have issues getting into your phone and the ability to do this has been around for years.

    4. Re:This software needs to be released/leaked by rhook · · Score: 1

      I wonder if Google could sue them and force them to release the source code?

    5. Re:This software needs to be released/leaked by mjwx · · Score: 1, Informative

      If any Joe Shmoe can crack an iPhone/Android, it might put public pressure on device manufacturers to close these holes.

      Why do you need specialised software?

      Both phones have boot modes where you can access the device over a development bridge. The software relies on actually having the device same as using ADB from the Android SDK extract data (IIRC, You can do dd from a device using the SDK, so you can copy that and crack it to your heart's content). Once again we learn that once your physical security is broken, your data security is worthless.

      I'd be surprised if BB/WP7 didn't also have something like Android's fastboot.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  19. Taking code from the iPhone Dev Team? by grei9715 · · Score: 4, Informative

    The process is identical to what you do to jailbreak an iPhone - which makes sense. In both cases, the device would need to be put in DFU (eg, the "help, I'm broken, iTunes please fix me") mode. You have to wonder if these guys actually do the R&D for the iPhone, or just take the work that's already been done by others like the iPhone Dev Team.

    Since this is pretty much a guaranteed vulnerability anyway (at least, every iOS up to now can be jailbroken with a tether), a much more interesting question is how much harder is a longer/more complicated password to break? If this is literally a bruteforce enumeration, a reasonable password (that could be used for a computer) would be fairly safe.

    1. Re:Taking code from the iPhone Dev Team? by JohnnyLocust · · Score: 2

      It may actually be possible they have the means to just perform a backup of the phone and decrypt that via a brute force method. These guys here seem to be able to do that: http://www.elcomsoft.com/eppb.html

    2. Re:Taking code from the iPhone Dev Team? by Anonymous Coward · · Score: 0

      a much more interesting question is how much harder is a longer/more complicated password to break?

      No, a much more interesting question is why aren't there mechanisms in place to prevent brute-force attacks on the PIN?
      For instance, Blackberry will only allow ten attempts before it wipes the device.

      If nothing else, why isn't there an [X] minute delay after [Y] number of attempts?

    3. Re:Taking code from the iPhone Dev Team? by Cimexus · · Score: 1

      The iPhone has both those things. It has an option "wipe device after 10 failed attempts". Additionally, if this feature is turned on, any password attempts after the fifth attempt have an exponentially-increasing delay applied (up to several hours between the 9th and 10th attempt).

      However, this won't do anything to prevent this kind of attack, because it's being done internally by jailbreaking the device and running arbitrary code on it, not via the standard UI.

  20. X tries then wipe? by xtal · · Score: 1

    I'd be much more interested in how they're getting around that feature. That requires memory access or code injection, and as others have mentioned, it's a jailbreak or blatantly intentional.

    --
    ..don't panic
  21. I'll give you my phone... by axlr8or · · Score: 0

    When you can pry it from my cold, dead hands.

  22. We need full phone encryption. by Karmashock · · Score: 1

    We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:We need full phone encryption. by Sez+Zero · · Score: 1

      We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

      Like NSA's SE Android?

    2. Re:We need full phone encryption. by Anonymous Coward · · Score: 0

      This (the lack of block level strong encryption) is why I don't have a smart phone. It has always seemed spectacularly idiotic to walk around with a device storing, at minimum, phone numbers of everyone you've called, and potentially a lot of other sensitive data such as when you've been where... and NOT encrypt it.

      Seriously... WTF? Why are millions of people so careless?

    3. Re:We need full phone encryption. by interval1066 · · Score: 1

      Until then we can use Encryption Manager.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    4. Re:We need full phone encryption. by Karmashock · · Score: 1

      Is it encrypted? If I pull the memory chip out of the phone and load it by some means into another machine will the information be encrypted?

      Anyway, it looks neat. Is it impossible to install? It looks complicated.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:We need full phone encryption. by spinkham · · Score: 2

      iOS has "full drive encryption" in iOS 4 and later.

      It's just protected by a 4 digit pin which can be easily brute forced by default.

      You can use a stronger passcode, but you have to type it on every unlock so few do.

      --
      Blessed are the pessimists, for they have made backups.
    6. Re:We need full phone encryption. by Anonymous Coward · · Score: 0

      We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

      It was already done 10 years ago - it's called a blackberry.

      Maybe you should get a blackberry if you care about your data.

    7. Re:We need full phone encryption. by Karmashock · · Score: 1

      it would seem there are simple ways to make more complex passwords. For example, maybe you draw a picture with your fingers and the system unlocks if you get it close to right. Can you have "fuzzy" encryption? Something that locks a system with a "general" password? I ask because obviously with the picture idea you're never going to enter it in exactly the same every time.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:We need full phone encryption. by AndrewNeo · · Score: 1

      Android 3 and higher supports this.

    9. Re:We need full phone encryption. by Karmashock · · Score: 1

      Honestly, I don't have anything on my phone that I really care about. I mean... you get my phone numbers... Yippy!... who cares?

      But If I did have anything on there that I actually care about, then I'd probably do as you suggest and get a blackberry... that is assuming the company survives. They look like they're dying.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re:We need full phone encryption. by MachDelta · · Score: 1

      ICS (Android 4.0) supports drive encryption.

    11. Re:We need full phone encryption. by icebraining · · Score: 1

      The encryption doesn't need to be changed; you just generate the password using an algorithm that focuses on the image features and ignore small variations.

      But Android already has a "gesture to unlock" feature and apparently the marks from the fingers are enough to make it easily crackable.

    12. Re:We need full phone encryption. by admdrew · · Score: 1

      Is it encrypted?

      Possibly, yes. The codename is "fishbowl" (https://en.wikipedia.org/wiki/Fishbowl_%28secure_phone%29), and according to the NSA spec document (PDF - http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_(Version_1.1U).pdf), "the system shall support encrypted SD cards for storage.".

      While I suspect part of the intent is certainly for full encryption on the device, currently it seems to be focusing on call security (encrypted VOIP, all non-911 calls must go through a central server, SIP over a VPN, etc).

    13. Re:We need full phone encryption. by admdrew · · Score: 1

      *4 and higher, since we're talking about cell phones. /pedantic jerk

    14. Re:We need full phone encryption. by greghodg · · Score: 1

      Why on earth would you or anyone else give a crap who I've called? Or whose phone numbers I know? Or where I've been? At one point I wanted to sync my phone with my work exchange server. When I found out I'd have to turn on a passcode on my phone I said screw it. Seriously, WTF? Why do some people think anyone else cares about their trivial information?

    15. Re:We need full phone encryption. by Karmashock · · Score: 1

      How do you get that on a prospective android phone?

      I've been using smart phones for 15 years and back in the old days everything was modded on to the phones by interested parties. So I'm used to things being a little squirrely but I'd like a pointer in the right direction.

      I'm thinking about buying a motorola Photon. It promises ten hours battery life which is twice what the competing phones offer. I suspect that the real battery life is half that just like the promises made by their rivals.

      In any case, just wondering if you have any pointers on the subject.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    16. Re:We need full phone encryption. by MachDelta · · Score: 1

      By "supports" I really meant "has"
      It's under the settings->security menu. So all you have to do is either buy a phone with ICS, or root and install it yourself (where possible).

    17. Re:We need full phone encryption. by Anonymous Coward · · Score: 0

      I tried it and it's pathetic.
      It ties encryption to the unlock pin instead of having the two separate. So you cannot have a super hard and long encryption password to be entered at boot, but still unlock for normal activity with a pattern or smaller unlock password (and if you fail a few times, it could reboot the phone and ask for the more complex one for example).

      Changing the pin also changes the disk encryption password, so no way around having different passwords for normal unlock and for decryption.

    18. Re:We need full phone encryption. by Karmashock · · Score: 1

      Well, I'd want the gesture to be complicated enough for that to be unlikely. For example, what if you had three or four gestures layered on top of each other?

      So okay, you can guess ONE of the gestures or possibly see what all the gestures look like superimposed on each other but you don't know what any individual gesture is or the sequence.

      entering three or four gestures quickly one on top of the other should be fairly fast and significantly difficult to crack.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    19. Re:We need full phone encryption. by foniksonik · · Score: 1

      What's needed is a second 4 digit pass code. When that is entered the long pass code goes into effect. The best of both worlds. Use your day to day PIN for casual use, then "lock" the phone with the second PIN anytime you're not in complete control. Could also be set on a timer eg if 4 hours go by the device goes into secure locked mode.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    20. Re:We need full phone encryption. by Karmashock · · Score: 1

      What's also interesting is that the phone responds to this tool. Certainly before the phone opens up to this thing it should query for a more advanced password.

      Maybe set up the short pin for direct touch entry. But the actual system itself is secured with a much more advanced password. The pin system would know that password but the password would only be unlocked from that system if the 4 digit pin was PHYSICALLY entered into the system.

      Obviously a four digit pin is very easy to hack but if it has to be done manually then it is much more time consuming to sit there and enter in 10 thousand possible combinations. A computer can go through all that very quickly but a human being typing in each one one at a time is another matter. And obviously the pin system would now allow so many incorrect answers in a row before it would go into a cool down mode. Maybe ten wrong answers and then it won't allow any more guesses for ten minutes.

      Ideally the long form password should be quite long.

      I think something people should consider is quotations. Take a monologue from your favorite movie or play and make THAT the security key. It will be very long, hard to guess, and hard to forget. People could actually remember a very long key that way. Punctuation might be an issue in some quotations but ideally you'd instruct people to keep the book or whatever that they took the quote from as a hardcopy somewhere.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    21. Re:We need full phone encryption. by Anonymous Coward · · Score: 0

      So why did you raise the point about strong encryption in the first place?

    22. Re:We need full phone encryption. by Anonymous Coward · · Score: 0

      Honestly, I don't have anything on my phone that I really care about. I mean... you get my phone numbers... Yippy!... who cares?

      So why do you bother with a smartphone if all you put on it is phone numbers? It's kind of pointless.

  23. Old news by Anonymous Coward · · Score: 0

    PhoneView is a commercial utility that's been available for ages: it allows you to backup and browse the iPhone's data like iTunes should allow you to, completely painlessly. It does so using an exploit, and it's wonderfully useful to use:

    http://www.ecamm.com/mac/phoneview/

    Whenever I plug in my phone, it automatically backs up new text messages, and lets me browse my phone. Even though I have a passcode. The software vendors did not think to market it as a security breaching utility, but if they had, they would be making big bucks too.

    Do I blame Apple? No of course not. If my phone had to be secure enough so that it couldn't be cracked if I lost it or it got stolen, then the device would be a fucking pain to use!!

    1. Re:Old news by narcc · · Score: 1

      If my phone had to be secure enough so that it couldn't be cracked if I lost it or it got stolen, then the device would be a fucking pain to use!!

      Why? Good security doesn't have to get in the user's way.

    2. Re:Old news by Obfuscant · · Score: 1

      Why? Good security doesn't have to get in the user's way.

      Any security, good or bad, adds complication to the system and thus "gets in the user's way", compared to no security at all. What kind of security did you have in mind that wouldn't get in the way?

      Right now, to access my phone, I push the wake up button on the top and slide my finger across the screen. To access my tablet, I push the same kind of button and then have to play connect the dots. I can get onto my phone much easier than getting onto my tablet. (Add into that that my tablet is a "Cruz" reader that will power itself off when the battery gets low or you don't use it for an hour or so, so pressing the "wake up" button often requires a full reboot to get to the connect the dots stage.) Yes, it's a pain to get into the tablet, and the only reason I have the "connect the dots" is because I got tired of the tablet turning on by itself and running the battery all the way down, so I turned on gesture unlock with the hope it would prevent that from happening.

    3. Re:Old news by narcc · · Score: 1

      An example would be end to end encryption on messages, which would need not be different from the user's perspective than the same message sent as plain text.

      The bit I didn't understand was "then the device would be a fucking pain to use!!" I don't really see how good security would significantly impact the user experience. Sure, in your example entering a password is a roadblock getting started, but it otherwise doesn't impact usability from that point forward. Just to take my earlier point a bit further, if you replaced the slide to unlock on your phone with a slide over a fingerprint-scanner you'd gain security without adding additional complexity.

  24. Strong passcode option & delete after 10 attem by blahbooboo · · Score: 1

    I believe these two options in iOS will make it a bit more secure

    1) Strong passcode option (alphanumeric and more than 4 characters)

    2) Delete all data after 10 incorrect passcode attempts

  25. DMCA? by v1 · · Score: 5, Insightful

    isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

    I mean, technically, aren't they hacking it and selling an exploit?

    It would be refreshing to see that law used to protect some of the public for once.

    --
    I work for the Department of Redundancy Department.
    1. Re:DMCA? by Anonymous Coward · · Score: 2, Interesting

      isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

      I mean, technically, aren't they hacking it and selling an exploit?

      Yes. But they aren't located in the USA, and they are (allegedly) only selling to law enforcement, so the DMCA doesn't apply.

      It would be refreshing to see that law used to protect some of the public for once.

      HAHAHAHAHAHHA! That's a good one. Got any more jokes?

    2. Re:DMCA? by viperidaenz · · Score: 1

      But they are selling to USA entities. So importing should be illegal, right?

    3. Re:DMCA? by admdrew · · Score: 1

      IANAL, but importing != actually using, so probably not illegal, no.

      Also, it seems like the use of this could still be legal for law enforcement, assuming they have a valid warrant.

    4. Re:DMCA? by Anonymous Coward · · Score: 0

      Well, this is the US and Capitalism is involved, including the US military, so ....... it's OK!

      USA? Hypocrisy is thy name.

    5. Re:DMCA? by viperidaenz · · Score: 1

      Going by that theory, DVD Decrypter should be legal to host in USA. Downloading != using. Macrovision still cease and desisted the guy who made it.

    6. Re:DMCA? by Anonymous Coward · · Score: 0

      that only applies to measures designed to protect copyright. these protective measures protect users' privacy, the DMCA is irrelevant.

    7. Re:DMCA? by admdrew · · Score: 1

      To be fair, a cease and desist from a company is quite a bit different than being arrested or charged with a crime.

      ...that said, a judge "ruled that the backup copies made with software such as DVD Decrypter are legal but that distribution of the software used to make them is illegal" (https://en.wikipedia.org/wiki/DVD_Decrypter)

    8. Re:DMCA? by viperidaenz · · Score: 1

      That's a backwards judgement. That's like saying shooting people is legal, but distributing guns is illegal.

    9. Re:DMCA? by admdrew · · Score: 1

      Well, first off, I was using that to agree with your original comment, sooooooo

      Second, I would disagree with your shooting analogy - as has been said, backup copies of digital media have been considered legal for quite some time before the DMCA came around (unlike shooting someone, which has been a no-no since before guns came around); that judgement is kinda wonky, but it takes into account both the DMCA, and pre-DMCA copy-related laws.

  26. Wonder how they did Android... by downhole · · Score: 3

    I'm curious how they managed to crack the Android phones. All of the rooting methods that I know of involve manually enabling Debug mode on the phone and then rooting around on the command line. If you have a screenlock enabled and have not left debug mode enabled, then I don't see any simple way to get access to the phone to even start to mess with exploits.

    Then there's the question of how this relates to the FBI publicly having to go beg Google for help to get into some low-level criminal's Android phone that had the pattern lock enabled, which some have previously complained wasn't really all that secure. Are these guys blowing smoke about how easy it is to crack Android? Were the FBI guys working on this particular case just not on the ball? Has the Government decided not to break out their coolest tricks to solve a relatively minor crime? Did this guy have some particular model that's much harder to crack?

    --
    I don't reply to ACs
    1. Re:Wonder how they did Android... by toadlife · · Score: 1

      Well if it's a Samsung phone....

      Phones with locked bootloaders would probably require an actual kernel or Android system exploit.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:Wonder how they did Android... by admdrew · · Score: 1

      I don't see any simple way to get access to the phone to even start to mess with exploits.

      I believe they simply boot their own firmware, which can be done without rooting the existing OS.

    3. Re:Wonder how they did Android... by Anonymous Coward · · Score: 0

      They probably forced it into download mode, injected a kernel with CWM, then rebooted into recovery and had full access to the internal storage.

    4. Re:Wonder how they did Android... by downhole · · Score: 1

      So much for my supposed phone security... I was just experimenting with it, and I discovered that I can easily get the phone to reboot into recovery without using any passwords or codes, and that I have an ADB root shell as long as it's in recovery (the phone's rooted and running CM7).

      I suppose it would also be more secure if I didn't leave Titanium and Nandroid backups on the SD card that you can remove without even turning on the phone. Or if Clockwork recovery didn't let you do new Nandroid backups whenever you felt like it. Guess I better rethink a thing or two.

      --
      I don't reply to ACs
  27. I don't use smartphones but... by Anonymous Coward · · Score: 0

    using a 4-digit passcode is like asking to be hacked.

  28. Not much good if the passcode is easy to guess by daninaustin · · Score: 1

    If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.

  29. Re:Strong passcode option & delete after 10 at by Sez+Zero · · Score: 1

    I believe these two options in iOS will make it a bit more secure

    1) Strong passcode option (alphanumeric and more than 4 characters)

    2) Delete all data after 10 incorrect passcode attempts

    Probably strong passcode option, but I'm guessing that this is done at a low enough level to bypass that other feature of iOS.

  30. Security just isn't a priority by syncrotic · · Score: 5, Interesting

    How to make phone operating systems more secure:

    1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.

    2. No USB access of any kind when the phone is locked. It's a huge vulnerability.

    3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...

    4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.

    An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.

    Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.

    What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.

    1. Re:Security just isn't a priority by AndrewNeo · · Score: 2

      I'm curious how difficult it would be to have an alternate ROM for Android phones just have a 'USB toggle' that blocks access to the USB module entirely (add/remove kernel module?)

    2. Re:Security just isn't a priority by admdrew · · Score: 1

      No USB access of any kind when the phone is locked. It's a huge vulnerability.

      Ehhhhhh... if you have physical access to any device (phone or not), it's really only a matter of time before you can compromise it. And if "your average traffic cop or border patrol agent" isn't easily able to snoop around your phone, but has a search warrant to legally do so, they'll simply find someone who can technically assist them.

    3. Re:Security just isn't a priority by Anonymous Coward · · Score: 0

      Was going to post this... if the attacker has physical access to the hardware, the game has been lost: The best safes never promise to keep the enemy out, they're only ever rated in how long they'll keep them out.

      If you seriously expect a govt agency to attempt to access your phone against your will, the only hope to safeguard its secrets is for it to have trip sensors and self-destruct the data in the event of unauthorized access, by erasure or destructive overvoltage.

    4. Re:Security just isn't a priority by Anonymous Coward · · Score: 0

      When you have physical access to the device, you can in principle dump the flash and the rom. This can however be mitigated.
      1) You can encrypt all the flash data. Of course, the key must be in memory, but it means they can't turn the device off.
      2) You can put a trigger mechanism in the casing that makes it turn itself off (forget the key) if tampered with. This could possibly be prevented by carefully melting off the plastic and looking at the anti-tamper mechanism but it'll be too expensive to be worth it in most cases.
      3) If swipe / pin login fails a few times, forget the key. The key could for example be generated as a salted hash of the password, if it's strong enough. This will prevent people from brute forcing the pin.
      4) Make the opening screen look like some well-known swipe / pin login but invisibly operate by different rules. This will increase the chance that Eve will accidentally lose the key on the first try. Additionally, since you'd know that only Eve would make this mistake, you could wipe the flash in response.
      In many cases this will make it too expensive or too impractical to get the data. The data is likely to be encrypted, forcing them to go through the courts before they can use it, or possibly even irretrievably gone. Of course, you have to worry about what your data is worth to you as well. Deleting it all may not be a good option unless you sync it with some web service and then Eve might force you to provide the key to the data on the web service instead.

    5. Re:Security just isn't a priority by mcrbids · · Score: 1

      they'll simply find someone who can technically assist them.

      That somebody may be quite expensive. Governments don't have unlimited funds. At least in the United States, law enforcement agencies are pretty much chronically underfunded.

      It's silly to try to argue that improving security won't result in improved security. No, it's not impenetrable, but nothing ever is. Good security is about balancing needs and risk, not about making something invulnerable.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    6. Re:Security just isn't a priority by mjwx · · Score: 1

      I'm curious how difficult it would be to have an alternate ROM for Android phones just have a 'USB toggle' that blocks access to the USB module entirely (add/remove kernel module?)

      Not as easy as it is for someone who wants to crack an Android phone to go into fastboot or recovery and bypass the ROM entirely. Your user data is stored on data.img, just copy that using the Android SDK and then you can crack it without the device. Even with full disk encryption it's only a matter of time.

      Once physical security is broken, breaking encryption is only a matter of time. The only defence against this is having no data on the device.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Security just isn't a priority by Anonymous Coward · · Score: 0

      On android, ideally what you'd want to do is something that blocks USB access when the phone is in "recovery" mode since this is likely the state the phone is put into for this exploit ("download" mode would let you flash something new but probably not give you access to existing information, and when the phone's running but locked there might be other problems). Then again you could just use download mode to flash an unlocked kernel/recovery and then pull stuff off via USB.

    8. Re:Security just isn't a priority by AndrewNeo · · Score: 1

      Even with full disk encryption it's only a matter of time.

      Of course it's only a matter of time, but so is the heat death of the universe, and neither that nor breaking 128 bit AES are happening any time soon. You're also implying that I can't go in and modify fastboot or recovery on my phone to prevent it from being pulled down, too.

    9. Re:Security just isn't a priority by Anonymous Coward · · Score: 0

      I've wanted for a while to have a phone whose contents are completely encrypted, with the key stored in a bluetooth earpiece. So the phone is unusable unless the earpiece is active and in range. If the BT connection drops, the phone erases its internal copy of the key. If you turn off the earpiece then turn it back on, you have to enter an access code to unlock the key, and the code for that is simple enough that it's easier to make secure. So a lost or seized phone (without the accompanying earpiece) is completely unusable, and even with the earpiece, there may still be the passcode to deal with. If you lose the earpiece without losing the phone, you are hosed unless you have a copy of the key stashed away at home, that you can load into a new earpiece. The setup instructions would tell you how to make that copy. I wonder if there are BT earpieces available with hackable firmware, sort of like Rockbox for mp3 players or CHDK for cameras. It would be pretty easy to add this functionality, if the earpiece can be made to support the serial emulation profile as well as the hands-free profile, for example.

  31. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 5, Interesting

    If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.

    While if you have a 40 character passphrase you have to enter every time you want to unlock it, it's not terribly useful as a mobile phone.

    Not really sure what the solution is. Some sort of balanced approach... 4 digits to unlock the basic functionality... place and answer calls... use preselected apps...

    full passphrase to get deeper in...

    with some user options to control where exactly the boundary is...

    but this is of course "complicated" which disqualifies it from being ideal too... so I'm not really sure what the solution is.

  32. gravity by Anonymous Coward · · Score: 0

    did they drop it?

  33. 20 minutes? by Anonymous Coward · · Score: 0

    Psh. I could do it within seconds...

    ...using a sledgehammer, of course. ;>

  34. I'm safe from this crack by Yvan256 · · Score: 2, Funny

    My password is one, two, three, four, five.

    1. Re:I'm safe from this crack by Anonymous Coward · · Score: 0

      wow that's the same combo on my luggage!

    2. Re:I'm safe from this crack by Dogbertius · · Score: 0

      That's amazing! I've got the same combination on my luggage!

    3. Re:I'm safe from this crack by Lluc · · Score: 1

      That's amazing! I've got the same combination on my luggage!

      That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    4. Re:I'm safe from this crack by adisakp · · Score: 0

      My password is one, two, three, four, five.

      That's amazing. I've got the same combination on my luggage.

    5. Re:I'm safe from this crack by Anonymous Coward · · Score: 0

      That's amazing. I've seen the same combination used in a movie.

    6. Re:I'm safe from this crack by Anonymous Coward · · Score: 0

      I have the same combination on my luggage!

    7. Re:I'm safe from this crack by Anonymous Coward · · Score: 0

      Hey! That's the same combo as I use on my four-dial luggage locks!

    8. Re:I'm safe from this crack by Anonymous Coward · · Score: 0

      the funny thing is, this "cracked in 2 minutes" is ONLY if the password is 0000, believe it or not, your 1, 2, 3, 4 password would not be "cracked" that fast at all.

      More info here: http://9to5mac.com/2012/04/02/xrys-two-minute-iphone-passcode-exploit-debunked/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+9To5Mac-MacAllDay+%289+to+5+Mac+-+Apple+Intelligence%29

  35. Crack your iPhone? by Jeremiah+Cornelius · · Score: 4, Funny

    Remember when they only cracked your skull?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Crack your iPhone? by flyneye · · Score: 4, Funny

      How many cops does it take to crack an iPhone?
      One to get the coffee.
      One to get the donuts.
      One to find someone who knows how to operate an iPhone.
      One to put in a requisition to the city council for Micro Systemations softwhore.
      666 to increase traffic citations to pay for it...
      Then 4 or 5 to install it.
      and two, six months to figure out the software.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    2. Re:Crack your iPhone? by Taco+Cowboy · · Score: 3

      How many cops does it take to crack an iPhone?
      One to get the coffee.
      One to get the donuts.
      One to find someone who knows how to operate an iPhone.
      One to put in a requisition to the city council for Micro Systemations softwhore.
      666 to increase traffic citations to pay for it...
      Then 4 or 5 to install it.
      and two, six months to figure out the software.

      Or ...

      They hire a geek

      Download a pirated version of the software

      And crack the damn thing, in 2 minutes, flat

      --
      Muchas Gracias, Señor Edward Snowden !
    3. Re:Crack your iPhone? by Proudrooster · · Score: 4, Informative

      Actually, the procedure is a multistage process. XRY loads custom firmware/software onto the iPhone by putting the phone into recovery mode. For the Android, XRY roots the device. Their software is actually a phone hacking tool.

      Here is the video of how it works:

      http://www.msab.com/xry/smartphones

    4. Re:Crack your iPhone? by Relayman · · Score: 3, Insightful

      This may give the police some information, but I doubt they could use it in court. How can they prove that they didn't introduce some data during this process?

      --
      If I used a sig over again, would anyone notice?
    5. Re:Crack your iPhone? by cayenne8 · · Score: 1

      I wonder if they have any numbers for cracking MORE than 4 digits...numeric, upper/lower case...symbols...etc?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    6. Re:Crack your iPhone? by Aryden · · Score: 3, Informative

      The same way that they prove they didn't slip an ounce of weed into the pocket of a suspect. Or that they didn't doctor video or audio footage. The court has to take their word on it unless contradicting evidence is introduced. We like to believe that the burden of proof is on the prosecution, but the reality is, the burden of DISPROOF is placed on the defendant. They are very different things.

    7. Re:Crack your iPhone? by Anonymous Coward · · Score: 0

      Yeah.... but that would involve hiring a geek.

    8. Re:Crack your iPhone? by SCHecklerX · · Score: 1

      Yeah, really. Forensics 101.

    9. Re:Crack your iPhone? by Bob+the+Super+Hamste · · Score: 1

      Then it sounds like there might be a good chance of getting a conviction based on evidence gathered this way thrown out like the individuals who demand the source code for the breathalyzer machines and have gotten cases tossed based off of that. Here it might be even easier given that the device loads custom firmware/software on the device.

      --
      Time to offend someone
    10. Re:Crack your iPhone? by xycadium · · Score: 1

      ...it sounds like there might be a good chance of getting a conviction based on evidence gathered this way thrown out...

      I doubt it. Nowadays, there is very little hope of winning when it comes to your word against theirs. They purchase/use software to get into your personal effects/papers without warrant. The software itself is considered a tool for the police, like a hand gun/tazer/cuffs, and therefore isn't questioned by the courts and is considered perfect by proxy (the police use it, so it must be perfect and not do anything to taint evidence). It's nice to think that such things could be tossed out of court but in reality this doesn't and will not happen. If you're targeted by the police, innocent or not, you're screwed with very little hope of making it back home without changing clothes into an orange jumpsuit and having your life, and the lives of your family, utterly destroyed.

      I've said it many times before and I'll say it again. We need TOUGH laws against law enforcement and DAs that force DAs to prosecute law enforcement officers under laws which will imprison those officers for decades for small infractions of dishonesty which results, or attempts to result in the loss of life/liberty for any US citizen. If we had such laws and prosecution practices in place, the number of abuse cases (and even cases which we think are legitimate but are actually horrific crimes against personal liberties and justice) would quickly diminish on a massive scale as officers would stop jeopardizing their own lives and the lives of their families versus trying to put innocents into prison based on fake/planted evidence and lies.

    11. Re:Crack your iPhone? by Bob+the+Super+Hamste · · Score: 1

      I doubt it. Nowadays, there is very little hope of winning when it comes to your word against theirs.

      It has worked in the past and probably still does. Additionally there was this bit on /. a while back about the number of bits used when doing the A to D conversion was too low (12 bit A-D converter where only 4 bits were used) which basically showed the values to be too coarse to be of any value on the low end.

      --
      Time to offend someone
  36. Re:Not much good if the passcode is easy to guess by kestasjk · · Score: 2

    Biometric auth perhaps? .. Not perfect of course..

    --
    // MD_Update(&m,buf,j);
  37. Good Luck cracking my GPS data that is turned off by Anonymous Coward · · Score: 0

    I always have GPS data turned off so that should make cracking it much more unlikely. On top of that, what happened to the article from a week ago saying law enforcement was having major problems unlocking the customizable swipe feature from android phones? That seems quite contradictory. I think they just like to lie to try to scare people. Would fit in right with what most law enforcement does. They say one thing to the public and then the reality of the matter is entirely different. 1984 wasn't supposed to be a blueprint by the way, it was a warning. What are warnings for?, to prevent disasters. Unless law enforcement wants a disaster, they should double check themselves, especially with the ease of access hackers seem to be able to gain to their systems. So have a blast lying and enjoy your hard times getting them cracked while telling lies to your witnesses in an effort to get them to crack.

  38. Does this avoid the auto-wipe option? by MattW · · Score: 1

    I have my phone set to autowipe itself after 10 wrong passcode attempts. Does this avoid that auto deletion? Because someone doing it by hand would trigger that and the phone would theoretically wipe itself. (Not tested, but it will start to make dire warnings about wiping the device after several failures.)

    1. Re:Does this avoid the auto-wipe option? by Fnord666 · · Score: 1

      I have my phone set to autowipe itself after 10 wrong passcode attempts. Does this avoid that auto deletion? Because someone doing it by hand would trigger that and the phone would theoretically wipe itself. (Not tested, but it will start to make dire warnings about wiping the device after several failures.)

      I doubt this tool will trigger the autowipe. For the iOS device they are using DFU mode to access the device which bypasses pretty much everything. They are loading some custom code into the device and then executing it to get the passcode. See Jonathan Zdziarski's book on iPhone Forensics for details on how to do this without corrupting a defendant's system in the process. Fortunately Apple provides a small, secondary amount of storage that you can load some code into and execute without touching the primary storage. I chose not to link to Zdziarski's book because at this point it is mostly out of date.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:Does this avoid the auto-wipe option? by IndustrialComplex · · Score: 1

      Autowipe is useless in most instances, so is much of the talk about 8-10 digit codes.

      Even if you have to run it on iPhone hw, here is how you dodge that:

      1. Grab the image from the phone. Make 11 copies.
      2. Load the image onto ten virtual phones.
      3. Cycle through the codes each virtual phone assigned to do 1/10th of the total set.
      4. If an autowipe is triggered, reload from image 11 and continue where you left off.

      Hell, if you can snag the image from the phone without breaking it, you wouldn't even need it to do the cracking.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  39. Palm PRE still safe by Anonymous Coward · · Score: 0

    Looks like those 7 Palm PRE owners are getting the last laugh.

  40. Re:Not much good if the passcode is easy to guess by Flammon · · Score: 1

    My Motorola Atrix has a fingerprint reader. Combine that with a long password, encrypted filesystem and it's getting pretty secure.

  41. Re:Not much good if the passcode is easy to guess by gknoy · · Score: 1

    Android 4's face recognition, plus having to enter a pattern drawn on screen, seems like a great pairing. I am assuming you can use both, of course.

  42. Android + Truecrypt by flappinbooger · · Score: 1

    Sooooo.... what would it take to get truecrypt to put out a custom android rom?

    TC doesn't have any backdoors, does it? I mean, being open source and all.

    --
    Flappinbooger isn't my real name
  43. Re:Not much good if the passcode is easy to guess by Anonymous Coward · · Score: 0

    One solution is to do it like your SIM card does (aka smartcard).

    You get a set number of attempts and then the card destroys itself. This protection is done in hardware and is very difficult to bypass.

    If the phone locked and encrypted itself using the smartcard then you couldn't unlock it without unlocking the smartcard. The smartcard would provide the decryption key once unlocked. Since the card is providing that key then it can be long and random binary data (ie. you couldn't brute force the encryption, assuming AES256 or similar).
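The smartcard-style design described in the comment above (and in the earlier "forget the key after a few failed logins" suggestion), as an added example that is not part of any poster's comment: a simulated secure element holds a random 256-bit data key, releases it only for the correct PIN, and erases it after a fixed number of failures. The class and function names, the 10-attempt limit and the PBKDF2 parameters are assumptions chosen for illustration, not any vendor's API.

```python
import hashlib
import hmac
import secrets


class KeyDestroyed(Exception):
    """Raised once the element has erased the wrapped data key."""


class SecureElement:
    """Toy model of a tamper-resistant chip (hypothetical, for illustration).

    The phone never sees the PIN verifier or the failure counter; it can
    only call unlock(). Real hardware enforces that boundary physically,
    here it is only a naming convention.
    """

    MAX_ATTEMPTS = 10        # assumed limit, same figure the thread mentions
    KDF_ITERATIONS = 50_000  # assumed cost per guess

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        # Long random key: the storage encryption itself is not guessable,
        # so the PIN check below is the only way in.
        self._data_key = secrets.token_bytes(32)
        self._verifier = self._stretch(pin)
        self._failures = 0

    def _stretch(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", pin.encode(), self._salt, self.KDF_ITERATIONS
        )

    def unlock(self, pin: str):
        """Return the data key for the right PIN, None for a wrong one."""
        if self._data_key is None:
            raise KeyDestroyed("data key was erased after too many failures")
        # Count the attempt before checking it, so interrupting the check
        # cannot be used to get a free guess.
        self._failures += 1
        if hmac.compare_digest(self._stretch(pin), self._verifier):
            self._failures = 0
            return self._data_key
        if self._failures >= self.MAX_ATTEMPTS:
            # Erase everything needed to recover the data.
            self._data_key = None
            self._verifier = None
        return None


def all_pins():
    """Every 4-digit PIN in numeric order: 0000 .. 9999."""
    return (f"{n:04d}" for n in range(10_000))


def guess_in_order(element: SecureElement, candidates):
    """Feed candidates until the key is released or the element wipes.

    Returns (key_or_None, number_of_guesses_the_element_accepted).
    """
    tries = 0
    for pin in candidates:
        try:
            key = element.unlock(pin)
        except KeyDestroyed:
            return None, tries
        tries += 1
        if key is not None:
            return key, tries
    return None, tries


if __name__ == "__main__":
    phone = SecureElement("7391")            # constructed sample PIN
    print("owner unlock ok:", phone.unlock("7391") is not None)
    key, tries = guess_in_order(phone, all_pins())
    print("exhaustive search recovered key:", key is not None,
          "after", tries, "guesses")

    weak = SecureElement("0000")             # a PIN inside the first 10 guesses
    key, tries = guess_in_order(weak, all_pins())
    print("weak PIN recovered:", key is not None, "after", tries, "guess(es)")
```

The attempt limit only protects PINs that an ordered or popularity-sorted search would not reach within the allowed guesses, and only if the counter cannot be copied or reset from outside the chip.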

  44. it's not a matter of time... by evangellydonut · · Score: 2

    it's a matter of attempts. Blackberries and iPhones (don't know about Android) have the ability to erase all data after 10 failed attempts to log-in. So unless they can bypass the counter entirely, I'm not too concerned about the security level of 4 numbers (assuming you don't use 0000 1111 1234 or some other common ones).

    1. Re:it's not a matter of time... by Anonymous Coward · · Score: 1

      Why bother with brute force? I've cracked an iPhone password by first jailbreaking, then simply changing a field in the SQLite database. It's almost a joke.

    2. Re:it's not a matter of time... by Anonymous Coward · · Score: 0

      The data can be dumped to disk. Making the counter worthless. Also messing with the objective-c runtime is easy to do. Long live GDB.

    3. Re:it's not a matter of time... by mastershake82 · · Score: 1

      Assuming that an "attempt" is measured as you expect. If the attacker has bypassed the GUI and is doing something else via the data port to break / enter the password... are each of those counted as an attempt?

      I could find out in Android... I have to trust Apple / RIM for iOS and Blackberry.

    4. Re:it's not a matter of time... by Anonymous Coward · · Score: 0

      The 10-fail erase thing doesn't count when you are brute-forcing the passcode through the usb/dock port. Every combination of 0-9 can be tested in 2 minutes without erasing the phone. I use a passphrase, which sucks to type in, but the additional keyspace makes a brute-force attack potentially take months.
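
Comment 43's smartcard idea and the replies to comment 44 turn on the same question: which component counts the attempts. The sketch below is an added example, not code from any phone, vendor or poster, and it contrasts a counter kept by the lock screen with one kept beside the key. The class names, the sample PIN and the simplified salted-hash check are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_TRIES = 10  # "erase after 10 failed attempts", the figure used in the thread


def four_digit_pins():
    """Every 4-digit PIN, 0000 through 9999."""
    return (f"{n:04d}" for n in range(10_000))


class _Lock:
    """Shared state: a salted PIN reference and a random 256-bit data key."""

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._ref = self._digest(pin)
        self._key = os.urandom(32)  # random key, never derived from the PIN

    def _digest(self, pin):
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def _matches(self, pin):
        # Constant-time comparison of the candidate against the stored reference.
        return hmac.compare_digest(self._digest(pin), self._ref)


class UiCountedLock(_Lock):
    """Counter lives in the lock screen; the verifier underneath is uncounted."""

    def __init__(self, pin):
        super().__init__(pin)
        self.ui_failures = 0

    def verify(self, pin):
        """Low-level check, reachable by any code running on the device."""
        if self._key is not None and self._matches(pin):
            return self._key
        return None

    def lock_screen_entry(self, pin):
        """The path taken when a person types on the screen."""
        key = self.verify(pin)
        if key is not None:
            self.ui_failures = 0
            return key
        self.ui_failures += 1
        if self.ui_failures >= MAX_TRIES:
            self._key = None  # wipe
        return None


class TokenCountedLock(_Lock):
    """Smartcard-style: counter and key sit behind the same boundary."""

    def __init__(self, pin):
        super().__init__(pin)
        self.tries_left = MAX_TRIES

    def verify(self, pin):
        """The only interface; every call spends an attempt."""
        if self._key is None:
            return None
        self.tries_left -= 1  # spend the attempt before comparing
        if self._matches(pin):
            self.tries_left = MAX_TRIES
            return self._key
        if self.tries_left == 0:
            self._key = None  # destroy the key; the data is now unreadable
        return None


def guesses_until_key(lock, candidates):
    """Feed candidates to lock.verify(); return (key or None, calls made)."""
    guesses = 0
    for pin in candidates:
        guesses += 1
        key = lock.verify(pin)
        if key is not None:
            return key, guesses
    return None, guesses


if __name__ == "__main__":
    pin = "7391"  # constructed sample PIN
    for cls in (UiCountedLock, TokenCountedLock):
        key, n = guesses_until_key(cls(pin), four_digit_pins())
        print(f"{cls.__name__}: key released={key is not None} "
              f"after {n} calls to verify()")
```

With the counter in the lock screen, the full PIN space is searched without a single counted failure; with the counter beside the key, the key is gone after ten wrong guesses whichever interface delivered them.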

  45. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 2

    Biometric auth perhaps? .. Not perfect of course..

    You can't do much except fingerprint realistically on a phone... nobody is going to tolerate a retinal scan to make or answer text messages and phone calls.

    And it would need to work reliably (low false accept rate / accepting photos of the finger, fingerprints lifted with gummy bears off the phone itself, etc.) or it's not secure... with a near zero false reject rate or it would be unacceptable to users...

    And to top it off it has to work to those tolerances under a wide range of temperatures and humidity levels and while at least moderately dirty...after all it's a phone in your pocket... not a checkpoint in a well controlled environment.

    A final nail in biometrics' coffin for this sort of application is that you can very easily be coerced to unlock it... from criminals, to law enforcement, to the psycho you fell asleep next to on the plane... all just need to touch your finger to the handset to unlock it...

    Getting a pass phrase out of you runs from "we need a wrench" to "we need a judge willing to throw out the 5th" ... which is of course doable, but the bar is a bit higher... for now at least.

  46. Re:Not much good if the passcode is easy to guess by Githaron · · Score: 4, Insightful

    You could have a soft and hard lock. A soft lock could be done with a short simple pin. When you believe that you are in danger of having your device taken you put it in a hard lock that clears the decrypted encryption key from the memory and requires the full password to unlock. Not perfect but a compromise.

  47. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 1, Interesting

    can you place or answer calls without unlocking it? Holding it up for "face recognition" while driving would be illegal in an increasing number of places.

    I'm also not convinced that the pattern drawn on screen is really more secure than a short digit password. I admit I don't know a lot about it.

    But as a programmer I'm imagining ways that it would be implemented...

    After factoring in that the recognition has to be loose enough to accept anything "pretty close", there aren't -that- many different designs you can "draw" in a short number of strokes... well under a million I think... which is roughly equivalent to a 6 digit passcode... yikes.

  48. This phone will self destruct in .... by Anonymous Coward · · Score: 0

    Obviously, Apple & Google are in bed with the authorities... they could fix this if they wanted to.

    I don't carry a data logger ^H^H^H^H^Hcell phone but if I did, I'd want it to have a self destruct mechanism. Take my phone and it destroys itself... no one, not even me, not even apple, can get at the data after that point.

    It'll never happen. Why do we carry these devices around with us, voluntarily?!?!

    1. Re:This phone will self destruct in .... by FishTankX · · Score: 1

      I saw some video of a guy once who rigged up a cellphone to a thermite charge in his hard drive, meaning he could blow his laptop at any time. Maybe someday cellphones will have the same thing. But I think the easiest way to do it would be to have a certain text message that you determine (essentially a 160 character pass code) remote wipe the phone.

    2. Re:This phone will self destruct in .... by sven_eee · · Score: 1

      I'd want it to have a self destruct mechanism. Take my phone and it destroys itself... no one, not even me, not even apple, can get at the data after that point.

      So you would install Windows Mobile on it? That would destroy it for sure.

    3. Re:This phone will self destruct in .... by LF11 · · Score: 1

      That works unless they put the phone in a shielded bag. Then it won't receive text messages.

  49. Re:Not much good if the passcode is easy to guess by gknoy · · Score: 1

    Agreed. There's only 10! (3.6 million) ways to connect the dots, max, and even then most people won't use all of them. It increases if you can visit a node twice, but even then that's only like 10^N for N edge endpoints, right? (I'm probably off by one on that...)

    Requiring a more detailed login (google login) is a good counter after a few failures, but honestly looking at the smudge pattern on the screen probably would be a HUGE hint. (There are probably even microscopic wear patterns that are more common over your swipe pattern, in fact. I bet it'd be really neat to look at some images of those.)

  50. The same thing is done elsewhere, too. by Anonymous Coward · · Score: 0

    Not only swedes...
    http://www.oxygensoftware.ru/en/default.asp

  51. Re:Not much good if the passcode is easy to guess by garyebickford · · Score: 2

    IIRC a long time ago (early 1980s?) an IBM Research Fellow published a paper about signature recognition (for the same essential purpose of authentication). He/she found that the actual strokes were not so important but the acceleration was. IOW, your actual signature varies quite a bit from one to another, but the series of accelerations are more similar.

    So, I think this could be used. You could just 'sign' our phone. A reasonable 'signature' would have to my mind at least 50 data points of acceleration or deflection. Since we do vary the sig, some kind of fuzzy matching with the accepted vector would be required - say 90%. Then if it matches, the signature recognizer could use the correct data as the key to the decryption.

    Thus, we would not need to remember a long key, just let our muscle memory do its thing.

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  52. Re:Not much good if the passcode is easy to guess by CSFFlame · · Score: 2

    Like shutdown. Long code on power up. Short code on unlock.

  53. Re:Not much good if the passcode is easy to guess by Thing+1 · · Score: 1

    And it would need to work reliably [...] with a near zero false reject rate or it would be unacceptable to users...

    My current Android phone fails the fingerprint recognition about three times in five (possibly more like six times in seven; it's definitely more than one in two, though, because almost always it fails the first swipe, and often the second as well). It's still much better than typing a (ridiculously easy to crack) 4-digit PIN, though. Of course, the fallback is a 4-digit PIN, but thanks to this discussion I'm looking into the available settings (I've already added the encryption setting, so thanks, seriously). Then I read the rest of your post, and I'm not so sure I want to have detachable fingers...

    --
    I feel fantastic, and I'm still alive.
  54. You are all overthinking this... by weweedmaniii · · Score: 4, Insightful

    The easiest workaround, if you are doing something questionable with your smartphone, is to carry a dumb phone, with an appropriate number of contacts: Mommy, a pastor, the local animal rescue shelter, etc. and hand that to the LEOs. They aren't going to ask "Is this the only phone?" They look, they see that you are Mr. Citizen of the Year and you're on your way...

    --
    "If stupid things work...then they are not stupid."
    1. Re:You are all overthinking this... by kermidge · · Score: 1

      Which works fine until you are searched, by which time you're already arrested. In my jurisdiction the police do not need to state that you're under arrest before or after you're handcuffed according to the cops, a local judge, an assistant DA, and a public defender; they do not have to Mirandize you until you're in jail at which time it appears to be optional. Same goes for the county sheriffs. Fun system.

    2. Re:You are all overthinking this... by Anonymous Coward · · Score: 0

      Nope, we're not.

      If law enforcement *really* wants your data for some reason, they already have a reason for wanting it. If they *really* already have a reason for wanting it, they've gotten assistance from their tech unit. (Which may range from a moonlighting Geek Squad tech up to what the FBI and NSA have.) And thus they have already asked your provider under a sealed warrant for details of the phone (like the ESN,) and can quickly figure out you're BSing them.

      What you propose is good enough for the average beat cop or podunk police department who isn't smart enough to ask for assistance when they really need it.

      But let's say you did that to the beat cop.... Your only other obstacle is if you can get away with it - if the cop doesn't smell your BS. (And, if you really look like Mr Citizen of the Year, the average cop will already be suspicious as heck.) They catch you in the lie.

      So now, was whatever you were thinking you were protecting worth an Obstruction of Justice felony charge????? Even if you beat the rap or a prosecutor declines to file charges, how many hours of your life are you willing to spend while law enforcement is messing with you? They can play better games than you, as they have more time and resources to mess with you than you do to mess with them.

    3. Re:You are all overthinking this... by King_TJ · · Score: 1

      Umm, sure, except you must not be making much use of that smartphone if you're not even going to carry it with you anyplace, out of fear someone might get ahold of it. All your calls are going to have to go to that dumb phone you actually have with you, and at that point? The smartphone doesn't seem so smart to bother with in the first place.

    4. Re:You are all overthinking this... by Anonymous Coward · · Score: 0

      No, they're going to search you, and find all of them. Yes, even the one you have placed where the sun does not shine.

      AC

  55. Re:Not much good if the passcode is easy to guess by Anonymous Coward · · Score: 1

    Good luck dialing for help when you slice your hand open on a table saw...

  56. Not without USB by sven_eee · · Score: 1

    I can't speak for Apple users but as an Android user I only ever need to connect the USB on my phone for charging, everything else I do wirelessly. I also have a user changeable battery so could survive without USB at all.
    So if by chance the USB connector becomes damaged or in some way disabled at a hardware/low level this approach would be rendered useless and they would have to fall back to the "Tell me or else" approach.

  57. Muahaha by Anonymous Coward · · Score: 0

    these glossy fashion pieces of shit are going to get your dumb ass into a lot of trouble.

  58. Re:Not much good if the passcode is easy to guess by mysidia · · Score: 5, Interesting

    I would suggest having two methods: (1) Tap the power button 3 times or power off, to engage full lock manually. (2) an RFID or bluetooth "leash" concealed somewhere about your body; if the phone is within range and then suddenly taken more than a certain distance from your RFID transponder, the new distance will be calculated by the units, and when the threshold is exceeded, the "hard lock" engages automatically.

    This way if you drop your phone, or someone steals it, the hard lock will engage.

    The bluetooth leash could also have a remote lock button on it, and be designed to automatically signal a lock if the leash is removed from your body, or if a sufficient "sudden jolt motion" or downward motion is detected by an accelerometer on the leash (indicating that someone grabbed it real fast), or you were forced to drop it.

  59. Re:Not much good if the passcode is easy to guess by ceoyoyo · · Score: 1

    "Not really sure what the solution is."

    Don't keep secret stuff on your phone. Or, if you have to, keep it separately encrypted. There are lots of apps that are fine for moderately secure stuff that use encryption and long passwords.

  60. Why bother by Anonymous Coward · · Score: 0

    Why not just serve the user a subpoena and ask them nicely for the code instead?

  61. Hi, my name is Werner Brandes. by Anonymous Coward · · Score: 0

    My voice is my passport. Verify Me.

  62. Why obscure the passwords... by Anonymous Coward · · Score: 0

    If you are going to show us what they are???

    Let's see... For the Android phone, you listed:
    1_SSID: Reed Training
    1_Password: Foxtrot42
    2_SSID: Teligateway00-1F-9F-4C-6F...
    2_Password: C33CBB6C4F
    3_SSID: BTHomeHub2-CN5M
    3_Password: 42b8dfedd5

    Okay... What else would you like to obscure???

  63. Misinformed, misleading article by Anonymous Coward · · Score: 0

    It's disappointing to see how little slashdot knows about security in smart phones. So I will attempt to impart some knowledge on you.

    First of all, as the video shows, there is no "undisclosed" vulnerability.
    Second, the quick ability to crack pin codes is severely misleading -- this is only true of the small set of 4-digit pins (10,000 in total).
    If using a long passcode, or an alphanumeric one, their product is completely unable to bypass Data Protection.

    On the vulnerability: Prior to the iPad 2, all iPhones and the iPad 1 had a bootrom vulnerability that was discovered and exploited by the benevolent jailbreak community. The vulnerability can not be fixed, it is forever in hardware. A hodge podge of security leech companies have since repurposed this to sell to the peeping toms of the law: police enforcement. The tool is just another one of the many things to do this.

    On pass codes and data protection: Dino Dai Zovi's iOS 4 security guide provides comprehensive, unbiased information about iPhone security.
    www.trailofbits.com/resources/ios4_security_evaluation_paper.pdf. He cites about 9 guesses/second. Shouldn't someone who has code running on the phone be able to steal the key? No! Because the keys are fused into the hardware, impossible to pull out by software. It would require invasive analysis to discover the key for quick bruteforcing, (blind guess: cost of this would be $250k+ per individual device).

    9 guesses per second is severely limiting:

    Assuming an alphabet of A-Za-z0-9
    A 4-character alphanumeric passcode would take on average 9.5 days (max 19 days)
    A 6-character alphanumeric passcode would take on average 100 years (max 200 years)!

    If you read the article, the real limitation is the ability of companies to adapt the data protection APIs, so that when your phone becomes passcode locked -- it encrypts all of your personal data as much as possible.

    Wake up sheeple! Do your research. Use an alphanumeric passcode! Good luck
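
The figures in the comment above follow from keyspace divided by guess rate. The calculator below is an added example, not taken from the comment or the paper it cites; it reproduces those figures at the quoted 9 guesses per second and inverts the calculation to get a minimum passcode length for a target search time. The function names and the extra "lowercase" row are assumptions.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY
GUESSES_PER_SECOND = 9  # on-device rate quoted in the comment

# Alphabet sizes; "alphanumeric" is the A-Za-z0-9 set the comment assumes.
ALPHABETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62}


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to try every passcode of exactly this length."""
    return alphabet_size ** length / rate


def average_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected time: on average half the keyspace is searched."""
    return worst_case_seconds(alphabet_size, length, rate) / 2


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
             ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} seconds"


def min_length(alphabet_size, target_seconds, rate=GUESSES_PER_SECOND):
    """Shortest length whose average search time reaches the target."""
    length = 1
    while average_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def policy_table(lengths=(4, 6, 8)):
    """Rows of (alphabet, length, average, worst case) for a quick comparison."""
    rows = []
    for name, size in ALPHABETS.items():
        for length in lengths:
            rows.append((name, length,
                         humanize(average_seconds(size, length)),
                         humanize(worst_case_seconds(size, length))))
    return rows


if __name__ == "__main__":
    for name, length, avg, worst in policy_table():
        print(f"{name:>12} x{length}: average {avg:>22}, worst case {worst:>22}")
    years = 10
    for name, size in ALPHABETS.items():
        needed = min_length(size, years * SECONDS_PER_YEAR)
        print(f"{name}: at least {needed} characters for a {years}-year average")
```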

  64. So all I need to do to my enemies is ... by Skapare · · Score: 0

    ... send them some encrypted kiddie porn and tell them it's a new game if they can figure out how to crack it. Then call the cops and say this guy had something really vile showing on his phone screen.

    --
    now we need to go OSS in diesel cars
  65. undisclosed vulnerability? by DragonTHC · · Score: 1

    you mean a government backdoor.

    I have no problems with the NSA having this information, I just don't know how I feel about the local PD having it.

    --
    They're using their grammar skills there.
  66. iPhones aren't designed for secure communication by michaeldupreejr · · Score: 1

    The iPhone's encryption is weak. The ability to pull a copy of the whole file system in DFU mode via USB is also sad from a security standpoint. iPhones offer no native pgp support. Security restrictions are not pushed securely to the device as in the case of blackberry + bes. So if u desire security take a look at the blackberry that succeeds in many of the ways that the iPhone fails when it comes to security. I use iPhone myself, but have used blackberries in the past and via BES they can actually be locked down pretty well. Also to those who say it's just a phone, what difference does it make, phones now store emails, photos, and all sorts of other information. I use my email for slightly sensitive stuff all the time, if my phone got compromised I wouldn't want to have to worry bout a bank account number or ss number being compromised. I really would prefer that my mail be stored in a secure environment. So as one person said, if u really need to keep secret something you're doing on your iPhone, setup your own mail server with https access for a web mail that works well on iPhone, and conduct your shady business through that so that nothing is actually stored on the device.

  67. How Many Bavarian Illuminati Does it Take? by Jeremiah+Cornelius · · Score: 2

    Three:
    One to crack the iPod, and one to confuse the issue.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:How Many Bavarian Illuminati Does it Take? by BrokenHalo · · Score: 1

      Possibly true.

      But since this issue keeps reappearing on geekish forums, it's probably worth repeating (again, sigh) that if you have anything you really don't want generally known, then don't put it on a phone or any other device that can be stolen or easily scraped for data. Better still, don't store it on any electronic device at all.

  68. real passwords obscured by amoeba1911 · · Score: 1

    At around 10 minutes there's a "real passwords obscured" block that fades in... really quick before the fade you can see the "real passwords"
    They are:
    Foxtrot42
    42b8dfedd5

    Not sure what the point of "obscuring" if you can see them anyway.

  69. is there an android app... by Adult+film+producer · · Score: 1

    that prevents logging of any information? Or at least erases any logged information as it's written?

  70. Chain of Custody by Anonymous Coward · · Score: 0

    I know law enforcement has some procedures they use when they search PCs, various chain of custody requirements, not working off the master hard drive(s) etc. Shouldn't these apply to cell phones also? Where the phone has to have a good chain of custody, they can't jailbreak the master (if they did wouldn't that be good grounds for the defense to have the evidence thrown out of court).

  71. For the record by koan · · Score: 1

    Cops plug the phone in and push a button, they can't understand, grasp or crack shit.

    --
    "If any question why we died, Tell them because our fathers lied."
  72. Two minutes? by Anonymous Coward · · Score: 0

    If you own an iPhone, chances are really good that somebody already knows your password. Because you are a doof. If I were a black hat, I'd be targeting Apple devices specifically because of demographics. You have more money than you need, and you make bad decisions. You know we can just cut out the middle man and you can give me your credit card info now. There is no story here.

  73. Re:Not much good if the passcode is easy to guess by MaskedSlacker · · Score: 1, Funny

    Ooh! I love the non-sequitur game!

    Good luck entering a PIN so you can call 911 when you're being physically assaulted.

    Your turn.

  74. Why can't we have decent phones? by Casandro · · Score: 1

    I mean that all would be trivial to solve if phones would boot from external memory. You could then have 2 micro SD cards, one with your unsuspicious OS, and the other one with an encrypted other operating system. Everything stored on the phone does not reside in Flash, but ROM so they cannot install some sort of keylogger into the bootloader.

    That would also make replacing a broken phone just as simple as replacing a broken computer. Just pop out your storage and put it into the new one. (Works at least when you have the same kind of hardware, and with common operating systems)

  75. Q.Q by chucklebutte · · Score: 1

    All I see is a bunch of pew pew and QQ. All these features iPhone and Android either just got, don't have, or might get in the next release are all the same secure feature Blackberry has had forever. Why do droves of idiots flock to iPhone and Android? Malware ridden, data snooping/stealing/selling, billboards in your pocket that you pay a premium for just sounds horrendous!

    I guess 5000 fart apps and 1000 apps that when I shake my phone sounds like a shotgun is worth it?....

  76. Re:Not much good if the passcode is easy to guess by Anonymous Coward · · Score: 0

    Good luck entering a PIN so you can call 911 when you're being physically assaulted.

    All smartphones permit emergency calling from the locked screen.

    Your turn.

  77. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 1

    So, I think this could be used. You could just 'sign' our phone. A reasonable 'signature' would have to my mind at least 50 data points of acceleration or deflection. Since we do vary the sig, some kind of fuzzy matching with the accepted vector would be required - say 90%. Then if it matches, the signature recognizer could use the correct data as the key to the decryption.

    a) A lot of people's signatures vary by WAY more than 10% each run... I can sign twice in a row, and the two are barely the same. For my own signature ... sometimes I make a tiny loop for the e, sometimes it's just a little pointed bump like an undotted i, sometimes... it's just not there at all. There are some definite "features" that my signature consistently has, but other parts are highly variable.

    b) The reason signature analysis works at all is because it's analyzing a muscle memory motion that we've already committed, so there is consistency. A child doesn't have a signature; they still draw their name out letter by letter each time.

    Any sort of "sign your phone" process would have the same problem... we don't have a "swipe motion" we can use... sure we can make one up... but it will take weeks? months? years? of repetition before it has that characteristic rhythm like a signature. At the start we will be like children drawing it out each time...with no muscle memory rhythm.

    Thus, we would not need to remember a long key, just let our muscle memory do its thing.

    Unfortunately I think we'd need to remember a long key as well... as a backup in case there was a problem with these other methods. Your "signing it" example could render your phone otherwise inaccessible by getting a nasty paper cut that made you much more careful and conscious moving your finger... or inducing you to use a different finger than usual ... both which would prevent you from matching your characteristic rhythm.

  78. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 1

    Then I read the rest of your post, and I'm not so sure I want to have detachable fingers...

    For the record, the reason I said it was so easy to defeat for criminals, law enforcement, and psychos on planes was that all they had to do was grab your hand and swipe your finger over the reader...

    This is much easier to do to an unwilling you than coercing a pass code/phrase, they can simply overpower you and force you to do it, or knock you unconscious and do it, or wait for you to fall asleep, even without resorting to severing your fingers. Although of course... they could do that too.

  79. Re:Not an undisclosed vulnerability, it's a featur by rdebath · · Score: 1

    I eventually RTFA (and movie). They appear to be 'unbricking' the iPhone with a custom bootloader from the USB. Once they've done this they can grab the flash and post it to the PC. For a PC brute forcing a 4 digit passcode is a millisecond job (hell, a 20-digit passcode is just an annoying little pause).

    It's very much a dumb user tool, if your fingers are too fat to properly push the iPhone's buttons they even have special recovery options for when you mess up.

  80. Re:Not much good if the passcode is easy to guess by vux984 · · Score: 1

    Don't keep secret stuff on your phone.

    Depending on circumstances...

    your call history
    text message history

    could all be "secret".. not necessarily illegal but maybe the fact that you happen to be good friends with a guy who you know smokes up regularly, and another guy who pissed on a dumpster in an alley at 2am walking home from the bar and is now a registered sex offender...

    maybe you don't want border patrol hassling you about them, or extra because of them... again... simply because they're friends of yours... during a routine stop crossing the border to visit family... or whatever hypothetical situation law enforcement has for grabbing at your stuff this time.

    If they can stick your phone on a box... and analyze it for "criminality" links... they will.

    We need to
    a) make it technically not possible through security.

    b) make it clearly unreasonable search and an invasion of privacy short of a warrant relating to suspicion of an actual crime instead of going on a fishing expedition on everyone who wants to do anything beyond hide in their own house their whole life.

  81. Maybe...... by oddware · · Score: 1

    We need TrueCrypt for mobiles

  82. Re:Not much good if the passcode is easy to guess by Fjandr · · Score: 1

    My "balance" is a >10 digit alphanumeric + characters. I can even enter it without having to look at my phone's keypad since there's a small tab on the 5 key which lets me know which button I'm hitting in relation to it. Doesn't work if you have a touchscreen though.

  83. Mm-mm by ThatsNotPudding · · Score: 1

    You can just feel the freedom!

  84. Re:Not much good if the passcode is easy to guess by Thing+1 · · Score: 1

    Yep, I realized that -- but I still like the over-the-top "scoop the eyeball out with a spoon for the retinal reader" (I forget the name of the film, it scarred me at a young age).

    --
    I feel fantastic, and I'm still alive.
  85. TheRaven64 (u trolling worm): Step inside... apk by Anonymous Coward · · Score: 0

    Anytime you *think* you have the intellect to 'get the better of me'? Come on over here -> http://mobile.slashdot.org/comments.pl?sid=2734503&cid=39493361 & disprove any points I have made on hosts files there!

    (Along with the thoughts & opinions of your /. peers that outnumber your craven tactics 40++:1 and actually agree that hosts files are useful for speed, security, and more of beneficial value to they and others)

    You're 'so brave' doing cowardly little trollish ad hominem attack attempts, in your snide little comment there -> http://mobile.slashdot.org/comments.pl?sid=2734503&cid=39406223 !

    Let's see how well you bear up under fire when you're challenged to disprove not only the thoughts of others on hosts files benefits they have gotten using custom hosts files, but also points I have made in favor of hosts files that have gotten myself modded up MANY TIMES here by others also (which is tough to get as an AC since /. buries our posts by default).

    * It is going to be a PLEASURE annihilating you...

    APK

    P.S.=> So yes - that's right: I am going to make it a point to humiliate you now, worm.

    Especially since you saw fit to attempt to try to 'start up' with me there with an off-topic illogical failing attempt @ ad hominem attacks directed my way there!

    So - now the shoe's on the other foot, except that it will illustrate your inadequacy in things technical in computing hugely, proving this is no mere ad hominem attack on my part (only payback you merited, and best part is? YOU only did this, to yourself, worm)... apk

  86. Strawman by Benanov · · Score: 1

    You can call 911 without entering your pattern/passcode on Android.

  87. "undisclosed vulnerability" ? by Snaller · · Score: 1

    So the moment they fix that, the company is out of business?

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    1. Re:"undisclosed vulnerability" ? by psydeshow · · Score: 1

      So the moment they fix that, the company is out of business?

      The moment they fix all vulnerabilities, you won't be able to jailbreak your phone.

      I wonder why they have never fixed them all, then? Perhaps it is actually a hard problem to solve...

  88. Headless Beast: by jduhls · · Score: 1

    Security Industrial Complex

  89. Only one solution by Snaller · · Score: 1

    Don't get caught! ;)

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  90. Re:Not much good if the passcode is easy to guess by Moxon · · Score: 1

    In my mind it doesn't even matter if cut off body parts are actually usable for biometric authentication. Any self-respecting thug who has seen Demolition Man, Minority Report, or one of the many others, will have to try the trick for himself just in case the people who said it didn't work were just trying to keep the competition in the dark..

  91. Useless with ICS by Anonymous Coward · · Score: 0

    This tool simply is totally useless if you are using an ICS phone and have full device encryption enabled.

    They can't even access the filesystem to find the files they want to read.

    The real question is, when is iOS going to get FDE capability?

  92. This is not news and was achieved a long time ago by Anonymous Coward · · Score: 0

    Ummm, bruteforcing the passcode was completed ages ago...

    https://code.google.com/p/iphone-dataprotection/

  93. Re:Not much good if the passcode is easy to guess by tophermeyer · · Score: 1

    I like that. A long code on powerup would give you the option of just yanking your battery.

  94. Re:Not much good if the passcode is easy to guess by tophermeyer · · Score: 1

    Neat idea. It could sit on a keyring and work just like the keyless transponders for cars.

  95. What exactly were you protecting ? by freaker_TuC · · Score: 1

    The secret plans to solve the world economy (and hunger) problem or a device which allows you to communicate?

    It all sounds great to have; but; you got to think more global. Something which works for a phone, might work for a wallet, keys or anything (more important) which needs to be protected against pickpockets .. my 2 cents ..

    Ok, it has my personal data on it, but the burden to replace every single card in my wallet (while I keep this one thing streamlined as possible) or replacing all my keys costs me more trouble (and money) than a phone backup restoration.

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    1. Re:What exactly were you protecting ? by mysidia · · Score: 1

      It all sounds great to have; but; you got to think more global. Something which works for a phone, might work for a wallet, keys or anything (more important) which needs to be protected against pickpockets .. my 2 cents ..

      In the future your phone will be your wallet and keys.

      Your "driver's license" will simply be a token in a computer database, that your biometrics unlock. If an officer needs your ID, they will simply scan your face and take your thumbprint, no need to carry around a 20th century style physical token.

      Banking apps and near-field communication will allow you to use your phone as a credit card. Money is too easily counterfeited; digital currency will replace it, and a phone app will be used to effect person-to-person transfers using short range wireless.

      To unlock your car you place your phone on the door sensor, push the unlock button your car powers on and unlocks, you get in, stick your phone in the "ignition" slot in your car, tap your PIN on the touch screen, your car starts.

      When you get within range of your home, a 'open door' button is displayed on your cell phone, you push that, and your apartment or house unlocks for you.

      So your phone is phone, wallet, and keys.

      And one robust security mechanism protects them all

    2. Re:What exactly were you protecting ? by freaker_TuC · · Score: 1

      In the future your phone will be your wallet and keys.

      We're far away from this future, knowing my Nokia 6310 already supported contactless payments ; which has never been possible to use in the EU. Also, our police officers do not ask for fingerprints; according to Belgian law we need to keep our identity papers at all times with us in our pockets. Not doing so is illegal. This is in many EU countries.

      Although, a feedback system would be great for the "most important objects to take outside" ; like keys, carkeys, cell and wallet. Preferably with proximity detection. In that case, there will be no "moments of shame" having to knock you awake, to find out you can't pay or enter your own house anymore ...

      I am afraid the "house of the future" is an idea of the past, to be revised in the present, when cost effective enough to produce. We're just not there yet ...

      --
      --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    3. Re:What exactly were you protecting ? by mysidia · · Score: 1

      We're far away from this future, knowing my Nokia 6310 already supported contactless payments ; which has never been possible to use in the EU. Also, our police officers do not ask for fingerprints; according to Belgian law we need to keep our identity papers at all times with us in our pockets.

      Well, it may be far in the future for YOU, but all the requisite technologies already exist, it's just a question of development of software and productization. In free countries you don't have to carry identity papers with you.

      Contactless payment methods exist and are implemented by stores; Visa Paywave, Mastercard paypass, for example. Inclusion of the technology in a smart phone is a simple iteration. As soon as there is customer demand for it, most stores will implement it rapidly.

      Vehicles on the market are already opened remotely using a wireless remote or transponder, and are started that way too, so it's no stretch this capability can be extended to smart phones within the next couple years.

      As far as houses being openable with a smart phone, biometric fingerprint locks and remote-operated deadbolts already exist. Again, extending this to smart phones is just an integration problem, which is easy to do with software devices, not a problem requiring development of new technology.
      Of course other possibilities also eliminate the need for physical keys -- hand scanner deadbolt on the front door is just as good, if not better, than using a smart phone.

      Any scenario where you don't need to carry around physical keys anymore suffices for eliminating that problem. RFID implanted in your body for making payments is just as equivalent; there are plenty of options resulting in you not needing to carry around anything other than a communications device.

      Obviously there is consumer choice, and some consumers will choose to live in the way they learned in the past and was more familiar to them, such people will continue to carry around physical tokens.

      The existence of such people, even in a majority, doesn't deny the shift, however, to smart phone as everything.

  96. Re:Not much good if the passcode is easy to guess by Thing+1 · · Score: 1

    just trying to keep the competition in the dark..

    With the retinal scanner... I see what you did there... :)

    --
    I feel fantastic, and I'm still alive.
  97. Re:Not much good if the passcode is easy to guess by ewanm89 · · Score: 1

    All mobile phones can dial the national emergency number while locked; it's a legal requirement in several countries, so, say, if I come across an accident and borrow the injured person's phone, I can dial for an ambulance.

  98. Big Deal by DarthVain · · Score: 1

    It is a 4 digit numerical password, not exactly advanced cryptanalysis there. On top of that, most people that choose passwords, usually choose something stupid.

    We found an iPhone at a cabin we rented for a stag party a few years ago. The previous girl left her whole wallet. The guy who broke it, only had to try exactly twice, and probably took less than a minute, and no fancy software was involved.

    Try # 1: 1234
    nope
    Opened wallet, and looked at driver's licence. Mused aloud, let's see how dumb this chick is:
    Try #2: Birthday (can't remember was either day/month, or month/day, either way got it first shot)
    yup.

    We did mail it and all the contents of her stuff back to her however.

  99. Unlock/Jailbreak by Anonymous Coward · · Score: 0

    I just unlocked my iPhone and used the software to jailbreak it, too. Now that it is jailbroken, I can tether my iPhone and use it as a mobile hotspot for FREE. It was really easy, took a few minutes, is 100% reversible at any time, and very cheap. Check it out --> http://unlockeveryiphone.com/amember/go.php?r=1287

  100. Re:Not much good if the passcode is easy to guess by MaskedSlacker · · Score: 1

    Point to me.

    Remember, your responses must have nothing to do with the previous comment.

    Now to resume: I am a banana!