Cops Can Crack an iPhone In Under Two Minutes
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
Android 4.x includes the option to encrypt the filesystem.
Certainly. Even an iPhone allows you to set any password of any length that you like. The 4-digit passcode is the default, but you don't have to use it. I always set at least an 8-character code.
From TFA:
In short, longer passwords are tougher to crack by brute force and potentially not worth the time. Seriously, this is a non-story other than the fact that there should be a warning on all mobile phones that a 4-digit PIN is this decade's WEP.
Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.
It's not as if you can just download their demo version from here:
http://www.msab.com/app-data/downloads/XRY_Reader/XRY_READER_NOINST_6.2.0.zip
Oh wait...
When this sort of thing is actually designed for security, there is a dedicated crypto coprocessor with some memory that is write-only from the perspective of the rest of the system. You write the key to it once, and then it will encrypt or decrypt data that you pass to it. The decoder chip can be locked and you must supply the correct passcode to enable its access to the stored key. If you provide the wrong key a preset number of times, it deletes the internal copy of the key and the only way you can get at the data is by restoring the key from another device (typically a backup stored in a safe). Even if the entire OS is compromised, it can't get at the key unless it provides the correct passcode to the decryption chip (actually, it can't get at the key then either, but it can instruct the crypto chip to do it). Some ARM SoCs incorporate this functionality.
I am TheRaven on Soylent News
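The key-holding chip described in the comment above, modeled as an added example (not part of the thread or any vendor's code). The class `CryptoCoprocessor`, its method names, and the HMAC-SHA256 keystream standing in for a real cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class CryptoCoprocessor:
    """Toy model of a key-holding chip: the host can use the key, never read it."""

    def __init__(self, max_attempts=3):
        self._key = None          # stays inside the chip; no getter exists
        self._verifier = None     # salted, stretched hash of the passcode
        self._salt = os.urandom(16)
        self._max = max_attempts
        self._failures = 0
        self._unlocked = False

    def _hash(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def provision(self, key, passcode):
        """Write the key once (or restore it from a backup after a wipe)."""
        if self._key is not None:
            raise PermissionError("key slot already written")
        self._key, self._verifier = bytes(key), self._hash(passcode)
        self._failures, self._unlocked = 0, False

    def unlock(self, passcode):
        if self._key is None:
            return False          # never provisioned, or already wiped
        if hmac.compare_digest(self._hash(passcode), self._verifier):
            self._failures, self._unlocked = 0, True
            return True
        self._failures += 1
        self._unlocked = False
        if self._failures >= self._max:
            self._key = self._verifier = None   # erase the only copy of the key
        return False

    def crypt(self, nonce, data):
        """XOR data with an HMAC-SHA256 counter keystream (stand-in cipher).
        The same call decrypts; the key itself is never returned."""
        if not self._unlocked or self._key is None:
            raise PermissionError("chip is locked or wiped")
        stream = b"".join(
            hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def wiped(self):
        return self._key is None and self._failures >= self._max
```

With the attempt counter enforced inside the chip, a compromised OS gets only `max_attempts` guesses before the key is gone, regardless of how fast it can submit them.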
Android 4.x includes the option to encrypt the filesystem.
As does iOS if you enable it:
http://support.apple.com/kb/HT4175
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
Generally speaking though, only Blackberrys (and much of the related software (BES)) have received any kind of certification for security. Specifically FIPS 140-2 and EAL 4+:
http://us.blackberry.com/ataglance/security/certifications.jsp
It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.
I work someplace where we have a lot of personal health information, and the IT director (CISSP et al.) only allows Blackberrys for portable devices. He has an iPhone for his personal stuff, but carries a BB for work because iOS just isn't up to our needs yet when it comes to data security.