Cops Can Crack an iPhone In Under Two Minutes
Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."
undisclosed vulnerability
Maybe the delay between login attempts is only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?
I can crack any smart phone in under 15 seconds.
With a sledgehammer...
"My brand of comfort isn't so much 'There-there' as it is 'There's a boot, pardon me while I connect it with your ass!'"
What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.
If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.
sig: sauer
Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?
http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone
iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.
How does this thing fix that?
Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...
isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?
I mean, technically, aren't they hacking it and selling an exploit?
It would be refreshing to see that law used to protect some of the public for once.
I work for the Department of Redundancy Department.
Android 4.x includes the option to encrypt the filesystem.
Certainly. Even an iPhone allows you to set any password of any length that you like. The 4 digit passcode is the default but you don't have to use it. I always set at least an 8 character code.
From TFA:
In short, longer passwords are tougher to crack by brute force and potentially not worth the time. Seriously, this is a non-story other than the fact that there should be a warning on all mobile phones that a 4-digit PIN is this decade's WEP.
How to make phone operating systems more secure:
1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.
2. No USB access of any kind when the phone is locked. It's a huge vulnerability.
3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...
4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.
An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.
Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.
What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.
If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.
While if you have a 40 character passphrase you have to enter every time you want to unlock it, it's not terribly useful as a mobile phone.
Not really sure what the solution is. Some sort of balanced approach... 4 digits to unlock the basic functionality... place and answer calls... use preselected apps...
full passphrase to get deeper in...
with some user options to control where exactly the boundary is...
but this is of course "complicated" which disqualifies it from being ideal too... so I'm not really sure what the solution is.
When this sort of thing is actually designed for security, there is a dedicated crypto coprocessor with some memory that is write-only from the perspective of the rest of the system. You write the key to it once, and then it will encrypt or decrypt data that you pass to it. The decoder chip can be locked and you must supply the correct passcode to enable its access to the stored key. If you provide the wrong key a preset number of times, it deletes the internal copy of the key and the only way you can get at the data is by restoring the key from another device (typically a backup stored in a safe). Even if the entire OS is compromised, it can't get at the key unless it provides the correct passcode to the decryption chip (actually, it can't get at the key then either, but it can instruct the crypto chip to do it). Some ARM SoCs incorporate this functionality.
I am TheRaven on Soylent News
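Added example, not from the thread: a toy Python model of the crypto coprocessor described in the comment above (key written once and never read back, decryption only after the correct passcode, key erased after a preset number of wrong guesses). Running a 4-digit brute force against it also illustrates the earlier points about UI-only delays and short PINs: the same PIN falls in a few thousand tries when nothing below the UI counts attempts, and survives when the counter lives in the chip. The passcode, attempt limit and XOR "cipher" are constructed for the demo and are not real cryptography.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

class CryptoChip:
    """Toy crypto coprocessor: write-only key, wrong-passcode wipe counter."""

    def __init__(self, passcode: str, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._pass_tag = self._tag(passcode)   # verifier, not the passcode
        self._key = os.urandom(32)              # never exported to the host
        self._max_attempts = max_attempts
        self._failures = 0
        self.wiped = False

    def _tag(self, passcode: str) -> bytes:
        return hmac.new(self._salt, passcode.encode(), "sha256").digest()

    def _keystream(self, length: int) -> bytes:
        # Toy XOR keystream from the internal key (demo only, not real crypto).
        out = b""
        for ctr in range(0, length, 32):
            out += hashlib.sha256(self._key + ctr.to_bytes(4, "big")).digest()
        return out[:length]

    def crypt(self, passcode: str, data: bytes) -> Optional[bytes]:
        """Encrypt/decrypt data (XOR is symmetric); None on wrong passcode."""
        if self.wiped:
            return None
        if not hmac.compare_digest(self._tag(passcode), self._pass_tag):
            self._failures += 1
            if self._failures >= self._max_attempts:
                self._key, self.wiped = None, True   # erase the key
            return None
        self._failures = 0
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data))))

def brute_force_pin(chip: CryptoChip, ct: bytes, prefix: bytes) -> Tuple[Optional[str], int]:
    """Try every 4-digit PIN; returns (pin or None, attempts used)."""
    for n in range(10_000):
        pin = f"{n:04d}"
        plain = chip.crypt(pin, ct)
        if plain is not None and plain.startswith(prefix):
            return pin, n + 1
        if chip.wiped:
            return None, n + 1
    return None, 10_000

SECRET = b"contacts,messages,gps"   # constructed sample payload
def demo(max_attempts: int) -> Tuple[Optional[str], int]:
    chip = CryptoChip("4711", max_attempts)   # constructed PIN
    return brute_force_pin(chip, chip.crypt("4711", SECRET), b"contacts")
```

demo(10) models the hardware-enforced limit (key wiped after 10 guesses); demo(100_000) models a counter that only the UI enforces, where the PIN is recovered on the 4712th try.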
Android 4.x includes the option to encrypt the filesystem.
As does iOS if you enable it:
http://support.apple.com/kb/HT4175
http://images.apple.com/iphone/business/docs/iOS_Security.pdf
Generally speaking though, only Blackberrys (and much of the related software (BES)) have received any kind of certification for security. Specifically FIPS 140-2 and EAL 4+:
http://us.blackberry.com/ataglance/security/certifications.jsp
It is probably "good enough" for most businesses, but isn't rated for the 'real' security levels: Classified, Secret, and Top Secret.
I work someplace where we have a lot of personal health information, and the IT director (CISSP et al.) only allows Blackberrys for portable devices. He has an iPhone for his personal stuff, but carries a BB for work because iOS just isn't up to our needs yet when it comes to data security.
I would suggest having two methods: (1) Tap the power button 3 times or power off, to engage full lock manually. (2) An RFID or bluetooth "leash" concealed somewhere about your body; if the phone is within range and then suddenly taken more than a certain distance from your RFID transponder, the new distance will be calculated by the units, and when the threshold is exceeded, the "hard lock" engages automatically.
This way if you drop your phone, or someone steals it, the hard lock will engage.
The bluetooth leash could also have a remote lock button on it, and be designed to automatically signal a lock if the leash is removed from your body, or if a sufficient "sudden jolt motion" or downward motion is detected by an accelerometer on the leash (indicating that someone grabbed it real fast), or you were forced to drop it.