Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com)
A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.
The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing
He was using/holding it wrong.
sudo rm -r -f --no-preserve-root /
What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.
If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).
So I can wipe someone's phone without their consent? Is this a feature or a bug?
Well, yes. Of course after 5 attempts you have to wait an increasing time before another attempt - so all you have to do is type in 10 wrong passcodes spread unevenly over 3 hours.
This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a successful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the PIN in the meantime using another phone).
Did entering the correct PIN unlock the phone?
'cause I'd be unsurprised if upon entering the correct PIN you got the same 'wrong PIN', authors of the phone just being lazy and implementing 'SIM doesn't work without PIN, ask for PIN regardless of lockout status'.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
This is like saying I can pull the trigger on a gun and never run out of bullets because the doing in the magazine isn't there...so while both are true the intended outcome isn't possible...a bullet leaving through the barrel. Here, the phone will never unlock since the unlocking mechanism is disabled.
I had changed the PIN and could not remember the order of the digits but could remember the digits, so I tried permutations of the numbers until it unlocked. I got it after 10 or so tries.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
It's fascinating to see how Slashdot has changed. Not that I agree with parent's post (I don't) but a low 6 digit UID slamming Apple used to get a +5 Insightful or at least a +5 Funny.
Right? It's not even like Apple hasn't demonstrated exactly the behavior I pointed out before either. BendGate, KeyboardGate, AntennaeGate, BatteryGate. All instances where Apple shouted to high heaven the perfection of their devices then slowly had to walk it back after mass customer disillusionment and evidence they couldn't avoid.
Oh, and when they do come up with a fix, it will require an Apple Certified PIN Repair Pro certificate that doesn't exist, and parts they haven't ordered into their supply chain.
I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.
So there you have it, not all iPhones wipe after ten bad attempts.
This is a badly written article. Users don't just have a 4 or 6 digit pin as an option; I use a whole passphrase to unlock my iPhone (in the situation where touch ID isn't allowed - when touch-id failed too many times, it's been too long since it was unlocked, the device was powered off, or I did the five button press to disable it)
Does this mean that some jackass can wipe my phone by grabbing it and entering the wrong password 10 times? That would be a nasty prank.
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
Hey, no trying to use reasonable facts to get us off our irrational hate Apple Rant. We need to feel good about our Android Phones, sure Android has its own problems, but gosh darn it! Apple is evil ... EVIL!
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
It isn't enabled by default. So apparently you didn't.
From the comments and stuff I'm reading, Apple needs to step up and fix their junk.
>So I can wipe someone's phone without their consent? Is this a feature or a bug?
A feature, obviously. That's what lets you repair a hopelessly borked device.
Physical access to the device voids virtually all security on any electronic device - the best you can hope for is to keep the new owner from accessing existing data on the device (which Apple does fairly well). Guess what - anyone with physical access to your laptop, desktop, flash drive, phone, tablet, etc. can do the exact same thing, and do so far more quickly and easily than by attempting to log in with an invalid password several times over the course of a few hours.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
caches a successful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card
They might do this to improve login performance due to the SIM card having a slow response time ---
cache the user's correct PIN and verify it locally before submitting to the card, but if a SIM card change is
detected then expunge the cache.
Yup. Slashdot has obviously been taken over and since people who actually understand technology don't use Apple solutions... let's just say it may be time to move on.
Didn't we already put "BendGate" to bed? The iPhone 6 Plus wasn't even the least likely to bend of the tested phones.
I don't remember Apple "shouting to the high heavens" about "KeyboardGate" (I assume the current keyboard problem?) or "BatteryGate" (not sure what this is? The performance throttling to stop the phone from shutting off?). AntennaGate I'm assuming is the "you're holding it wrong" and I'm with you on that one, my recollection of that was a huge PR mess for Apple with lots of blaming the user.
So you've never taken your eyes off your phone for more than 3 hours at a time? Say, while sleeping?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
And if the sim card is removed, PIN changed on another phone, and SIM card is reinserted, all while the phone is off? SIM change not detected.
Having been hit by KeyboardGate, I implore you to apply that theory to me. Even if we say I'm 29, the upper end of your assertion for that to be true I would have to have been 12 when I joined Slashdot after lurking for 4 years, starting at age 8. If you go back to my early posts (I'm not sure it's even possible to go back that far, I can only seem to go as far back as the end of 2008 for post history; my UID dates my account, though), you'll note that they were likely not written by a 12 year old.
Since one of your baseless assertions is clearly incorrect, it would be reasonable to assume that the other two are equally incorrect, as they are equally baseless.
One might also infer projection.
We did, until Apple documents came to light showing that they knew the phones bent too easily.
I would assume that the people who enable it (yes you have to enable it) have made a decision that the risk of having the phone accidentally wiped is less than the risk of the information on it getting leaked. There is also this odd thing called backups that you can do which will severely lessen the problem of a deliberate wipe.
Now there's a reasonable argument. You see, the one I replied to was not.
I did? Where?
Phone requires a reboot if the SIM is removed and reinserted, before it will read the SIM; if we were talking about cache in RAM, this conversation wouldn't be happening.
Rotten to the core you might say.
Maybe it is a non-story, then; the voice of a man crying out in the wilderne--wait, he's got cable.
WARNING: Smartphones have side effects--most of them undocumented.
The company found that the iPhone 6 is 3.3 times more likely to bend than the iPhone 5s, and the iPhone 6 Plus is 7.2 times more likely to bend than the iPhone 5s, according to the documents.
But being more likely to bend isn't necessarily a problem. The Macbook Air is more likely to bend than a Macbook Pro, but that doesn't make it a failure or poor engineering. Materials and engineering choices are made all the time. Every company chooses a particular level their device will bend or break at. In the iPhone 6 they chose to make a larger device, thinner, and were willing to accept that it was more likely to break, assuming it is still within reasonable tolerances. Which is what Consumer Reports found, that it wasn't more likely to bend than other premium phones from other manufacturers. Just because it now wasn't 5x or 7x better than the competition doesn't make it a poor product.
But for some reason people seem to hold Apple to some higher standard of quality, usually while simultaneously complaining about how poor quality their products are.
If the SIM was plugged into another phone and then modified and saved with a new PIN, then the result of the
SIM Status and READ commands which the phone can check prior to PIN authentication to retrieve the base files
on the SIM filesystem will no longer be matching files, if the cached data includes their checksum and/or
SIM status information, and the CCID and Update timestamps; they will reflect that some update has
been written to the card, and the phone could be designed to expunge the cache in this case.
Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?
Somebody got it wrong, and my money is on the company with a decades-long history of flubbing these sorts of tests.
But for some reason people seem to hold Apple to some higher standard of quality,
Probably because the company itself, along with its group of obnoxious fanbois, insist that they have always met that standard, and that they still do today.
usually while simultaneously complaining about how poor quality their products are.
Probably because quality is relative and a lower-middle-tier product that would be perfectly acceptable if that's what you had paid for and expected to get becomes complete crap when it's advertised and priced as high-end. Think about it: nobody complains when their $20 pair of Wal Mart shoes only lasts a year; everybody would be bitching if that were true of a $200 pair, though.
Go look at some objective side-by-side comparisons of Apple and non-Apple laptops sometime. Look at the best Apple has to offer vs the best Lenovo or Dell has to offer, and tell me you still think Apple isn't junk for the price. Do they compare to the lower-middle-end of the typical PC manufacturer's range? Sure; but they're not sold as that and they cost considerably more than that. That's why it's a problem.
Sent from my 2016 MacBook Pro which, thankfully, isn't having keyboard issues this week.
Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?
The PIN is used only to gain authorization required to perform management operations on the card's secure applications or to perform cryptographic operations using the secure keypair from write-only key storage in order to prove the user's identity to the network.
The SIM card's status can be queried, and the files and contents of the SIM filesystem, the names and phone numbers of any contacts stored on the card, etc. are not encrypted or locked by the PIN and could technically be read in without even authenticating ---- that's just ancillary information available on the card which is separate from the Network Identity and cryptographic material that the SIM card is designed to secure.
good information; so updating only the PIN leaves visible traces elsewhere on the card? still seems like bad design.
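An added example, not part of any comment in this thread and not real SIM or phone code: a toy Python model of the design question argued above, comparing card-side PIN verification with a phone that caches a successful PIN and checks later entries locally. The class and function names, the three-try limit and the sample PINs are assumptions made for the illustration.

```python
class ToySim:
    """Constructed stand-in for a SIM: the card alone owns the PIN and the retry counter."""
    MAX_TRIES = 3  # assumption: a typical SIM PIN retry limit, not stated in the thread

    def __init__(self, pin):
        self._pin = pin
        self.tries_left = self.MAX_TRIES

    def verify(self, pin):
        if self.tries_left == 0:
            return "blocked"              # once blocked, even the right PIN is refused
        if pin == self._pin:
            self.tries_left = self.MAX_TRIES
            return "ok"
        self.tries_left -= 1
        return "blocked" if self.tries_left == 0 else "wrong"

    def change_pin(self, old, new):
        if self.verify(old) != "ok":
            return False
        self._pin = new
        return True


class CachingPhone:
    """Hypothetical design from the thread: remember a good PIN, then stop asking the card."""
    def __init__(self):
        self.cached_pin = None

    def unlock(self, sim, pin):
        if self.cached_pin is not None:   # card is never consulted from here on
            return "ok" if pin == self.cached_pin else "wrong"
        result = sim.verify(pin)
        if result == "ok":
            self.cached_pin = pin
        return result


def passthrough_unlock(sim, pin):
    """The other design: every entry goes to the card, so the card's counter is authoritative."""
    return sim.verify(pin)


def scenario():
    sim, phone = ToySim("1234"), CachingPhone()
    phone.unlock(sim, "1234")                       # first unlock populates the cache
    sim.change_pin("1234", "9876")                  # PIN changed elsewhere, change not detected
    stale = phone.unlock(sim, "1234")               # old PIN still accepted locally
    local = [phone.unlock(sim, g) for g in ("0000", "1111", "2222", "3333")]
    tries_after_local = sim.tries_left              # card counter untouched by those guesses
    card = [passthrough_unlock(sim, g) for g in ("0000", "1111", "2222", "9876")]
    return stale, local, tries_after_local, card
```

In the model, the cached check accepts the superseded PIN and lets wrong guesses pass without touching the card's counter, while the pass-through path blocks on the third wrong entry and then refuses even the correct PIN.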