Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

AlexNguyen Member Posts: 358
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.

Comments

  • tpatt100 Member Posts: 2,991
    Well I always thought of a pass code as a way to prevent snooping and to stop those less technical from accessing your phone. I never assumed it was fail proof especially if somebody gets a hold of the actual device.
  • demonfurbie Member Posts: 1,819
    tpatt100 wrote: »
    Well I always thought of a pass code as a way to prevent snooping and to stop those less technical from accessing your phone. I never assumed it was fail proof especially if somebody gets a hold of the actual device.
    you never did but most people do

    I do this kind of work daily for the court, and you would be surprised what people think is secure and not. Most of the time the passcodes can be broken by social engineering or by looking at the screen when they eat and unlock their phone.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • the_Grinch Member Posts: 4,165
    Or finger prints making the code visible from swiping on it :)
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Devilsbane Member Posts: 4,214
    tpatt100 wrote: »
    Well I always thought of a pass code as a way to prevent snooping and to stop those less technical from accessing your phone. I never assumed it was fail proof especially if somebody gets a hold of the actual device.

    It isn't like an encryption key, it's just a simple password. Maybe it is hashed when stored and the hashes are compared, but obviously that isn't a problem for this software. The passcode is really intended to keep a snooping friend/coworker out anyway. Government should be able to crack into it provided they have a search warrant.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    It's just a 4-digit PIN. A 4-digit numeric PIN only has 13 bits of entropy: 10^4 possible combinations. At 10 guesses per second (which is slow), assuming a 50% chance of getting it right before completing half the guesses and no lockout, you are looking at a hack in an average of 8 minutes or so.

    But this hack is pretty cool. What sort of lockout policy does an iOS device have?
  • tpatt100 Member Posts: 2,991
    RobertKaucher wrote: »
    It's just a 4-digit PIN. A 4-digit numeric PIN only has 13 bits of entropy: 10^4 possible combinations. At 10 guesses per second (which is slow), assuming a 50% chance of getting it right before completing half the guesses and no lockout, you are looking at a hack in an average of 8 minutes or so.

    But this hack is pretty cool. What sort of lockout policy does an iOS device have?

    It has an option to enable stronger pass codes and after a number of attempts it disables the device temporarily. I need to check my Android phone to see what options I have on there come to think of it...
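    Putting numbers on the two posts above, as an added example that is not part of the thread: the script below computes the entropy of a numeric PIN, the expected guessing time with no lockout, and the time an escalating lockout schedule forces on a guesser. The schedule values and guess rates are constructed for illustration, not a vendor's documented policy; note that once a PIN hash has been copied off the device the schedule no longer applies and only the no-lockout formula at the cracker's own rate matters.

```python
import math
from typing import Dict, Optional

def pin_entropy_bits(length: int, alphabet_size: int = 10) -> float:
    """Entropy of a uniformly chosen PIN: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def expected_online_seconds(keyspace: int, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random PIN with no lockout:
    on average half the keyspace has to be tried."""
    return (keyspace / 2) / guesses_per_sec

# Constructed escalating lockout schedule: after wrong attempt N the device
# refuses further guesses for the given number of seconds. Attempts past the
# last listed one each incur STEADY_DELAY. Illustrative values only.
EXAMPLE_SCHEDULE: Dict[int, int] = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
STEADY_DELAY = 3600

def seconds_for_attempts(attempts: int, guesses_per_sec: float,
                         schedule: Dict[int, int], steady_delay: int,
                         wipe_after: Optional[int] = None) -> float:
    """Wall-clock seconds a guesser needs to make `attempts` wrong guesses
    against the device itself. If a wipe threshold is set and exceeded, the
    data is gone, so the cost is reported as infinite."""
    if wipe_after is not None and attempts > wipe_after:
        return math.inf
    total = attempts / guesses_per_sec          # time spent entering guesses
    last_listed = max(schedule) if schedule else 0
    for n in range(1, attempts + 1):
        if n in schedule:
            total += schedule[n]
        elif n > last_listed:
            total += steady_delay
    return total

def exhaust_keyspace_hours(digits: int, guesses_per_sec: float,
                           schedule: Dict[int, int], steady_delay: int) -> float:
    """Hours to try every PIN of the given length on a lockout-enforcing device."""
    keyspace = 10 ** digits
    return seconds_for_attempts(keyspace, guesses_per_sec, schedule, steady_delay) / 3600

if __name__ == "__main__":
    for digits in (4, 6):
        print(f"{digits}-digit PIN: {pin_entropy_bits(digits):.1f} bits; "
              f"no lockout at 10/s: {expected_online_seconds(10**digits, 10)/60:.1f} min avg; "
              f"with lockout schedule: {exhaust_keyspace_hours(digits, 10, EXAMPLE_SCHEDULE, STEADY_DELAY):.0f} h to exhaust")
    print("10 attempts with wipe after 10:", seconds_for_attempts(11, 10, EXAMPLE_SCHEDULE, STEADY_DELAY, wipe_after=10))
```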
  • powerfool Member Posts: 1,665
    Well, it would be extremely easy to create a rainbow table for a four-digit PIN, as well. Then, that comes down to a matter of seconds, once you grab the hash. Given how quickly the PIN was nabbed, I would think that the software likely had one.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • powerfool Member Posts: 1,665
    tpatt100 wrote: »
    It has an option to enable stronger pass codes and after a number of attempts it disables the device temporarily. I need to check my Android phone to see what options I have on there come to think of it...

    Well, I think this technique is bypassing the system load. For that matter, if it is bypassing the iOS load, why even bother with cracking the PIN? Just copy the data off... They cannot possibly be using the PIN for full-disk encryption... it loads up without the PIN.
  • tpatt100 Member Posts: 2,991
    powerfool wrote: »
    Well, I think this technique is bypassing the system load. For that matter, if it is bypassing the iOS load, why even bother with cracking the PIN? Just copy the data off... They cannot possibly be using the PIN for full-disk encryption... it loads up without the PIN.

    The person in the article says:
    After bypassing the iPhone's security restrictions to run its code on the phone, the tool "brute forces" the phone's password, guessing every possible combination of numbers to find the correct code, as Dickinson describes it. In the video above, the process takes seconds. (Although admittedly, the phone's example passcode is "0000", about the most easily-guessed password possible.)

    Dickinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. "The more complex the password, the longer and harder it's going to be to access the phone," he says. "In some cases, it takes so long to brute force that it's not worth doing it."

    So doesn't it sound just like a brute force attack for the passcode? The vulnerability is just the lack of complexity of using four choices?
  • tpatt100 Member Posts: 2,991
    Wait, now I understand what you mean. If they can bypass the phone security to run the code that brutes the passkey, why bother with cracking the PIN?

    Maybe the exploit only allows access to the OS but not user data itself. So maybe user data is walled off or the vulnerability doesn't allow full system access to get to anything important.
  • RobertKaucher Member Posts: 4,299
    tpatt100 wrote: »
    The person in the article says:

    So doesn't it sound just like a brute force attack for the passcode? The vulnerability is just the lack of complexity of using four choices?
    My understanding is that they are getting the hash of the pin and brute forcing it from there so that the phone can be unlocked. It seems like they already have access to the data, they are just getting the unhashed version of the pin for convenience's sake to allow the "attacker" to open the phone.
  • tpatt100 Member Posts: 2,991
    RobertKaucher wrote: »
    My understanding is that they are getting the hash of the pin and brute forcing it from there so that the phone can be unlocked. It seems like they already have access to the data, they are just getting the unhashed version of the pin for convenience's sake to allow the "attacker" to open the phone.

    Is it just me, or does that not sound logical? I mean, that is like a burglar getting access to the inside of my house just so they can look for a spare key I might have lying around.
  • DevilWAH Member Posts: 2,997
    Yes, from what I can see they are bypassing the restrictions (such as three tries and it locks, etc.).

    Most OSes/software slow down brute-force attempts, making them impractical to use, or, in the case of the likes of a BlackBerry, wipe the data if you have too many attempts.

    If you can get past these, such as by getting the hash off the device, you can use the full speed and power of a second device to run the brute force until you have the code, and then use it to unlock the device and access the data.

    This is more like getting a picture/mold of the inside of your door lock with the location of all the pins, taking it away and making a key that will fit, then coming back, opening the door and walking in.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • erpadmin Member Posts: 4,165
    Has an application been developed that could encrypt the entire device (iOS or Android) that would defeat this exploit?

    If not, then I see a potential app coming....
  • DevilWAH Member Posts: 2,997
    erpadmin wrote: »
    Has an application been developed that could encrypt the entire device (iOS or Android) that would defeat this exploit?

    If not, then I see a potential app coming....

    No, it can't be, because the password hash itself can't be further encrypted (apart from by the standard manufacturer's OS), as the OS needs to read it to compare it against the one you enter. There are various methods to try to hide it, and I am sure the manufacturers do protect it in some fashion. But it will always be done in the same way, so as soon as you break it on one phone, all other phones will be the same.

    This is the basic principle of jailbreaking devices or cracking DVD/Blu-ray keys. They are static methods, so once broken they are hard to lock down again. Do you not think that if there were a way to protect against them, it would long ago have been implemented by every manufacturer under the sun?
  • RobertKaucher Member Posts: 4,299
    tpatt100 wrote: »
    Is it just me, or does that not sound logical? I mean, that is like a burglar getting access to the inside of my house just so they can look for a spare key I might have lying around.

    There are several scenarios where this might be needed.

    1. I have access to your phone and you don't know it. I want to be able to easily access your phone at another point in time, so I recover the password allowing me to browse your phone whenever I want to.

    2. I forgot my password, can you please recover it for me?

    It's the same sort of thing with Windows passwords. Just because I can reset the password or have access to the data does not mean I don't want to recover the password. This would give me access to files encrypted using EFS as well as the user's saved passwords in IE, etc. There are a number of reasons to recover the password.
  • RobertKaucher Member Posts: 4,299
    DevilWAH wrote: »
    No, it can't be, because the password hash itself can't be further encrypted (apart from by the standard manufacturer's OS), as the OS needs to read it to compare it against the one you enter. There are various methods to try to hide it, and I am sure the manufacturers do protect it in some fashion. But it will always be done in the same way, so as soon as you break it on one phone, all other phones will be the same.

    This is the basic principle of jailbreaking devices or cracking DVD/Blu-ray keys. They are static methods, so once broken they are hard to lock down again. Do you not think that if there were a way to protect against them, it would long ago have been implemented by every manufacturer under the sun?

    ERP is talking about a system like TrueCrypt for the iPhone. And stream ciphers like CSS (used by DVDs) are a really bad example, as they use small keys and a bad algorithm for their encryption. At the time they were created there was an export law that prohibited the export of encryption technology that had keys larger than 40 bits. The system was shackled to the hardware implementation of that system ever after the first DVD player was sold commercially, as you can't just change the standard or a person who bought a player in 1999 would not be able to watch a new DVD.

    Also, the attacks used on AACS (Blu-ray) rely a lot on the fact that a Blu-ray can be played on a PC, and that means the data has to be unencrypted in memory somewhere. These sorts of exploits would not be usable against a device that was locked and had a reliable "shim" placed between it and the device's operating system. If that were not possible, TrueCrypt could be hacked easily via this methodology, and it cannot.