Cops Can Crack an iPhone In Under Two Minutes

Soulskill posted more than 2 years ago | from the can-i-see-that-for-a-minute dept.

Cellphones 375

Sparrowvsrevolution writes "Micro Systemation, a Stockholm-based company, has released a video showing that its software can easily bypass the iPhone's four-digit passcode in a matter of seconds. It can also crack Android phones, and is designed to dump the devices' data to a PC for easy browsing, including messages, GPS locations, web history, calls, contacts and keystroke logs. The company's director of marketing says it uses an undisclosed vulnerability in the devices it targets to run a program on the phone that brute-forces its passcode. He says the company's business is 'booming' and that it's sold the devices to law enforcement and military customers in 60 countries. He says Micro Systemation's biggest customer is the U.S. military."


sounds great (0)

Anonymous Coward | more than 2 years ago | (#39490149)

Any "smart" phones actually secure? Openmoko

Re:sounds great (5, Informative)

rhook (943951) | more than 2 years ago | (#39490417)

Android 4.x includes the option to encrypt the filesystem.

Re:sounds great (5, Informative)

DJRumpy (1345787) | more than 2 years ago | (#39490457)

Certainly. Even an iPhone allows you to set any password of any length that you like. The 4 digit passcode is the default but you don't have to use it. I always set at least an 8 character code.

From TFA:

Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”

In short, longer passwords are tougher to crack by brute force and potentially not worth the time. Seriously, this is a non-story other than the fact that there should be a warning on all mobile phones that a 4 digit pin is this decade's WEP.

okay (0)

Anonymous Coward | more than 2 years ago | (#39490157)

Make an app that will encrypt all your information, SSH all your stuff to dropbox then brick the phone. Cops can't do jack.

Not much good if the passcode is easy to guess (1)

daninaustin (985354) | more than 2 years ago | (#39490471)

If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.

Re:Not much good if the passcode is easy to guess (5, Interesting)

vux984 (928602) | more than 2 years ago | (#39490603)

If you can brute force the passcode because it is only a 4 digit number it's not much use to have secure encryption.

While if you have a 40 character passphrase you have to enter every time you want to unlock it, it's not terribly useful as a mobile phone.

Not really sure what the solution is. Some sort of balanced approach... 4 digits to unlock the basic functionality... place and answer calls... use preselected apps...

full passphrase to get deeper in...

with some user options to control where exactly the boundary is...

but this is of course "complicated" which disqualifies it from being ideal too... so I'm not really sure what the solution is.

Existing tech already in use in USA (0)

Anonymous Coward | more than 2 years ago | (#39490159)

http://en.wikipedia.org/wiki/Cellebrite

Maybe the delay is in the UI (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39490169)

undisclosed vulnerability

Maybe the delay between login attempts is only in the UI, and using API level access they can brute force the combinations without the delay from wrong passcodes, making it much quicker?

Pshaw (5, Funny)

TechHawk (570290) | more than 2 years ago | (#39490173)

I can crack any smart phone in under 15 seconds.

With a sledgehammer...

Re:Pshaw (2)

someone1234 (830754) | more than 2 years ago | (#39490321)

Either that, or the owner's fingers.

Re:Pshaw (0)

Anonymous Coward | more than 2 years ago | (#39490489)

It's called Gravity.

Re:Pshaw (1)

agm (467017) | more than 2 years ago | (#39490667)

My son cracked his iPod touch by leaving it in his pockets which ended up in the washing machine. Ouch. Not a happy chappy.

Wasted taxpayer money (5, Insightful)

deathtopaulw (1032050) | more than 2 years ago | (#39490175)

What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

Re:Wasted taxpayer money (0)

Anonymous Coward | more than 2 years ago | (#39490297)

Right? I highly doubt it's a REAL vulnerability though. I would picture it more akin to mounting the device as a secondary drive, and reading it like we do live disks. I'll bet the vulnerability term was used as a flashy 'hey look, spooky!' for greater media bandwidth.

Re:Wasted taxpayer money (0)

Anonymous Coward | more than 2 years ago | (#39490373)

it's supposed to be fully encrypted when you use a non-simple passcode

Re:Wasted taxpayer money (0)

Anonymous Coward | more than 2 years ago | (#39490317)

You pay XRY a yearly update license of around 5000 USD per license (physical dongle), and that includes upgrades to the latest version. If the vulnerability is fixed, you'll have to wait until they find another one.

Re:Wasted taxpayer money (4, Insightful)

dougmc (70836) | more than 2 years ago | (#39490401)

What happens when these vulnerabilities are fixed and the kits become useless? I assume our overlords will have to pay for a new version.

Serious answer, they probably get a support contract when they buy the software that entitles them to support and updates during the length of the contract. That's the way commercial Enterprise software generally is licensed, I see no reason why this would be different.

It's entirely possible that their vulnerability could be fixed and they end up with nothing they can use for a while, and there's probably a clause in the contract that says this could happen but that they promise to make a good faith effort to find more vulnerabilities and "fix" their software as soon as possible. (But I seriously doubt it offers their money back -- after all, the rest of the software will probably still work, and even this part will still work on unpatched phones.)

Re:Wasted taxpayer money (0)

Anonymous Coward | more than 2 years ago | (#39490645)

The vulnerabilities will not be fixed.
"For national security reasons."

Undisclosed? (5, Insightful)

ichthus (72442) | more than 2 years ago | (#39490195)

If the manufacturers (Apple and Google) were truly interested in patching these "undisclosed" vulnerabilities, they could purchase this software and run it on test/dev devices to see how it's done.

Re:Undisclosed? (1)

Anonymous Coward | more than 2 years ago | (#39490265)

What do you want to bet you sign a license saying you won't reverse engineer the device, or at least click through one?

Re:Undisclosed? (1)

Anonymous Coward | more than 2 years ago | (#39490407)

What do you want to bet you sign a license saying you won't reverse engineer the device, or at least click through one?

Please, not even the lawyers who write those would think twice before ignoring it.

Re:Undisclosed? (2)

gnick (1211984) | more than 2 years ago | (#39490565)

Exactly.

1) Buy a device
2) Figure out what it's doing
3) Coincidentally discover a bug in your phone and offer a patch

Re:Undisclosed? (1)

rhook (943951) | more than 2 years ago | (#39490447)

Doesn't the DMCA already make doing so illegal?

Re:Undisclosed? (2)

Rouphis (2501464) | more than 2 years ago | (#39490537)

DMCA don't apply to "the man".

Re:Undisclosed? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39490453)

You think a company that produces a program that bypasses the user's pass-code on an iPhone is going to sue Apple for violating a EULA and win?

You do realize that iOS has a EULA too, and that bypassing a password lock to gain access to a computer system is a felony, right? Even if Apple couldn't throw money at the problem until it goes away (they can), they'd still be in a position where their opponents broke the same law they accused Apple of and developed a product that has illegal uses. Not to mention that Apple could probably argue lost revenue and/or brand damages if it seems likely people would choose not to buy an iPhone because of the existence of this software.

Re:Undisclosed? (0)

Anonymous Coward | more than 2 years ago | (#39490613)

Interesting. So the police are committing a felony when they crack your device?

Re:Undisclosed? (4, Insightful)

FunPika (1551249) | more than 2 years ago | (#39490343)

Looking at Micro Systemation's website, they verify who you are and what you are going to use it for before they even start discussions on selling it. Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

Re:Undisclosed? (4, Interesting)

Khyber (864651) | more than 2 years ago | (#39490429)

Apple's got enough money to just sink Micro Systemation. I have the feeling if Apple wanted this thing closed, they'd have done it long ago.

Re:Undisclosed? (1)

AngryDeuce (2205124) | more than 2 years ago | (#39490635)

Something tells me getting contacted from an Apple email saying that they want to render the software useless is not going to get past that.

Why would Apple do that? They have their own police to get it for them. [wsj.com]

Previous Android gesture lock story (5, Interesting)

manekineko2 (1052430) | more than 2 years ago | (#39490207)

Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]

Re:Previous Android gesture lock story (4, Informative)

Sez Zero (586611) | more than 2 years ago | (#39490399)

Weren't we reading just two weeks ago about how the FBI utterly failed in cracking an Android phone's gesture lock, and had to go demanding Google to help them?

http://yro.slashdot.org/story/12/03/14/2222229/fbi-tries-to-force-google-to-unlock-users-android-phone [slashdot.org]

That's actually referenced in the article, probably a case of a long/strong passcode.

Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.” That may have been the situation, for instance, in one recent case involving the phone of Dante Dears, a paroled convict accused of running a prostitution ring known as “Pimping Hoes Daily” from his Android phone; The FBI, apparently unable or unwilling to crack the phone, asked Google to help in accessing it.

Re:Previous Android gesture lock story (0)

Anonymous Coward | more than 2 years ago | (#39490497)

In the story link, it says they use brute force to find the passcode and admit sometimes it takes too long and is not worth the time.

Re:Previous Android gesture lock story (1, Interesting)

SuricouRaven (1897204) | more than 2 years ago | (#39490539)

There are only 9!+8!+7!+6!+5!+4!+3!+2+1 possible combinations. That's... 409113.
409k combinations. It may sound like a lot, but in computer terms that's less than 2^19.

Twenty-bit encryption. Hmm. Unimpressive.
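
An added example, not part of the original thread: the lock types compared in this discussion (the default 4-digit PIN, the Android gesture lock, an 8-character passcode) sized as keyspaces. The pattern count is enumerated under the assumed Android rules (4 to 9 distinct dots, no stroke may pass over an unvisited dot); the guess rate is an assumed figure, not a measurement of any tool or device.

```python
import math

# Dots of the 3x3 gesture grid are numbered:
#   0 1 2
#   3 4 5
#   6 7 8


def _midpoint(a, b):
    """Return the dot lying exactly between dots a and b, or None."""
    row_a, col_a = divmod(a, 3)
    row_b, col_b = divmod(b, 3)
    # A dot sits exactly between a and b only when both coordinate
    # sums are even (e.g. 0 -> 2 passes over 1, 0 -> 8 passes over 4).
    if (row_a + row_b) % 2 == 0 and (col_a + col_b) % 2 == 0:
        return ((row_a + row_b) // 2) * 3 + (col_a + col_b) // 2
    return None


def count_patterns(min_dots=4, max_dots=9):
    """Count gesture patterns under the assumed lock-screen rules:
    every dot is used at most once, and a stroke may cross a dot only
    if that dot is already part of the pattern."""

    def extend(last, visited, length):
        total = 1 if length >= min_dots else 0
        if length == max_dots:
            return total
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # dot already used
            mid = _midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over an unvisited dot
            total += extend(nxt, visited | (1 << nxt), length + 1)
        return total

    return sum(extend(start, 1 << start, 1) for start in range(9))


def compare_locks(guesses_per_second=100):
    """Return (name, keyspace, bits, seconds to try every value).

    guesses_per_second is an ASSUMED rate chosen for illustration.
    """
    locks = [
        ("4-digit PIN", 10 ** 4),
        ("Android pattern, 4-9 dots", count_patterns()),
        ("8 chars, lowercase + digits", 36 ** 8),
    ]
    return [
        (name, size, math.log2(size), size / guesses_per_second)
        for name, size in locks
    ]


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    for name, size, bits, secs in compare_locks():
        print(f"{name:30} {size:>16,} values  {bits:5.1f} bits  "
              f"worst case {human(secs)}")
```

Each extra character multiplies the keyspace by the alphabet size, which is why the quoted article concedes that a longer passcode can make brute force "not worth doing".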

Re:Previous Android gesture lock story (0)

Anonymous Coward | more than 2 years ago | (#39490587)

Yes and now thanks to the Slashdot article, they know where to purchase a tool that can automate it!! :D Great job!

Re:Previous Android gesture lock story (4, Informative)

milkmage (795746) | more than 2 years ago | (#39490605)

no you weren't. did you read the linked piece?

the phone locked because they struck out too many times on the gesture lock. the phone is now asking for the GOOGLE credentials. It's not like the guy's pattern was so awesome it defeated the FBI - how many strikes do you get before the phone requires your google login? my BBerry gives me 5 before it nukes itself. 5 failed attempts is not "utter failure"

https://threatpost.com/en_us/blogs/can-google-be-forced-fbi-unlock-users-phones-031412 [threatpost.com]
"Once they failed enough times, the phone locked and now requires the user's Google username and password for access. As a result, the FBI is asking that Google be forced to hand over the information to get them into the phone."

great system (seriously) .. require stronger auth if the first lock thinks it's being attacked.

4-digit pass code... (0)

Anonymous Coward | more than 2 years ago | (#39490209)

Wow must be amazing technology that can brute force a four digit number password.

Now for anyone that has a clue and is using something a little bit more complex...

Re:4-digit pass code... (1)

gnud (934243) | more than 2 years ago | (#39490259)

Well, iphones are often set to wipe "automatically" after 4 failed attempts.

Re:4-digit pass code... (1)

countach (534280) | more than 2 years ago | (#39490347)

That may not happen if they've jailbroken it and are hacking it from internally.

Re:4-digit pass code... (3, Insightful)

X0563511 (793323) | more than 2 years ago | (#39490355)

Does it actually wipe it, or merely disable your ability to unlock it without help from Apple?

Re:4-digit pass code... (0)

Anonymous Coward | more than 2 years ago | (#39490633)

If it was merely a disable it wouldn't be called "wipe", numbnuts. So, yes, it does actually wipe the device. That's the whole point behind a feature that says "wipe data".

Re:4-digit pass code... (1)

dougmc (70836) | more than 2 years ago | (#39490421)

Well, iphones are often set to wipe "automatically" after 4 failed attempts.

And people who do this probably find their iPhones wiped quite often ...

And this software probably bypasses that anyways.

Re:4-digit pass code... (1)

gnick (1211984) | more than 2 years ago | (#39490591)

If they're somehow imaging the drive it's easy - Just run every attempt against the same image instead of the one counting fails.

Re:4-digit pass code... (1)

msheekhah (903443) | more than 2 years ago | (#39490261)

like the alphanumeric passcode on the iPhone

Re:4-digit pass code... (1)

X0563511 (793323) | more than 2 years ago | (#39490379)

... or android.

Though typing out a proper password every time you want to unlock the phone gets annoying FAST.

Keystroke Logs? (4, Insightful)

steevven1 (1045978) | more than 2 years ago | (#39490211)

Um, why do these even exist on the phones in the first place?

Re:Keystroke Logs? (1)

crazyjj (2598719) | more than 2 years ago | (#39490319)

Presumably to make it just hard enough to hack to give you time to deactivate it before your local crackhead's fingers get tired.

Not an undisclosed vulnerability, it's a feature! (1)

Anonymous Coward | more than 2 years ago | (#39490217)

I'm pretty sure they're just interfacing with it the same way consumers do to transfer messages, photos, etc. to a computer. Maybe the software being used is different, and displays other folders that are usually hidden from novice users and maybe it does it automatically. Not much different than what happens at the store when you upgrade your cell phone.

So, they Jailbreak it. (0)

Anonymous Coward | more than 2 years ago | (#39490223)

Okay, well, that was easy. They jailbreak the phone (or Root it, for Android peeps) and then have their way with it. That's pretty straight forward for an expensive piece of software.

Security 101 (0)

Anonymous Coward | more than 2 years ago | (#39490227)

Use long passwords and limit the number of attempts without some sort of timeout period or lockout after too many unsuccessful attempts.

Which makes me wonder, on iPhone and android, how long can these codes be? Is there a lock if there are too many unsuccessful attempts? What sort of other features does the phone have to prevent this brute forcing?

Re:Security 101 (3, Informative)

leenks (906881) | more than 2 years ago | (#39490359)

The attack boots an alternative firmware onto the device. I doubt an unsuccessful attempt lock is much use...

4 digit integer passcode (1)

alienzed (732782) | more than 2 years ago | (#39490229)

10000 possible passcodes... most systems can try that many in a few seconds. What slow ass computer are they using that it takes 2 minutes?

Re:4 digit integer passcode (0)

Anonymous Coward | more than 2 years ago | (#39490279)

It probably takes 119 seconds to image the drive to an external device and then less than 1 second to crack the pass code.

X tries then wipe? (1)

xtal (49134) | more than 2 years ago | (#39490313)

I'd be much more interested in how they're getting around that feature. That requires memory access or code injection, and as others have mentioned, it's a jailbreak or blatantly intentional.

Re:4 digit integer passcode (1)

LostCluster (625375) | more than 2 years ago | (#39490331)

Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

Re:4 digit integer passcode (2)

PNutts (199112) | more than 2 years ago | (#39490415)

Apple needs to implement a common blocking scheme. Maybe 10 wrong then wipe is too extreme for some users, but even Mac OSX respects 3 wrong then hide the input box for a delay.

They do.

Re:4 digit integer passcode (2)

leenks (906881) | more than 2 years ago | (#39490337)

The iPhone. The summary even explains that... The article and video demonstrate even more. It loads alternative firmware onto the device and uses that to crack the passcode stored on the device. Most of the time is spent loading the code onto the device, not cracking the code.

I wonder how well it works with a complex iPhone passcode though (if at all?) - I confess to not watching all of the video or reading the article properly.

Re:4 digit integer passcode (2)

countach (534280) | more than 2 years ago | (#39490365)

Err... the iPhone's "slow ass" computer?

Re:4 digit integer passcode (1)

rgbrenner (317308) | more than 2 years ago | (#39490491)

A few seconds?! I was just testing # of rounds w/ SHA512 for password encryption. The system has an AMD Sempron 140 [newegg.com] -- a $30, single core processor. Plus, it runs XenServer... so subtract some % for the virtualization overhead.

Results: 10,000 rounds of SHA512 in 96ms

Re:4 digit integer passcode (1)

viperidaenz (2515578) | more than 2 years ago | (#39490597)

a $30 2.7GHz CPU, which is many times more powerful than the $5 ARM processor in the phone this thing runs on.

Not surprised (1)

Anonymous Coward | more than 2 years ago | (#39490243)

Once you have physical access, compromise is only a matter of time. For legitimate warranted arrests and seizures let the pigs have their point and click exploit tools to catch the dumb criminals.

What we need to guard against is having some ruggedized handheld pig fob handed out to every meter maid and traffic cop. Imagine being stopped for a traffic violation and having the fucker ask for "license registration, and your phone please" and have him snoop/dump your device while he runs your plates.

Re:Not surprised (1)

bhcompy (1877290) | more than 2 years ago | (#39490345)

Sorry, I don't have my battery (except poor iPhone users can't even attempt to pull that off). Also, I don't have the key to undo my hoodpins so you can't see if I removed my smog equipment.

Re:Not surprised (1)

dougmc (70836) | more than 2 years ago | (#39490445)

What we need to guard against is having some ruggedized handheld pig fob handed out to every meter maid and traffic cop. Imagine being stopped for a traffic violation and having the fucker ask for "license registration, and your phone please" and have him snoop/dump your device while he runs your plates.

Sounds like a job for the Fourth Amendment, which is already in place.

(Of course, the other half of the equation is to not be tricked by the cop into giving permission to search the device, of course, but that's a problem with physical searches now.)

Re:Not surprised (1)

SuricouRaven (1897204) | more than 2 years ago | (#39490573)

They can always arrest you for breaking some other law.
Not sure which? Oh, there will be one, somewhere. Everyone is a potential criminal, it's just a matter of hunting hard enough. Ever dropped some litter and been caught on CCTV? How many times? I'm sure those fines all add up to a fair bit.

Re:Not surprised (1)

Anonymous Psychopath (18031) | more than 2 years ago | (#39490679)

They can always arrest you for breaking some other law.
Not sure which? Oh, there will be one, somewhere. Everyone is a potential criminal, it's just a matter of hunting hard enough. Ever dropped some litter and been caught on CCTV? How many times? I'm sure those fines all add up to a fair bit.

Arrest doesn't invalidate your Fourth Amendment rights. If you have a passcode, they need a warrant. They cannot legally force you to unlock your phone yourself without one.

If you do not have a passcode, any data on your phone is considered to be in plain sight and a warrant is not required. Use a passcode.

What about stronger passcodes? (5, Interesting)

tlhIngan (30335) | more than 2 years ago | (#39490251)

iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

How does this thing fix that?

Also - it seems if they can run a program using it, it's a perfect jailbreak hole. Because the standard kernels now in iOS don't allow running unsigned programs. So either the dongle has to inject code into the kernel or other already-running process (if you can do that, it's a jailbreak avenue) in order to disable the signature check functionality, or they're running some sort of secret signed code ...

Re:What about stronger passcodes? (1)

Sez Zero (586611) | more than 2 years ago | (#39490419)

iOS (and I guess Android) have another layer of passcode lock that's more secure than the 4-digit PIN, though it requires a bit more work. They're basically passwords (or pass phrases?) and while they're a pain, they are supposedly much stronger than the PIN.

How does this thing fix that?

It doesn't. They basically say that if there's a tough passcode, it might take so long as to be not worth guessing.

Dicksinson acknowledges that users who set longer passcodes for devices can in fact make the devices far tougher to crack. “The more complex the password, the longer and harder it’s going to be to access the phone,” he says. “In some cases, it takes so long to brute force that it’s not worth doing it.”

10 wrong then wipe rule? (2)

LostCluster (625375) | more than 2 years ago | (#39490255)

Unclear from the article is whether this hack would get anything if the 10-wrong rule for wiping everything is in effect.

This software needs to be released/leaked (1)

Galestar (1473827) | more than 2 years ago | (#39490281)

If any Joe Shmoe can crack an iPhone/Android, it might put public pressure on device manufacturers to close these holes.

Re:This software needs to be released/leaked (1)

mrbester (200927) | more than 2 years ago | (#39490383)

How about Google and Apple team up to sue? I'm sure they wouldn't be happy about some hacker group making money from undisclosed vulnerabilities so why would this company be any different?

Re:This software needs to be released/leaked (1)

rhook (943951) | more than 2 years ago | (#39490511)

I wonder if Google could sue them and force them to release the source code?

Re:This software needs to be released/leaked (0)

Anonymous Coward | more than 2 years ago | (#39490389)

Wouldn't that mess up their business model?

Re:This software needs to be released/leaked (1)

PNutts (199112) | more than 2 years ago | (#39490393)

That's true, but we're talking about Guberments and Militards. The folks that did Stuxnet don't have issues getting into your phone and the ability to do this has been around for years.

Taking code from the iPhone Dev Team? (4, Informative)

grei9715 (688827) | more than 2 years ago | (#39490311)

The process is identical to what you do to jailbreak an iPhone - which makes sense. In both cases, the device would need to be put in DFU (eg, the "help, I'm broken, iTunes please fix me") mode. You have to wonder if these guys actually do the R&D for the iPhone, or just take the work that's already been done by others like the iPhone Dev Team.

Since this is pretty much a guaranteed vulnerability anyway (at least, every iOS up to now can be jailbroken with a tether), a much more interesting question is how much harder is a longer/more complicated password to break? If this is literally a bruteforce enumeration, a reasonable password (that could be used for a computer) would be fairly safe.

Re:Taking code from the iPhone Dev Team? (2)

JohnnyLocust (855742) | more than 2 years ago | (#39490465)

It may actually be possible they have the means to just perform a backup of the phone and decrypt that via a brute force method. These guys here seem to be able to do that: http://www.elcomsoft.com/eppb.html [elcomsoft.com]

I'll give you my phone... (0)

axlr8or (889713) | more than 2 years ago | (#39490323)

When you can pry it from my cold, dead hands.

We need full phone encryption. (1)

Karmashock (2415832) | more than 2 years ago | (#39490333)

We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

Re:We need full phone encryption. (1)

Sez Zero (586611) | more than 2 years ago | (#39490439)

We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

Like NSA's SE Android [informationweek.com] ?

Re:We need full phone encryption. (1)

Karmashock (2415832) | more than 2 years ago | (#39490513)

Is it encrypted? If I pull the memory chip out of the phone and load it by some means into another machine will the information be encrypted?

Anyway, it looks neat. Is it impossible to install? It looks complicated.

Re:We need full phone encryption. (0)

Anonymous Coward | more than 2 years ago | (#39490473)

This (the lack of block level strong encryption) is why I don't have a smart phone. It has always seemed spectacularly idiotic to walk around with a device storing, at minimum, phone numbers of everyone you've called, and potentially a lot of other sensitive data such as when you've been where... and NOT encrypt it.

Seriously... WTF? Why are millions of people so careless?

Re:We need full phone encryption. (1)

interval1066 (668936) | more than 2 years ago | (#39490499)

Until then we can use Encryption Manager [appbrain.com] .

Re:We need full phone encryption. (2)

spinkham (56603) | more than 2 years ago | (#39490533)

iOS has "full drive encryption" in iOS 4 and later.

It's just protected by a 4 digit pin which can be easily brute forced by default.

You can use a stronger passcode, but you have to type it on every unlock so few do.

Re:We need full phone encryption. (1)

Karmashock (2415832) | more than 2 years ago | (#39490577)

it would seem there are simple ways to make more complex passwords. For example, maybe you draw a picture with your fingers and the system unlocks if you get it close to right. Can you have "fuzzy" encryption? Something that locks a system with a "general" password? I ask because obviously with the picture idea you're never going to enter it in exactly the same every time.

Re:We need full phone encryption. (0)

Anonymous Coward | more than 2 years ago | (#39490535)

We need versions of the android OS and apple iOS that are designed from the ground up to be secure. Full drive encryption would be a good start.

It was already done 10 years ago - it's called a blackberry.

Maybe you should get a blackberry if you care about your data.

Re:We need full phone encryption. (1)

AndrewNeo (979708) | more than 2 years ago | (#39490631)

Android 3 and higher supports this.

Old news (0)

Anonymous Coward | more than 2 years ago | (#39490351)

PhoneView is a commercial utility that's been available for ages: it allows you to backup and browse the iPhone's data like iTunes should allow you to, completely painlessly. It does so using an exploit, and it's wonderfully useful to use:

http://www.ecamm.com/mac/phoneview/

Whenever I plug in my phone, it automatically backs up new text messages, and lets me browse my phone. Even though I have a passcode. The software vendors did not think to market it as a security breaching utility, but if they had, they would be making big bucks too.

Do I blame Apple? No of course not. If my phone had to be secure enough so that it couldn't be cracked if I lost it or it got stolen, then the device would be a fucking pain to use!!

Strong passcode option & delete after 10 attem (1)

blahbooboo (839709) | more than 2 years ago | (#39490375)

I believe these two options in iOS will make it a bit more secure

1) Strong passcode option (alphanumeric and more than 4 characters)

2) Delete all data after 10 incorrect passcode attempts

Re:Strong passcode option & delete after 10 at (1)

Sez Zero (586611) | more than 2 years ago | (#39490477)

I believe these two options in iOS will make it a bit more secure

1) Strong passcode option (alphanumeric and more than 4 characters)

2) Delete all data after 10 incorrect passcode attempts

Probably strong passcode option, but I'm guessing that this is done at a low enough level to bypass that other feature of iOS.

DMCA? (5, Insightful)

v1 (525388) | more than 2 years ago | (#39490377)

isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

I mean, technically, aren't they hacking it and selling an exploit?

It would be refreshing to see that law used to protect some of the public for once.

Re:DMCA? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39490467)

isn't this a violation of the (grossly over-broad) DMCA, in "bypassing a protective measure"?

I mean, technically, aren't they hacking it and selling an exploit?

Yes. But they aren't located in the USA, and they are (allegedly) only selling to law enforcement, so the DMCA doesn't apply.

It would be refreshing to see that law used to protect some of the public for once.

HAHAHAHAHAHHA! That's a good one. Got any more jokes?

Re:DMCA? (1)

viperidaenz (2515578) | more than 2 years ago | (#39490651)

But they are selling to USA entities. So importing should be illegal, right?

Wonder how they did Android... (3)

downhole (831621) | more than 2 years ago | (#39490395)

I'm curious how they managed to crack the Android phones. All of the rooting methods that I know of involve manually enabling Debug mode on the phone and then rooting around on the command line. If you have a screenlock enabled and have not left debug mode enabled, then I don't see any simple way to get access to the phone to even start to mess with exploits.

Then there's the question of how this relates to the FBI publicly having to go beg Google for help to get into some low-level criminal's Android phone that had the pattern lock enabled, which some have previously complained wasn't really all that secure. Are these guys blowing smoke about how easy it is to crack Android? Were the FBI guys working on this particular case just not on the ball? Has the Government decided not to break out their coolest tricks to solve a relatively minor crime? Did this guy have some particular model that's much harder to crack?

Re:Wonder how they did Android... (1)

toadlife (301863) | more than 2 years ago | (#39490589)

Well if it's a Samsung phone [slashdot.org] ....

Phones with locked bootloaders would probably require an actual kernel or Android system exploit.

I don't use smartphones but... (0)

Anonymous Coward | more than 2 years ago | (#39490397)

using a 4-digit passcode is like asking to be hacked.

Security just isn't a priority (5, Interesting)

syncrotic (828809) | more than 2 years ago | (#39490543)

How to make phone operating systems more secure:

1. Remove the mechanism by which a forgotten password can be bypassed. Forgot your password? Tough shit. Now that you've bricked your phone, maybe you won't be so forgetful next time.

2. No USB access of any kind when the phone is locked. It's a huge vulnerability.

3. Full disk encryption. Granted, the phone spends most of its time operating with the key in memory, but...

4. Phone turns off when you remove the back cover or otherwise try to get inside of it. Not hard to do.

An extremely dedicated attacker could potentially bypass these measures, but not your average traffic cop or border patrol agent on a fishing expedition.

Instead, phones are designed to make it inconvenient for John to pick up Suzie's phone and read her text messages, and to make sure Suzie can easily reset her password so her carrier doesn't have to deal with a whiny tech support call.

What you can do, however, if you have a reasonably user-serviceable phone, is cut the data lines going to the USB jack. It'll charge slower (500mA limit), but plugging in a USB cable won't grant a casual snoop any access. File transfer can be handled via wi-fi.

Re:Security just isn't a priority (2)

AndrewNeo (979708) | more than 2 years ago | (#39490643)

I'm curious how difficult it would be to have an alternate ROM for Android phones just have a 'USB toggle' that blocks access to the USB module entirely (add/remove kernel module?)

gravity (0)

Anonymous Coward | more than 2 years ago | (#39490621)

did they drop it?

20 minutes? (0)

Anonymous Coward | more than 2 years ago | (#39490655)

Psh. I could do it within seconds...

...using a sledgehammer, of course. ;>

I'm safe from this crack (2, Funny)

Yvan256 (722131) | more than 2 years ago | (#39490683)

My password is one, two, three, four, five.
