
barkomatic

Original poster
I was out last night with a friend when the two of us met a guy at a bar in Manhattan. He saw me pull out my iPhone to check a text and that was when he mentioned he worked at Apple. I use a passcode on my iPhone and he said he could "guess" my passcode if I locked my phone.

I locked my phone, handed it over, and he was able to somehow either guess my passcode or bypass it somehow within about 3 minutes. He handed the phone back to me and I immediately changed my passcode-- and handed it to him again. He was able to get in again within about 5 minutes this time. I could not see how he was doing this and he left shortly after performing this trick. He wouldn't tell me how he did it.

How?? Is there some type of "master code" that Apple technicians use to get into people's iPhones to repair them? Or, are passcodes just really easy to hack? I don't know in what capacity this guy works for Apple--I assumed he worked at a local retail store as I didn't think Apple had any offices in NY.
 
There are two major possibilities...

One, which is essentially just a limitation of a touchscreen and a short (four digit) passcode... he/she can always just read your fingerprint smudges. Nothing you or Apple can do about that, except possibly use some of the screen covers that don't smudge or else use a much longer password with repetition (making for too many variants to successfully be disambiguated).

Two, I thought this was fixed in 2.1, but I'm not 100% sure...

http://www.securecomputing.net.au/News/121615,iphone-emergency-flaw-to-be-fixed.aspx

If this is still unfixed, the solution is fairly simple -- just change the behavior of the double tap. (EDIT: I'm pretty sure this vulnerability is fixed in 2.1 or later)
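
To put numbers on the smudge argument in the post above, here is an added example (not part of the original thread) that counts how many passcodes remain once the set of digits is known but their order is not, and compares that with the 10 wrong attempts allowed before the "erase data" setting wipes the phone. It assumes every remaining candidate is equally likely and no guess is repeated; the function names are illustrative.

```python
from math import comb

WIPE_LIMIT = 10  # wrong attempts before "erase data" triggers, per the thread


def candidates(pin_len: int, smudged: int) -> int:
    """PINs of length pin_len that use each of `smudged` known digits
    at least once and no other digit (inclusion-exclusion count)."""
    return sum(
        (-1) ** j * comb(smudged, j) * (smudged - j) ** pin_len
        for j in range(smudged + 1)
    )


def guess_odds(pin_len: int, smudged: int, tries: int = WIPE_LIMIT) -> float:
    """Chance of hitting the PIN within `tries` distinct guesses,
    assuming all candidates are equally likely (an assumption)."""
    n = candidates(pin_len, smudged)
    return min(1.0, tries / n) if n else 0.0


def report():
    """Rows of (PIN length, smudged digits, candidates, odds in 10 tries)."""
    cases = [(4, 4), (4, 3), (4, 2), (6, 4), (8, 4), (8, 5)]
    return [(n, k, candidates(n, k), guess_odds(n, k)) for n, k in cases]


if __name__ == "__main__":
    # Baseline with no smudge information: 10 tries out of 10,000 PINs.
    print(f"no smudges, 4 digits: {WIPE_LIMIT / 10**4:.3%}")
    for n, k, count, odds in report():
        print(f"len={n} smudged={k}: {count:>7} candidates, {odds:.3%}")
```

A four-digit PIN with four visible smudges leaves only 24 orderings, so ten tries succeed about 42% of the time, while an eight-digit code with repeated digits over the same four keys leaves 40,824.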
 
I suppose he *could* have read the fingerprint smudges though that seems unlikely. I had been using my phone extensively all day and my screen should have been covered with smudges--plus the bar was not well-lit. I just tried to bypass the passcode with the "emergency call" method but that didn't work for me. Oddly, double tapping the home button started a random song playing but no access to the homescreen.

This is a little disturbing to me--
 
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5F136 Safari/525.20)

just out of curiosity: what time do you set to require the passcode and do you enable the 'erase data' function?
 
Might not work as well with me. I always start to type the wrong passcode (usually the previous one), then have to backspace and reenter the correct one.

Yes, being a klutz definitely can help you here, although arguably it gives people more time to just watch you enter your PIN. ;)

Minimal credible deterrent... that's all it is with the 4-digit PIN. If you use your iPhone with Exchange, I think you get a longer password, which doesn't suck as much. But the password lock on the iPhone is hardly an impenetrable fortress.
 
If there was a "master code", he would have gotten into your phone nearly instantly. Not 3 minutes the first time and 5 minutes the next time around.

Just a thought...
 
Lmao

I set the passcode to lock immediately and I also enable it to erase all data.

Hrm, I could just imagine...

"Hey, I know how to bypass the passcode lock on your iPhone, wanna see?"

"Sure!" *sets a passcode*

"OK, hand it over!" *proceeds to enter the wrong PIN 10 times in a row, erasing data*

OWNED.
 
hahahah sucka!
 
I agree with the smudges theory. That or he watched you enter your passcode, saw where your fingers were pressing, and deduced a certain number of possible combos from there.
 
Yes, being a klutz definitely can help you here, although arguably it gives people more time to just watch you enter your PIN.

Most people can only quickly remember 7 to 9 keystrokes. If you use a sequence that's longer, separated by a random mix of backspaces, only a memory expert would pick it up easily.

.
 
This is a simple case of gullible mind.

If there is such thing as "master code", he wouldn't need 3 minutes and then 5 minutes to unlock your phone.

This is how GOP installs fear to the "conservatives", thus they fear the liberals.
 
OMG, so by creating this thread about my iPhone being unlocked I am actually trying to install fear in the electorate so that I can influence national politics? :) How did you guess? Blast!

Seriously, I have no idea how this guy got in. He never saw me enter my code and he didn't watch when I changed the code to something entirely different. He actually *did* get to the home screen--and did not set off the "erase data" function.

I thought there might have been something obvious that I just missed, but apparently not. He's a magician I guess!
 
Hrm, I could just imagine...

"Hey, I know how to bypass the passcode lock on your iPhone, wanna see?"

"Sure!" *sets a passcode*

"OK, hand it over!" *proceeds to enter the wrong PIN 10 times in a row, erasing data*

OWNED.

which would take like 24 hours to do
 
Hint: you shouldn't have played this game while drinking.

I mean, PINs like '1234' and '1111' aren't exactly hard to guess.

:D

PS. Seriously, I used to design casino systems and we'd watch the logs of what people used for PINs. Over half would use something simple like the above, especially '7777' for luck.

PPS. Do you wear glasses? My brother used to "guess" my cards by watching their reflection.
 
it wouldn't seem nearly as impressive if he simply typed in the "master code" and handed it back to her. by appearing as though he was actually figuring it out, it came across as more dramatic, since the fact that the iPhone didn't erase the data shows that he wasn't just randomly typing in a bunch of codes. of course, this isn't to say that there *is* a master code, but I'd be interested in what was up here as well, assuming the OP wasn't just drunk and imagined it all :p
 
Hey now! ;) I was not drunk nor did I imagine it. There was actually a friend of mine with me who was also quite impressed by this fellow. The original code I used as well as the code I changed it to did not follow a simple pattern like "7777" or "1234" either.

I have no idea if a "master code" exists--I was just throwing out theories. I really have no idea how he did it but since he was able to--then others can as well.
 
How is this possible? He guessed it BOTH times without erasing the iPhone... hmm... that's weird. Aren't there like thousands of 4 digit combinations?

0-9999 = 10,000 numbers... so that means there are 10,000 choices for a passcode and he guessed it twice... there must be a bug in 2.1 that he knows about to bypass this code.
 
I don't know but he made sure that I couldn't see what he was doing on the screen while he was performing his trick. Whatever he did, he wanted to make sure I didn't find out about it.
 