Passcode lock not so secure. . .

Discussion in 'iPhone' started by barkomatic, Nov 16, 2008.

  1. barkomatic macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #1
    I was out last night with a friend when the two us met a guy at a bar in Manhattan. He saw me pull out my iphone to check a text and that was when he mentioned he worked at Apple. I use a passcode on my iphone and he said he could "guess" my passcode if locked my phone.

    I locked my phone, handed it over, and he was able to somehow either guess my passcode or bypass it somehow within about 3 minutes. He handed the phone back to me and I immediately changed my passcode-- and handed it to him again. He was able to get in again within about 5 minutes this time. I could not see how he was doing this and he left shortly after performing this trick. He wouldn't tell me how he did it.

    How?? Is there some type of "master code" that Apple technicians use to get into people's iphones to repair them? Or, are passcodes just really easy to hack? I don't know in what capacity this guy works for Apple--I assumed he worked at a local retail store as I didn't think Apple had any offices in NY.
     
  2. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #2
    There are two major possibilities...

    One, which is essentially just a limitation of a touchscreen and a short (four digit) passcode... he/she can always just read your fingerprint smudges. Nothing you or Apple can do about that, except possibly use some of the screen covers that don't smudge or else use a much longer password with repetition (making for too many variants to successfully be disambiguated).

    Two, I thought this was fixed in 2.1, but I'm not 100% sure...

    http://www.securecomputing.net.au/News/121615,iphone-emergency-flaw-to-be-fixed.aspx

    If this is still unfixed, the solution is fairly simple -- just change the behavior of the double tap. (EDIT: I'm pretty sure this vulnerability is fixed in 2.1 or later)
     
  3. fireshot91 macrumors 601

    fireshot91

    Joined:
    Jul 31, 2008
    Location:
    Northern VA
    #3
    The 2.1 fixed that for me.. maybe he actually works for Apple and knows how to do it?
     
  4. barkomatic thread starter macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #4
    I suppose he *could* have read the fingerprint smudges though that seems unlikely. I had been using my phone extensively all day and my screen should have been covered with smudges--plus the bar was not well-lit. I just tried to bypass the passcode with the "emergency call" method but that didn't work for me. Oddly, double tapping the home button started a random song playing but no access to the homescreen.

    This is a little disturbing to me--
     
  5. firewood macrumors 604

    Joined:
    Jul 29, 2003
    Location:
    Silicon Valley
    #5
    Might not work as well with me. I always start to type the wrong passcode (usually the previous one), then have to backspace and reenter the correct one.
     
  6. heaven macrumors 6502a

    heaven

    Joined:
    Jun 20, 2004
    #6
    Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5F136 Safari/525.20)

    just out of curiosity: what time do you set to require the passcode and do you enable the 'erase data' function?
     
  7. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #7
    Yes, being a klutz definitely can help you here, although arguably it gives people more time to just watch you enter your PIN. ;)

    Minimal credible deterrent... that's all it is with the 4-digit PIN. If you use your iPhone with Exchange, I think you get a longer password, which doesn't suck as much. But the password lock on the iPhone is hardly an impenetrable fortress.
     
  8. barkomatic thread starter macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #8
    I set the passcode to lock immediately and I also enable it to erase all data.
     
  9. Bryan Bowler macrumors 68040

    Joined:
    Sep 27, 2008
    #9
    If there was a "master code", he would have gotten into your phone nearly instantly. Not 3 minutes the first time and 5 minutes the next time around.

    Just a thought...
     
  10. Eso macrumors 68000

    Eso

    Joined:
    Aug 14, 2008
    #10
    Lmao

    Hrm, I could just imagine...

    "Hey, I know how to bypass the passcode lock on your iPhone, wanna see?"

    "Sure!" *sets a passcode*

    "OK, hand it over!" *proceedes to enter the wrong PIN 10 times in a row, erasing data*

    OWNED.
     
  11. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #11
    This is a good reason not to let people play with your phone if it has sensitive data on it...
     
  12. yOyOYoo macrumors 6502a

    yOyOYoo

    Joined:
    Feb 13, 2005
    Location:
    CA
    #12
    hahahah sucka!
     
  13. benflick macrumors 68020

    benflick

    Joined:
    Jul 11, 2008
    Location:
    Cincinnati, Ohio
    #13
    Or he could just walk away with the damn thing...
     
  14. question fear macrumors 68020

    question fear

    Joined:
    Apr 10, 2003
    Location:
    The "Garden" state
    #14
    I agree with the smudges theory. That or he watched you enter your passcode, saw where your fingers were pressing, and deduced a certain number of possible combos from there.
     
  15. cWeems macrumors 6502a

    cWeems

    Joined:
    Jun 8, 2008
    Location:
    FLORIDA, USA
  16. firewood macrumors 604

    Joined:
    Jul 29, 2003
    Location:
    Silicon Valley
    #16
    Most people can only quickly remember 7 to 9 keystrokes. If you use a sequence that's longer, separated by a random mix of backspaces, only a memory expert would pick it up easily.

    .
     
  17. CocoaPuffs macrumors 68010

    Joined:
    Aug 23, 2008
    #17
    This is a simple case of gullible mind.

    If there is such thing as "master code", he wouldn't need 3 minutes and then 5 minutes to unlock your phone.

    This is how GOP installs fear to the "conservatives", thus they fear the liberals.
     
  18. barkomatic thread starter macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #18
    OMG, so by creating this thread about my iphone being unlocked I am actually trying to install fear in the electorate so that I can influence national politics? :) How did you guess? Blast!

    Seriously, I have no idea how this guy got in. He never saw me enter my code and he didn't watch when I changed the code to something entirely different. He actually *did* get to the home screen--and did not set off the "erase data" function.

    I thought there might have been something obvious that I just missed, but apparently not. He's a magician I guess!
     
  19. daisuke07 macrumors regular

    Joined:
    Oct 25, 2008
    #19
    which would take like 24 hours to do
     
  20. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #20
    Hint: you shouldn't have played this game while drinking.

    I mean, PINs like '1234' and '1111' aren't exactly hard to guess.

    :D

    PS. Seriously, I used to design casino systems and we'd watch the logs of what people used for PINs. Over half would use something simple like the above, especially '7777' for luck.

    PPS. Do you wear glasses? My brother used to "guess" my cards by watching their reflection.
     
  21. gilkisson macrumors 65816

    gilkisson

    #21
    I wish. I use it with Exchange, and I get 4 digits for my passcode. Suckage level still kinda high.
     
  22. elbirth macrumors 65816

    Joined:
    Jan 19, 2006
    Location:
    North Carolina, US
    #22
    it wouldn't seem nearly as impressive if he simply typed in the "master code" and handed it back to her. by appearing as though he was actually figuring it out, it came across as more dramatic, since the fact that the iPhone didn't erase the data shows that he wasn't just randomly typing in a bunch of codes. of course, this isn't to say that there *is* a master code, but I'd be interested in what was up here as well, assuming the OP wasn't just drunk and imagined it all :p
     
  23. barkomatic thread starter macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #23
    Hey now! ;) I was not drunk nor did I imagine it. There was actually a friend of mine with me who was also quite impressed by this fellow. The original code I used as well as the code I changed it to did not follow a simple pattern like "7777" or "1234" either.

    I have no idea if a "master code" exists--I was just throwing out theories. I really have no idea how he did it but since he was able to--then others can as well.
     
  24. TheSpaz macrumors 604

    TheSpaz

    Joined:
    Jun 20, 2005
    #24
    How is this possible? He guessed it BOTH times without erasing the iPhone... hmm... that's weird. Aren't there like thousands of 4 digit combinations?

    0-9999 = 10,000 numbers... so that means there are 10,000 choices for a passcode and he guessed it twice... there must be a bug in 2.1 that he knows about to bypass this code.
     
  25. barkomatic thread starter macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #25
    I don't know but he made sure that I couldn't see what he was doing on the screen while he was performing his trick. Whatever he did, he wanted to make sure I didn't find out about it.
     

Share This Page