And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.
Yeah. When the FBI start complaining about their inability to unlock android phones and trying to change laws to force Google to write Android ‘G’overnment Edition, then maybe android’s security can be hyped.
 
Thank you Matthew Hickey! Nice to see this get identified so Apple can squash it.

It's an interesting bug, since the passwords are getting parsed (it's not handled as one big string) and used. Should be an easy direct fix for Apple.

The security culture around iOS is getting stronger and stronger - which is really great to see. In any OS there's always going to be holes, but having a large enough group of folks constantly pounding on it to find holes will help keep the number of those holes to a minimum.

It's a different world over in Android (my work phone) - a friend has an unlocked s9+ that hasn't gotten an update since the release day update, security update is from February, OS version behind by 1 (soon 2) and that's the top of the line Samsung. Google's Pixels are much better but few people have them.
 
Great, this tired point again.

Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
The iOS 11.4 security content notes don’t specify anything seemingly related to this bug.
The following analysis is based on common sense:
If the bug is still not patched, then the "researcher" would have clearly mentioned 11.4 instead of 11.3?
 
And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.

When law enforcement agencies complain about iPhone security or ask Apple to help, they already have access to a GrayKey box. That makes iPhone users believe the police can't access a locked iPhone but they can.
 
The following analysis is based on common sense:
If the bug is still not patched, then the "researcher" would have clearly mentioned 11.4 instead of 11.3?
Specious reasoning assumes 11.4 was out when these tests were run, and the exploit was attempted on it and failed. 11.4 is not that old, so perhaps it hasn’t been tested on an iOS device that has it, or all iOS devices with it yet.
 
And soon it will be fixed. Last time I looked at Android, it was chock full of vulnerabilities. Is the standard for one vendor absolute perfection, when for others, is meh? Did you ever administer a Windows PC, it seems they get 100s of security patches and is still considered less secure than Mac. And Intel chips and ARMs themselves can be hacked? I'm still better off with MAC and iOS, it's so much harder to get in.

The real shame in the article is that no mention was made of responsible behavior on the security researcher's part. Professionally, they are supposed to report the defect to the vendor before releasing to the public. This provides an opportunity to patch before it is out in the wild. Of course, if this guy found it, others probably have as well, but responsibility is important.
 
Tim Cook's Apple leaving the key under the door mat once again for governments and law enforcement. Seems like everything positive that Tim Cook says is just a PR move, and not substantiated with what's really going on. They pretend like privacy is one of their top values, and they allow this sort of thing to slip by. Just like they claim that their energy demands are supplied "100% by clean renewable resources," but in reality they use old-fashioned, reliable energy sources like coal and try to make it look like they're "offsetting" that dirty energy by buying "clean energy credits." Tim Cook needs to go for so many reasons.
 
Great, this tired point again.

Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
The iOS 11.4 security content notes don’t specify anything seemingly related to this bug.

Really? Thanks captain obvious. I guess you missed the day when they taught about sarcasm in school.
 
And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.
You don't see them getting into Android phones, but do they seem to be getting into iPhones left and right?! Oh yeah
 



A USB-based vulnerability that allows for the brute forcing of a passcode on an iOS device has been discovered by security researcher Matthew Hickey, reports ZDNet.

The method, which bypasses the 10-entry attempt that erases an iOS device when the setting is enabled, allows a hacker to plug an iPhone or iPad into a computer and send all passcodes, from 0000 to 9999, all at once, triggering an input routine that takes priority over anything else on the device. Hickey demos the hack in the video below.

All that's required to use this brute force password cracking method is an iPhone or iPad that's turned on and locked and a Lightning cable, according to Hickey. It works on iOS devices up to iOS 11.3.

Hickey's iPhone cracking method takes between three and five seconds for each four-digit passcode, which means it's slow and not as advanced as other passcode cracking methods employed by companies like Grayshift, which makes the GrayKey box. For this method to guess a six-digit passcode, Hickey says it would take weeks.

Apple in iOS 12 is introducing a new USB Restricted Mode that may put a stop to the vulnerability that Hickey has discovered, as well as vulnerabilities exploited by tools like the GrayKey Box.


With USB Restricted Mode, enabled by default on iOS devices running iOS 12, USB access to an iPhone or iPad is cut off if it's been more than an hour since the device was last unlocked.

That means computers and other accessories can't be used to access a locked iPhone if it's been locked for over an hour, disabling access via a USB to Lightning cable.

Article Link: Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11

They need to make that one-hour time user-selectable; i.e., let users select how many minutes after locking it can wait before it must be unlocked to interface with anything (besides charging) via its port. Better yet, make it so that the iOS device must be unlocked each time a cable is plugged in to do anything but draw power from it.
 
Testing and engineering design seem to have taken a backseat to thinness recently.

Between the root bug and ones like this, one wonders how many others are out there.

The problem with people who don’t understand computer operating systems is that it’s hard for them to realise that no computer operating system is 100 percent secure. Luckily Apple has the most secure mass market smartphone operating system on the planet. And will keep working to make it more secure.
 
And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.

One target compared to millions. With Apple, they can target one company for the operating system and device.

If I were the government, Apple is an easier target than going after Google and every other cell phone company.

Plus, Android is based on open source code. So who do you sue?? How many hands are in that open source code? Thousands of people involved who are not accountable to any one company.

Good luck getting all the parties involved into a court room. You’d spend forever trying to build a case.

Suing Android would be a mess.

Apple is one entity. And they are much easier to pursue because they control their entire platform from end to end.
 
The next three biggest vulnerabilities are going to be in the SIM card's OS, the BT stack and the WiFi stack. All three are active unless the phone is in Airplane mode. Hopefully the radios are physically disabled in Airplane mode. If not, then that's an opening.
 
In my opinion, people need to stop solely relying on Apple or any other entity to keep their devices and use thereof safe. People need to be proactive and stop using four (or even 6) digit passcodes. That kind of laziness could end up being the recipe for disaster for someone here. Use alphanumeric passcodes that are a lot longer than 8 characters.
 
Get an alphanumeric passcode!

1 attempt takes 4 seconds, that means a 16 digit alphanumeric passcode with upper- and lower case, numbers, and two symbols will take up to 64^16=7,922816251e28 seconds which is in practice never. Unless you can run a dictionary attack or something.

With the brute force attempts an alphanumeric passcode is the only solution to stay safe.

That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.

Totally agreed about using alphanumeric passcodes! Seriously, do people STILL use 4-digit numeric passcodes?

You don't need an eSIM in your iPhone in order to lock it. My iPhone's SIM is passcode protected, so I have to enter the code whenever I power cycle my phone. Turn on your phone's SIM lock at Settings -> Phone -> SIM PIN.
 
Totally agreed about using alphanumeric passcodes! Seriously, do people STILL use 4-digit numeric passcodes?

You don't need an eSIM in your iPhone in order to lock it. My iPhone's SIM is passcode protected, so I have to enter the code whenever I power cycle my phone. Turn on your phone's SIM lock at Settings -> Phone -> SIM PIN.
While that is certainly a step in the right direction, it still wouldn't stop someone from accessing and using your phone with a different SIM.
 
You don't see them getting into Android phones, but do they seem to be getting into iPhones left and right?! Oh yeah
You really don’t think law enforcement has a better success rate with android phones? That’s laughable. iPhones are nearly impossible to unlock. Even the method in this article would take weeks. Apple is ahead of the game in every way when it comes to security.
 
Totally agreed about using alphanumeric passcodes! Seriously, do people STILL use 4-digit numeric passcodes?

You don't need an eSIM in your iPhone in order to lock it. My iPhone's SIM is passcode protected, so I have to enter the code whenever I power cycle my phone. Turn on your phone's SIM lock at Settings -> Phone -> SIM PIN.
I tried to enable the alphanumeric code, and the system froze then locked me out of the passcode options for a minute. WTF.
 
So... when is MR going to publish a front page article about the fact that this story was bunk from the start? Because if you publish something that turns out to be incorrect as a front page story, you should issue a front page story about that too, not just update the existing post and push it to the side.
 
This is the nature of software development. I would say it’s almost impossible to account for every vulnerability.

Correct (although some can be avoided altogether by choosing a safer programming language).

At the end of the day software is just a bunch of 1s and 0s. One misplaced digit can cause a vulnerability.

You seem to be implying here that developers at Apple are literally inputting zeroes and ones, which is not at all how it works, even at such low levels as security development.
Really? Thanks captain obvious. I guess you missed the day when they taught about sarcasm in school.

Are you suggesting your original post was sarcastic? That doesn't make sense.
Plus, Android is based on open source code. So who do you sue??

The manufacturer.

It's irrelevant that they use source code from third parties (which Apple also does), just like it's irrelevant that they source hardware components from third parties. You don't sue Joe Hacker and Jill Dev any more than you sue the component supplier of the camera module.

Good luck getting all the parties involved into a court room.

You don't. The manufacturer is responsible, and if push comes to shove, they can be compelled to take the product off the market, too.
 
So... when is MR going to publish a front page article about the fact that this story was bunk from the start? Because if you publish something that turns out to be incorrect as a front page story, you should issue a front page story about that too, not just update the existing post and push it to the side.

It’s standard practice to indicate that there’s an update to these articles. The rest of us can read to the bottom and don’t need a special write up. Also the original story is still right there on the front so what is being pushed aside?
 
Has anyone been able to find more on this research? For example, I’m interested in Hickey’s setup. I’d love to be able to input strings to iOS devices programmatically.
 
It’s standard practice to indicate that there’s an update to these articles. The rest of us can read to the bottom and don’t need a special write up. Also the original story is still right there on the front so what is being pushed aside?

The headline isn't true and the story's been moved to the "more stories" side bar, whereas it was previously a leading news item on the site. Given the importance of the original item, they should properly correct it by changing the headline on the existing article (not just adding "updated", which makes it seem like there's now more detail but that the nature of the story hasn't fundamentally changed) and then write a new leading news item that points out that what they previously published is now known to be false.
 