Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11 [Updated]

I agree with others who think the headline should be edited for accuracy. The update itself is a bit anemic and could be expounded upon, and really it should be above the article body because it casts doubt on the whole thing.


If the methodology can be proven faulty, a new post should have been made as a correction, in my opinion.
 
TrulsZK said:
That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.
Click to expand...
I have to wonder if it wouldn’t be a bad idea to start requiring TouchID/FaceID to turn on airplane mode from the lock screen.
 
  • Like
Reactions: Apple_Robert
Sasparilla said:
Thank you Matthew Hickey! Nice to see this get identified so Apple can squash it.

Its an interesting bug, since the passwords are getting parsed (its not handled as one big string) and used. Should be an easy direct fix for Apple.

The security culture around iOS is getting stronger and stronger - which is really great to see. In any OS there's always going to be holes, but having a large enough group of folks constantly pounding on it to find holes will help keep the number of those holes to a minimum.

Its a different world over in Android (my work phone) - a friend has an unlocked s9+ that hasn't gotten an update since the release day update, security update is from February, OS version behind by 1 (soon 2) and that's the top of the line Samsung. Google's Pixels are much better but few people have them.
Click to expand...
I'm unlocked on an s9+ and have June security patch and there is no 1 OS behind. It comes with oreo out of the box. If you'd like i could post a screen shot proving this
 
Last edited:
chucker23n1 said:
Correct (although some can be avoided altogether by choosing a safer programming language).



You seem to be implying here that developers at Apple are literally inputting zeroes and ones, which is not at all how it works, even at such low levels as security development.
[doublepost=1529830366][/doublepost]

Are you suggesting your original post was sarcastic? That doesn't make sense.
[doublepost=1529830581][/doublepost]

The manufacturer.

It's irrelevant that they use source code from third parties (which Apple also does), just like it's irrelevant that they source hardware components from third parties. You don't sue Joe Hacker and Jill Dev any more than you sue the component supplier of the camera module.



You don't. The manufacturer is responsible, and if push comes to shove, they can be compelled to take the product off the market, too.
Click to expand...

That was my point. Going after Apple is easier. One company is the entire package. Operating system and hardware manufacturer. It makes them easier to pursue for the desired accomplishment.

To pursue the same desired features on the Android platform, the government would have to go after all of the phone manufacturers individually, and also the Android operating system producer. It’s a huge web to cast. And a lot of individual companies to go after simultaneously in separate and parallel court battles.

Even if they succeeded in getting Android altered to provide an easier way into the system, any hardware manufacturer could implement they own protection mechanisms to counter that weakness and increase security.

So they need to simultaneously pursue everyone. And losing one case will cause the loss of other cases. It’s simply too big of a net to cast.

But targeting Apple is easy. Everything is in one tidy little package waiting for someone to grab it with their hand.

By not diversifying, Apple has made themselves weaker in that respect.

Compare the Android platform to the Internet. Try shutting down the Internet by taking out one server. It’s not going to happen. You have to hit every server. Because the Internet will simply reroute to compensate for the one loss.

Now imagine if the entire Internet was run by one computer. Now you can take it down with a single blow. That version is Apple.
 
audiophilosophy said:
Tim Cook's Apple leaving the key under the door mat once again for governments and law enforcement.
Click to expand...

audiophilosophy said:
...they claim that they're energy demands are supplied "100% by clean renewable resources," but in reality they use old-fashioned, reliable energy sources like coal and try to make it look like they're "offsetting" that dirty energy by buying "clean energy credits."
Click to expand...

Can you provide solid evidence to support these statements?
Or are these simply your opinions?

flyinmac said:
To pursue the same desired features on the Android platform, the government would have to go after all of the phone manufacturers individually, and also the Android operating system producer. It’s a huge web to cast. And a lot of individual companies to go after simultaneously in separate and parallel court battles.
Click to expand...

Going after Google and Samsung would likely suffice. Maybe Huawei and/or Xiaomi if they really want.
In fact, Google makes the device and OS in the case of the Pixel, so even just going after them may be enough.

flyinmac said:
Even if they succeeded in getting Android altered to provide an easier way into the system, any hardware manufacturer could implement they own protection mechanisms to counter that weakness and increase security.
Click to expand...

The extension of this is that they would have to pursue every secure email, IM, and encrypted voice app maker individually. A simpler solution is just to introduce legislation or regulatory requirements. No need to go after companies individually.

The data available publicly suggests that iOS/Apple is more secure than the large majority of Android devices (though the difference appears to be diminishing over time), in the same way that macOS is more secure than Windows (again, by a diminishing margin). These advantages are not necessarily due to Apples commitment to security or quality control; I would argue that, in many cases, the difference only exists because of even poorer performance by the non-Apple manufacturer.
 
Just use an alphanumeric passcode. With TouchID and FaceID, you don't need to input your long passcode every time you unlock your device, there is no real reason to still use a 4-digit passcode except if you're lazy.
 
  • Like
Reactions: reilogix and decafjava
BasicGreatGuy said:
While that is certainly a step in the right direction, it still wouldn't stop someone from accessing and using your phone with a different SIM.
Click to expand...

A different SIM will indeed allow someone to use your phone, but it will appear to be that person's phone number, rather than yours. This scenario also assumes that the phone's passcode has been compromised.

I believe locking one's SIM also prevents it from being used in another device without being unlocked first.
 
chucker23n1 said:
You seem to be implying here that developers at Apple are literally inputting zeroes and ones, which is not at all how it works, even at such low levels as security development.
Click to expand...
No, no that’s not what I’m implying at all. I’m just saying that lines of code are just a bunch of ones and zeros at the most fundamental level. I’m just illustrating the complexity of programming; that it involves so much more than just lines of code and that things can go wrong at each level.
 
Doc C said:
Thank you, this does address the clean power statement - though this is over two years old data, so the exact numbers may have changed slightly.

On the other hand, the initial statement I quoted is far more inflammatory, and would be a far more concerning issue to me. I have not seen any data that are supportive of this.
Click to expand...
Although if you check carefully the author of the piece is a pro-fossil fuel lobbyist of sorts-he wrote a book defending the use of fossil fuels so the peice is not without bias.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back