Why? It's 10,000 combinations, it has timeouts by default for too many failed attempts, you can make erase the phone if need be, and can turn off the simple password option.
There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).
If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.
Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
The 3GS and 4 are pretty hackable though- good reason to upgrade!
There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).
If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.
Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
The 3GS and 4 are pretty hackable though- good reason to upgrade!
How does this get past the 1 minute wait period for failed attempts? How does this get past the erasing of the contents after its attempted 10x?
Well, I don't work for any of the respective companies but I do know they have specialised software which can bypass the password attempt restriction if they are connected to the phone directly. If you are interested, look up these companies:
XRY (Sweden)
Elcomsoft (Russia)
Cellebrite/UFED (Israel)
I believe Cellebrite is the company used by most LEOs stateside, but in the UK there is a home grown sec company called Radio Tactics. They use a different approach where officers load up the SIM into their specific handset and get subscriber info off that. It is a lot easier with all the non iPhones as they store a lot more data on the SIM. However, even if all they had was the subscriber information they can use that to get the persons details from the carrier and get all of the normal texts and calls made over the network sent to them for analysis, meaning they won't need access to the encrypted phone anyways. There is quite a scary article about it on the beeb here.
Comments
If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.
Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
The 3GS and 4 are pretty hackable though- good reason to upgrade!
Obviously before this iTunes two-step change convenience mattered more.
How does this get past the 1 minute wait period for failed attempts? How does this get past the erasing of the contents after its attempted 10x?
Well, I don't work for any of the respective companies but I do know they have specialised software which can bypass the password attempt restriction if they are connected to the phone directly. If you are interested, look up these companies:
XRY (Sweden)
Elcomsoft (Russia)
Cellebrite/UFED (Israel)
I believe Cellebrite is the company used by most LEOs stateside, but in the UK there is a home grown sec company called Radio Tactics. They use a different approach where officers load up the SIM into their specific handset and get subscriber info off that. It is a lot easier with all the non iPhones as they store a lot more data on the SIM. However, even if all they had was the subscriber information they can use that to get the persons details from the carrier and get all of the normal texts and calls made over the network sent to them for analysis, meaning they won't need access to the encrypted phone anyways. There is quite a scary article about it on the beeb here.