New security hole allows for Apple ID password reset using Apple's iForgot page [u]

2»

Comments

  • Reply 21 of 26
    clemynxclemynx Posts: 1,552member
    Wow they really should tighten up security. Why do they still fail on web services?
  • Reply 22 of 26
    lostkiwilostkiwi Posts: 639member
    solipsismx wrote: »
    Why? It's 10,000 combinations, it has timeouts by default for too many failed attempts, you can make erase the phone if need be, and can turn off the simple password option.
    There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).

    If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.

    Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
    The 3GS and 4 are pretty hackable though- good reason to upgrade!
  • Reply 23 of 26
    Likely now that Apple are going to allow you to buy 'Tangible goods' with an NFC competitor.


    Obviously before this iTunes two-step change convenience mattered more.
  • Reply 24 of 26
    freediverxfreediverx Posts: 1,423member
    How about updating your headline to show that Apple fixed this immediately?
  • Reply 25 of 26
    solipsismxsolipsismx Posts: 19,566member
    lostkiwi wrote: »
    There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).

    If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.

    Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
    The 3GS and 4 are pretty hackable though- good reason to upgrade!

    How does this get past the 1 minute wait period for failed attempts? How does this get past the erasing of the contents after its attempted 10x?
  • Reply 26 of 26
    lostkiwilostkiwi Posts: 639member


    Well, I don't work for any of the respective companies but I do know they have specialised software which can bypass the password attempt restriction if they are connected to the phone directly.  If you are interested, look up these companies:


     


    XRY (Sweden)


    Elcomsoft (Russia)


    Cellebrite/UFED (Israel)


     


    I believe Cellebrite is the company used by most LEOs stateside, but in the UK there is a home grown sec company called Radio Tactics.  They use a different approach where officers load up the SIM into their specific handset and get subscriber info off that.  It is a lot easier with all the non iPhones as they store a lot more data on the SIM.  However, even if all they had was the subscriber information they can use that to get the persons details from the carrier and get all of the normal texts and calls made over the network sent to them for analysis, meaning they won't need access to the encrypted phone anyways.  There is quite a scary article about it on the beeb here.

Sign In or Register to comment.