Simple hack bypasses iOS passcode entry limit, opens door to brute force hacks [u]

2

Comments

  • Reply 21 of 50
    SoliSoli Posts: 8,680member
    eightzero said:
    Why all the fuss?

    The police, if they want, can search my phone.   Their biggest challenge would be boredom.  There's nothing there that would interest them.


    Are you sure? The location data in there could put you near the scene of a crime. Your search on the google last week for "how to sell anything fast" brought up links to kiting boosted goods. Oh, and police would never, never steal your credit card number. Everyone knows police officers are well paid, and never in the need of a little side money.
    Just google "tsa caught stealing" for some whoopers. Or, isolate that to Apple products since there are so many.


  • Reply 22 of 50
    GeorgeBMacGeorgeBMac Posts: 4,154member
    eightzero said:
    Why all the fuss?

    The police, if they want, can search my phone.   Their biggest challenge would be boredom.  There's nothing there that would interest them.


    Are you sure? The location data in there could put you near the scene of a crime. Your search on the google last week for "how to sell anything fast" brought up links to kiting boosted goods. Oh, and police would never, never steal your credit card number. Everyone knows police officers are well paid, and never in the need of a little side money.


    But I'm a white dude living in a white suburb. 
  • Reply 23 of 50
    tallest skiltallest skil Posts: 43,399member
    eightzero said:
    Why all the fuss? The police, if they want, can search my phone.   Their biggest challenge would be boredom.  There's nothing there that would interest them.
    Are you sure? The location data in there could put you near the scene of a crime. Your search on the google last week for "how to sell anything fast" brought up links to kiting boosted goods. Oh, and police would never, never steal your credit card number. Everyone knows police officers are well paid, and never in the need of a little side money.
    But I'm a white dude living in a white suburb. 
    So you’re racist and you don’t even know why personal privacy exists. That explains a hell of a lot about your views.
    SpamSandwich
  • Reply 24 of 50
    SoliSoli Posts: 8,680member

    From Netflix's Anon (2018):

    The Girl: "It's not that I have something to hide. I have nothing I want you to see."
    lostkiwimacguiAlex1N
  • Reply 25 of 50
    GeorgeBMacGeorgeBMac Posts: 4,154member
    eightzero said:
    Why all the fuss? The police, if they want, can search my phone.   Their biggest challenge would be boredom.  There's nothing there that would interest them.
    Are you sure? The location data in there could put you near the scene of a crime. Your search on the google last week for "how to sell anything fast" brought up links to kiting boosted goods. Oh, and police would never, never steal your credit card number. Everyone knows police officers are well paid, and never in the need of a little side money.
    But I'm a white dude living in a white suburb. 
    So you’re racist and you don’t even know why personal privacy exists. That explains a hell of a lot about your views.
    ROFL...  How's that alternative reality working for you?
  • Reply 26 of 50
    gatorguygatorguy Posts: 20,282member
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    edited June 2018 GeorgeBMac
  • Reply 27 of 50
    macguimacgui Posts: 1,157member
    Soli said:

    From Netflix's Anon (2018):

    The Girl: "It's not that I have something to hide. I have nothing I want you to see."
    This is one of my core beliefs, though I've never seen it stated or thought it so concisely.

    Absolutely brilliant. It always astounds me when someone drops that 'If you have nothing to hide...' crap. I've known people who say that's how they roll. But that changes the second or maybe the third time that's put to the test.
  • Reply 28 of 50
    SoliSoli Posts: 8,680member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.

    Do you really only keep a 6-digit PIN for logging into my Mac/WinPC/Linux server? How about for web-facing accounts, like your bank? Sure, you can't do that, but would you make it a simple 6-digit PIN if you could? Do yo use the simplest password they allow and reuse the same ones over again because you feel the personal risk is too low to care about the effort and cost of using a password manager? I sure hope not.
    edited June 2018
  • Reply 29 of 50
    SoliSoli Posts: 8,680member
    macgui said:
    Soli said:

    From Netflix's Anon (2018):

    The Girl: "It's not that I have something to hide. I have nothing I want you to see."
    This is one of my core beliefs, though I've never seen it stated or thought it so concisely.

    Absolutely brilliant. It always astounds me when someone drops that 'If you have nothing to hide...' crap. I've known people who say that's how they roll. But that changes the second or maybe the third time that's put to the test.
    The movie has some plot holes and its missing something, but overall it was decent with that one line succinctly summing up the reason why citzens should not be made out as criminals for wanting their privacy.

    Note: That's the second noir, sci-fi thriller starting Amanda Seyfield that was highly intriguing, fairly low-budget, and enjoyable while also seeming to be missing something.
    edited June 2018 Alex1N
  • Reply 30 of 50
    mac_128mac_128 Posts: 3,399member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    If it’s so unlikely, why have a password at all then? I’m concerned about that one occasion where I’m venerable to someone who steals iPhones for the express purpose of mining data from them with these tools, or even just being able to break in and effectively wipe it for resale. I want my phone to be as unappealing to someone as possible, if only to prevent the inconvenience the theft would cause — but I certainly don’t want to add pain to misery as I worry whether they’ll also be able to recover something that turns out to make the theft a much more complex problem for me down the line. It’s peace of mind.

    I have airbags on my car that I’ve never used in over a decade even after being in a few fender benders. It’s unlikely I will ever need them, but I sure do prefer the security of knowing they are there, than run the risk of further injury if the unlikely happens.
    edited June 2018 mac_dognetmageAlex1N
  • Reply 31 of 50
    entropysentropys Posts: 1,619member
    k2kw said:
    So did anybody test this on Android phones using the USB port.   I bet google will fix it by 2022 and phone makers will sell/include it by 2025 and all google phones will be secure by 2030.
    Maybe, but I don’t care. I use an iPhone and one of the reasons I use an iPhone is I expect it to be the best. I am confident this will be fixed.
  • Reply 32 of 50
    tallest skiltallest skil Posts: 43,399member
    ROFL...  How's that alternative reality working for you?
    I wouldn’t know; I’m not the one foolish enough to fall for “nothing to hide; nothing to fear” propaganda.
    Alex1NRayz2016
  • Reply 33 of 50
    mac_dogmac_dog Posts: 669member
    yeah. 
    edited June 2018
  • Reply 34 of 50
    irnchrizirnchriz Posts: 1,581member
    Soli said:
    Use the full keyboard for your passcode! Even add a simple long press character to make it crazy hard to crack without invoking much of a hassle for you.
    @Soli, I have seen you mention this a few times in these forums. Could you please explain this a little more? I have a 6-digit password (numeric, though, which I guess I need to change), so I would like to try your suggestion. But, I am not sure I understand what 'use the full keyboard' and 'add a simple long press character' mean. I use an iPhone 6, running iOS 10.x.
    It is simple math, the more entropy the longer it takes to crack a password.
    A password like
    banana,horse,spangle-1723!
    will take centuries to crack vs a password like
    996643
    or even
    Bl0t50ms 

  • Reply 35 of 50
    mac_128mac_128 Posts: 3,399member
    irnchriz said:
    Soli said:
    Use the full keyboard for your passcode! Even add a simple long press character to make it crazy hard to crack without invoking much of a hassle for you.
    @Soli, I have seen you mention this a few times in these forums. Could you please explain this a little more? I have a 6-digit password (numeric, though, which I guess I need to change), so I would like to try your suggestion. But, I am not sure I understand what 'use the full keyboard' and 'add a simple long press character' mean. I use an iPhone 6, running iOS 10.x.
    It is simple math, the more entropy the longer it takes to crack a password.
    A password like
    banana,horse,spangle-1723!
    will take centuries to crack vs a password like
    996643
    or even
    Bl0t50ms 

    Exactly. I work for a company with over 260,000 employees worldwide. We recently had company wide training about precicesly this. It was recommended that we all adopt simple pass-phrases over the silly habit of 6-12 alphanumeric nonsense characters, for which method even the inventor apologized about being wrong. Easy for us to remember and harder for a brute force attack.

    Unfortunately, most password systems are geared toward this now debunked method, limiting passwords to a specific length, rejecting common words, and requiring one of every kind of character, but in some cases limiting the special characters available. And it was for this reason the top recommendation was that we use a password manager for all of our passwords, along with two-factor authentication. Unfortunately, that doesn’t really work for an iPhone.
    netmage
  • Reply 36 of 50
    SoliSoli Posts: 8,680member
    mac_128 said:
    irnchriz said:
    Soli said:
    Use the full keyboard for your passcode! Even add a simple long press character to make it crazy hard to crack without invoking much of a hassle for you.
    @Soli, I have seen you mention this a few times in these forums. Could you please explain this a little more? I have a 6-digit password (numeric, though, which I guess I need to change), so I would like to try your suggestion. But, I am not sure I understand what 'use the full keyboard' and 'add a simple long press character' mean. I use an iPhone 6, running iOS 10.x.
    It is simple math, the more entropy the longer it takes to crack a password.
    A password like
    banana,horse,spangle-1723!
    will take centuries to crack vs a password like
    996643
    or even
    Bl0t50ms 

    Exactly. I work for a company with over 260,000 employees worldwide. We recently had company wide training about precicesly this. It was recommended that we all adopt simple pass-phrases over the silly habit of 6-12 alphanumeric nonsense characters, for which method even the inventor apologized about being wrong. Easy for us to remember and harder for a brute force attack.

    Unfortunately, most password systems are geared toward this now debunked method, limiting passwords to a specific length, rejecting common words, and requiring one of every kind of character, but in some cases limiting the special characters available. And it was for this reason the top recommendation was that we use a password manager for all of our passwords, along with two-factor authentication. Unfortunately, that doesn’t really work for an iPhone.
    The "entropy" notion in irnchriz's comment doesn’t account for anything other than a static base count. As noted, when you choose form 210 possible characters instead of 72 or 10, the complexity increases dramatically even with a shorter passcode. All things being equal, a longer passcode is harder to crack, but you're better off with a more diverse character palette, which means this works really well for the iPhone (and Mac).
    edited June 2018 Alex1NRayz2016
  • Reply 37 of 50
    DAalsethDAalseth Posts: 508member
    Æg5bŁ(ßw7°§ for example. That is a brillient idea. Now maybe some outside systems would not take those charactors, but for locking your phone they should be fine.
    edited June 2018 Soli
  • Reply 38 of 50
    SoliSoli Posts: 8,680member
    DAalseth said:
    Æg5bŁ(ßw7°§ for example. That is a brillient idea. Now maybe some outside systems would not take those charactors, but for locking your phone they should be fine.
    But only one of those very special characters will make things uneasonably tough for any bruteforce system... and I have serious doubts that GreyKey is designed to even try those long-press characters.

    PS: Being 11 characters that password is in a haystack 3.5 × 10^25 possibilities. For comparison, there are only 7.5 × 10^18 grains of sand on Earth. Anyone want to figure out long it would take GreyKey to solve half of them (50% chance)?
    edited June 2018 Alex1N
  • Reply 39 of 50
    GeorgeBMacGeorgeBMac Posts: 4,154member
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.

    Do you really only keep a 6-digit PIN for logging into my Mac/WinPC/Linux server? How about for web-facing accounts, like your bank? Sure, you can't do that, but would you make it a simple 6-digit PIN if you could? Do yo use the simplest password they allow and reuse the same ones over again because you feel the personal risk is too low to care about the effort and cost of using a password manager? I sure hope not.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.  Every time you sign up for something or even just use your credit card and/or loyalty card, your personal information is being collected and stored on multiple servers -- and you have lost control of it.    So, hackers today go after the big servers:   Target, Home Depot, Equifax, government sites, etc., etc., etc.....

    Chances are your personal information is lying on at least one hacker's server waiting to be used.

    That is why, while I do try to protect my information, particularly financial information, I have shifted more towards detecting the use of that information for nefarious purposes.  But unfortunately even the ability to do that is limited.  For instance:   I have had credit agency monitoring in place for years.  But I saw the limitations of that when I opened a new credit card account -- but it never showed up on my monitoring system.   Further, a popular new scam is opening smart phone accounts - but since they don't go through the big 3 agencies, that won't be picked up either until the police show up asking about your drug deals....

    Basically, we have lost the ability to protect our personal information from being stolen.   Yet, government and law enforcement seem totally uninterested in doing anything to stop it.
  • Reply 40 of 50
    SoliSoli Posts: 8,680member
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).

    Every time you sign up for something or even just use your credit card and/or loyalty card, your personal information is being collected and stored on multiple servers -- and you have lost control of it.    So, hackers today go after the big servers:   Target, Home Depot, Equifax, government sites, etc., etc., etc.....

    Chances are your personal information is lying on at least one hacker's server waiting to be used.
    1) The pro of the server-side hack for consumers is that we're not the direct target. I'd say worry more about not being a wildebeest with a bum knee. For example, when on public WiFi use a VPN. Same logic applies here as with server hacks as your home ISP server or the VPN service you use could have bad actors watching your data, but you can't stop that. You can, however, use a VPN to keep public WiFi traffic from being snooped. [Do you how many negative comments I got over the simple request on this forum to have AI add SSL?]

    2) It's somewhere, which is why I've been an advocate for taking responsibility for your own security for a long time. This "I haven't heard about a breach so there much not be a breach" mentality needs to go. I had all 4 of my credit bureaus locked before the Equifax breach, and I believe in the security benefits of *Pay (Apple Pay, Android Pay, Samsung Pay) so much that when I see that a place supports it (usually without their knowledge) I will either give them stickers I ordered for free from Apple. I do that for myself because I want more people using and expecting *Pay systems everywhere that I shop.

    Do you really only keep a 6-digit PIN for logging into my Mac/WinPC/Linux server? How about for web-facing accounts, like your bank? Sure, you can't do that, but would you make it a simple 6-digit PIN if you could? Do yo use the simplest password they allow and reuse the same ones over again because you feel the personal risk is too low to care about the effort and cost of using a password manager? I sure hope not.
    These questions I don't understand but I'll give it my best.

    1) I don't use a PIN for anything other than my Apple Watch, and even that I don't use the default of 4-digits because it also will unlock my Mac. I use the optional-length PIN, which means it won't submit after 4 digits, but will require you to hit 'OK' to submit your code, which makes a brute force attack here even harder. As for my examples with a 6-character passcode, they were just examples to show how secure your system can be when you're using a much larger character palette over just numbers or basic alphanumerics. That was the point of me doing the maths.

    2) My web-facing passwords as long and a secure as possible because I don't have to remember them. I wrote another post in this thread detailing my issues with how poorly password restrictions and requirements are relayed to password generators. Since not one website I'm aware of has 210 options per character they're not going to be as safe as what iOS and macOS can offer users for physical access to the device, but it's also not a bug deal if I'm making my password 48, 64, or 80 characters long using random characters. You can have a much stronger password with much fewer characters with iOS and macOS, but since I'm never having to type these in manually it's a moot point and those lengths keep me from being the weakest and slowest of the herd.

    3) What have I stated that indicates that I use any simple passcode for anything. My comments in this thread are all about increasing the complexity of your passcodes without increasing the effort you exert to make yourself more secure. As for reusing passcodes, see the first part of this post about how I try not to even reuse usernames, emails address tied to accounts, or security questions.
    edited June 2018
Sign In or Register to comment.