This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Security: iOS lock codes
One question raised (for me) by the recent blog post [url="http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/"]The ABCs of XRY: Not so simple passcodes[/url] was does the described technique work if you have [b]Erase Data[/b] set in your passcode settings (presuming they don't hit gold on the first 10 guesses)?
I realise that this setting gives someone a very easy DOS type attack - 2 minutes with your phone (locked) and I can create a ton of work for you putting it back to normal (and presumably make it untraceable by the apple fine your iphone tools).
Nigel.
I realise that this setting gives someone a very easy DOS type attack - 2 minutes with your phone (locked) and I can create a ton of work for you putting it back to normal (and presumably make it untraceable by the apple fine your iphone tools).
Nigel.
Flag
0
Comments
-
Hi Nigel! That is a very good question.
The attack of the sort used by XRY gets beneath the software that would keep that count of attempts, so "Erase after N failed attempts" does [b]not[/b] protect against this kind of attack.
You are absolutely correct that if you do set "Erase after N failed attempts" someone could maliciously or accidentally destroy the data on your phone. This is why I don't particularly recommend it. Accidental erasure could come from a child playing with the phone or from the owner of another iPhone who thought they were working on their own.
Find My iPhone can help you if your phone is taken by naive criminals, who wouldn't be using these kinds of cracking tools, but even a moderately sophisticated criminal will remove the SIM card, thus making the device untraceable. Removing the SIM card will also get around "Remote Wipe" as well.
It's actually for reasons like this that we never built in such features into 1Password; they [i]don't[/i] add much additional security against sophisticated attackers, but they do dramatically increase the chance that someone will accidentally lose their data.
Cheers,
-jFlag 0 -
Oops! I meant to say, [color=#282828][font=helvetica, arial, sans-serif]"'Erase after N failed attempts' does [i]not [/i]protect against this kind of attack."[/font][/color]Flag 0
-
Thanks! Exactly what I was wondering too.Flag 0
-
Hey - one more question. Any update on this http://9to5mac.com/2012/04/02/xrys-two-minute-iphone-passcode-exploit-debunked/ and that A5 and newer devices don't have this exploit? I imagine you would still recommend keeping a non-simple passcode on iOS devices. But can you corroborate that this exploit isn't possible on newer devices?Flag 0
-
Thanks jesselperry2!
I had been suspicious about the device choices in their demos, so I am not at all surprised by the results of a careful, hands-on, analysis.
But we need to remember that XRY isn't the only forensics tool out there, and rootkits that run on newer model hardware may appear any day. So I consider the advice for a longer passcode still very meaningful.
I should also note that Micro Systemation have removed their demo video from YouTube. I also note that they are a UK based company. And while we are talking about the UK, let me mention some entirely random and irrelevant trivia I learned when living there. The Great Ouse flows slowly, but it does not, in fact, ooze. The UK has much tougher advertising standards laws than the US does.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.comFlag 0 -
You are very welcome. I suspect that these (pretty much useless) remote wipe features are the consequence of business requirements. Some organizations won't let their people store any business data on a device that doesn't meet a checklist of features. Some items on the checklist haven't been properly thought through.
Cheers,
-jFlag 0