
Stop using 6-digit iPhone passcodes - sc90
https://twitter.com/hprange/status/1291366930058825730
======
aeternum
There's no evidence the 6-digit passcode was the issue here. It is more likely
the thieves immediately turned off the device then used an (offline) chain of
vulnerabilities to pull sensitive data off the phone. That's typically how
these hacks go.

If no vulnerabilities are available, the thieves will often just keep the
phone offline until one becomes available.

~~~
piracy1
But it's likely cheaper, easier, and more reliable to just brute force the 6
digits. Apple used to slow down such attacks with timeout periods of 60
seconds, then 10 mins, then hours, but it seems they've entirely eliminated this
cooldown process. I wonder if this was done at the advice of law enforcement.
Why keep a fleet of exploits and post-ex ready when you could just plug in the
phone and leave it for a few hours? Also, if you're concerned about such an
attack, enable "delete all data after 10 passcode attempts".

------
easton
Why didn’t he click to wipe the device but keep it in lost mode? I could’ve
sworn that was an option, and based on the attacker's movements, they would
have had to put the iPhone back on the internet at least for a couple of minutes
to get the Apple ID reset, which would’ve been enough time for the wipe
command to process.

------
rvz
This.

Use a complex password never written down just like you do with a master
password for a password manager.

Also set it to wipe your phone after 10 tries so that thieves can never obtain
your details like this.

~~~
sushid
Agreed although I don't think the delete after 10 tries will do anything if
they're using a cracking software.

------
salmon30salmon
Wait. If his phone was unlocked while it was swiped, the thief could have
simply kept it unlocked through interaction throughout the entire heist. Why
make it more complex than that?

------
2OEH8eoCRo0
Shouldn't the security chip use its own timer to make you wait longer and
longer between failed attempts?

~~~
easton
It does[0]. Something is fishy about this story. Either the guy was targeted
by someone who had a guess at the passcode for the device, or there’s some way
that the Gray Key (which is only easily available to LEO and government
agencies) can bypass the rate limiting (would a hard reset do the trick? I
don’t think so, but I don’t hack iPhones. But the "iPhone is disabled" screen
sticks whether or not the device is on).

0: https://support.apple.com/guide/security/passcodes-sec20230a10d/1/web/1

~~~
evanreichard
There was no reference to the iPhone model in the Twitter thread that I
noticed besides the logo, which could be an iPhone X.

The iPhone X is vulnerable to an unpatchable BootROM exploit (checkm8), which
could bypass the need to even brute force.

EDIT: I haven't actually done this, and I'm not sure it would allow you to
bypass a PIN, so just a theory.

~~~
colejohnson66
AFAIK the bootrom exploit doesn’t allow getting around the _hardware-based_
lockout. But I’m open to being proven wrong.

~~~
n3k5
No, you're right: Checkm8 only lets you boot into a custom OS, but to decrypt
any data from the installed iOS, you'd need to hack the secure enclave, which
it doesn't touch.

(Technically you could boot a fake OS with a passcode skimmer, but developing
this into an actual exploit isn't any easier than simply observing the user
entering their passcode.)

------
jtsiskin
Why spend $2,500 on in-app purchases? This makes it seem like this app is
somehow colluding with the thieves?

~~~
kfarr
Get in-game currency, trade or send it to accounts you control, cash out.

------
RandomBacon
Maybe the thieves are on the lookout for anyone entering their passcode into
the phone in public. If they manage to see the passcode or swipe pattern, then
they'll steal the phone.

I've never seen anyone take steps to prevent others from seeing their passcode
or swipe pattern in public.

------
n3k5
Grubby wrote about this yesterday:

> _I [used a 6-digit passcode] thinking, basically, that even though a 6-digit
> passcode is less secure, anything truly dangerous like disabling Find My
> iPhone requires my iCloud password as well. It simply never occurred to me
> that if a thief (or law enforcement, or any adversary) has the device
> passcode, and your iCloud password is in your keychain, they can get your
> iCloud password from your keychain. All you need is the device passcode to
> access all of the passwords in iCloud keychain._

— https://daringfireball.net/linked/2020/08/24/can-thieves-crack-6-digit-iphone-passcodes

Btw., I'm sceptical about this part of the original Twitter thread:

> _why [is a weak passcode] an acceptable alternative to biometric
> verification to decrypt your keychain_

This assumes that biometric verification is better for this purpose. I don't
think that's the case when the attacker grabbed the device right out of your
hand and then gets to work on it for several hours. What your face or
fingerprints look like isn't all that secret. Fooling the device into
accepting a clone as the real thing takes some expertise and special equipment
and time — but so does “using some kind of device like the GrayKey”.

When it comes to somewhat sophisticated attacks (as opposed to keeping your
shoulder-surfing kids from making in-app purchases), Touch ID and Face ID are
merely improvements for people who would otherwise use _no_ passcode (or
‘00000’). I hope what they'll actually be used for, eventually, is sparing you
from having to re-enter the same code you just unlocked your device with ten
minutes ago in cases where you had it in your hand or in front of your face
that whole time.

This would allow for more nuanced threat models. For example, just seeing your
home screen and then opening your podcast feed could have a _way_ longer
timeout, whereas toggling ‘Find My …’ still requires a password every single time.
That sort of convenience would convince me to use these features.

But for now, if you want an alternative to a 6-digit code that's definitely
more secure, use an alphanumeric passphrase. Quoting Gruber's post once more:

> _a 6-character alphanumeric passphrase would take on average 72 years to
> crack by brute force because it takes 80-milliseconds for the secure enclave
> to process each guess._
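
The arithmetic behind the Gruber quote and the thread's "wipe after 10 tries" advice, as an added example that is not part of the original thread or of any Apple code. It assumes 80 ms per guess with no escalating lockout delays, uniformly random passcodes, and a 62-character alphanumeric alphabet (a-z, A-Z, 0-9), which is the alphabet that reproduces the 72-year figure.

```python
# Brute-force arithmetic for the passcode policies discussed in this thread.
# Added example, not code from the thread or from Apple. Assumptions: the
# Secure Enclave costs 80 ms per guess (the figure quoted from Gruber), the
# guesser is NOT slowed by escalating lockout delays, passcodes are uniformly
# random, and "alphanumeric" means the 62 characters a-z, A-Z, 0-9.

SECONDS_PER_GUESS = 0.080          # 80 ms per attempt, as quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600
WIPE_AFTER_ATTEMPTS = 10           # the "erase data after 10 failed attempts" setting

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes for an alphabet of the given size."""
    return alphabet_size ** length

def average_crack_seconds(alphabet_size: int, length: int) -> float:
    """Expected time to reach a uniformly random passcode: half the keyspace."""
    return keyspace(alphabet_size, length) / 2 * SECONDS_PER_GUESS

def worst_case_crack_seconds(alphabet_size: int, length: int) -> float:
    """Time to exhaust the entire keyspace."""
    return keyspace(alphabet_size, length) * SECONDS_PER_GUESS

def average_crack_years(alphabet_size: int, length: int) -> float:
    return average_crack_seconds(alphabet_size, length) / SECONDS_PER_YEAR

def success_probability_before_wipe(alphabet_size: int, length: int,
                                    attempts: int = WIPE_AFTER_ATTEMPTS) -> float:
    """Chance a blind guesser succeeds before the 10-attempt wipe triggers.
    This only models on-device guessing that the counter actually sees; it
    says nothing about an offline attack that sidesteps the counter."""
    return min(1.0, attempts / keyspace(alphabet_size, length))

def human(seconds: float) -> str:
    """Pick a readable unit for a duration in seconds."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Policies discussed in the thread: (alphabet size, length).
POLICIES = {"4-digit PIN": (10, 4), "6-digit PIN": (10, 6),
            "6-char alphanumeric": (62, 6)}

if __name__ == "__main__":
    for name, (alpha, n) in POLICIES.items():
        print(f"{name:20} avg {human(average_crack_seconds(alpha, n)):>12}  "
              f"worst {human(worst_case_crack_seconds(alpha, n)):>12}  "
              f"P(success in 10 tries) {success_probability_before_wipe(alpha, n):.0e}")
```

Running it shows a 6-digit PIN falling in about 11 hours on average (22 hours worst case), which is the "leave it for a few hours" scenario, while the 6-character alphanumeric case lands on the 72-year average Gruber cites.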

~~~
innagadadavida
This seems more like a UI bug that Apple needs to fix. If the UI doesn’t give
any indication of how many digits are expected and _always_ allows me to input
both numbers and alpha, then no one can guess these things.

Instead there are 4 separate UIs here: 4-digit, 6-digit, 7+ digits,
alphanumeric. Each of them gives an attacker lots of hints. Insecure by design.

