

How Apple and Google help police bypass iPhone, Android lock screens - rdl
http://news.cnet.com/8301-31921_3-57408370-281/how-apple-and-google-help-police-bypass-iphone-android-lock-screens/

======
rdl
As far as I am aware, there is no public, non-destructive way to do this
with the iPad 2 or iPad 2012, or the iPhone 4S.

The memory of the phone is encrypted. There is a tamper-resistant chip in the
iPhone which contains that code, as well as device-specific passcodes (e.g.
the 4-digit unlock passcode), in the Keystore API.

Prior to the above devices, there was a way to plug the phone into a host
computer and image the memory (even while locked), then brute-force the unlock
passcode (often a 4-digit numeric). The brute force still requires the
physical phone, but the "10 tries and delete device" protection doesn't apply,
because you've already imaged it. ElcomSoft, among others, makes software to do
this (it's about $1k). You can do about 5-15 attempts per second, so a 10k
search space goes fast.

After the iPad 2, that was fixed -- the only way to attack the phone is to
brute force the passcode on the device itself, and the "10 tries and erase"
protection DOES apply.

There may still be a backdoor (such as a way to disable the "10 tries and
erase" function), or an implementation flaw.

The only way I know of to recover the passcode technically is to attack the
secure processor, which I think is a FIPS 140-2 level 2 thing. Maybe $3k per
device, and physically destructive to the phone.

I would kill for a FIPS 140-2 level 3 phone (hardware and software
protection), or at least something which protected Keystore to that level (or
higher). All source code and chip masks would need to be published, if not
open source, because otherwise it would be a really tempting product to
backdoor.
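The two regimes rdl contrasts (offline guessing against an imaged device, versus on-device guessing where the "10 tries and erase" limit caps the attacker) put into a small risk model. This is an added example, not code from the thread or from any vendor; the attempt rate, the 10-try cap and the passcode policies are constructed assumptions taken from the comment above.

```python
# Added example (not from the thread): compare passcode policies under
# offline guessing (no cap) and on-device guessing (erase after N tries).
# Attempt rates and policies are constructed assumptions for illustration.

def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes, e.g. 10**4 for a 4-digit numeric PIN."""
    return alphabet_size ** length


def offline_worst_case_seconds(alphabet_size: int, length: int,
                               attempts_per_second: float) -> float:
    """Seconds to exhaust the keyspace when guesses are neither rate-limited
    nor capped (the imaged-memory case). Average time is half of this."""
    return search_space(alphabet_size, length) / attempts_per_second


def on_device_success_probability(alphabet_size: int, length: int,
                                  max_tries: int) -> float:
    """Chance of hitting a uniformly chosen passcode before the erase limit:
    max_tries guesses out of the whole keyspace (4-digit PIN, 10 tries: 0.1%)."""
    return min(1.0, max_tries / search_space(alphabet_size, length))


def policy_table(attempts_per_second: float = 15.0, max_tries: int = 10):
    """Rows of (label, keyspace, offline hours, on-device success probability)
    for a few constructed passcode policies."""
    policies = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                ("8-char alphanumeric", 62, 8)]
    rows = []
    for label, alphabet, length in policies:
        hours = offline_worst_case_seconds(alphabet, length,
                                           attempts_per_second) / 3600.0
        prob = on_device_success_probability(alphabet, length, max_tries)
        rows.append((label, search_space(alphabet, length), hours, prob))
    return rows


if __name__ == "__main__":
    for label, space, hours, prob in policy_table():
        print(f"{label:22s} keyspace={space:<16d} "
              f"offline<= {hours:12.1f} h  on-device p={prob:.2e}")
```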

