My guess is that Apple is only synchronizing after the failure animation completes. Should be easy to patch.
>Further research suggests this could be the issue detailed in CVE-2014-4451 but this has yet to be confirmed. We plan to test the same attack on an 8.2 device and will update with our progress.
It was fixed in 8.1.1
When BT Cellnet mobiles came out.
If you pulled out the battery while sending an SMS, you'd get it for free; a bit annoying, but still a cool trick when you were on PAYG.
Many, many enterprises bet their data on passcodes combined with the 10-guess wipe defense. You can bet that they've already called Apple many times about this.
It'll be patched very soon.
This is where a longer pass-code + TouchID is valuable.
(Download MP4 and use a desktop player, it contains an English translation)
If you're only concerned about thieves, sure, TouchID is probably fine.
edit: at most 18 weeks; actual time will probably be shorter
The obvious fix is to write the attempt count first, before even bothering to check if the PIN is correct. The flash on iOS devices is a bit slow but not slow enough to matter in this case.
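To make the ordering point concrete, here is an added Python model (not code from the thread or from Apple) of a passcode lock with a persistent failure counter. The `Flash`, `PowerCut` and the sample PIN are constructed stand-ins: the "vulnerable" routine verifies the guess and only then records the failure, so cutting power during the animation discards the count, while the "fixed" routine commits the attempt before verifying, so a power cut changes nothing.

```python
"""Added example (not from the thread): why the write ordering of the
failed-attempt counter matters. Everything here is a constructed simulation."""

import hashlib
import hmac

MAX_ATTEMPTS = 10
SECRET_PIN = "7341"  # constructed sample value, not a real device PIN


class Flash:
    """Stand-in for the device's persistent store (constructed)."""

    def __init__(self):
        self.failed_attempts = 0
        self.wiped = False
        self.writes = 0

    def commit(self, failed_attempts):
        self.writes += 1
        self.failed_attempts = failed_attempts


class PowerCut(Exception):
    """Simulates the battery being pulled / device rebooted mid-animation."""


def pin_matches(guess):
    # Compare hashes in constant time so the check itself leaks no timing info
    return hmac.compare_digest(hashlib.sha256(guess.encode()).digest(),
                               hashlib.sha256(SECRET_PIN.encode()).digest())


def attempt_vulnerable(flash, guess, cut_power_before_write=False):
    """Check first, persist later: the count is only durable after the animation."""
    if flash.failed_attempts >= MAX_ATTEMPTS:
        flash.wiped = True
        return False
    if pin_matches(guess):
        flash.commit(0)
        return True
    # The failure animation plays here; power is cut before the write lands
    if cut_power_before_write:
        raise PowerCut
    flash.commit(flash.failed_attempts + 1)
    if flash.failed_attempts >= MAX_ATTEMPTS:
        flash.wiped = True
    return False


def attempt_fixed(flash, guess, cut_power_before_write=False):
    """Persist the attempt before verifying: a power cut cannot undo the count."""
    if flash.failed_attempts >= MAX_ATTEMPTS:
        flash.wiped = True
        return False
    flash.commit(flash.failed_attempts + 1)  # charge the attempt up front
    if pin_matches(guess):
        flash.commit(0)                       # refund on success
        return True
    if cut_power_before_write:
        raise PowerCut                        # too late: already on flash
    if flash.failed_attempts >= MAX_ATTEMPTS:
        flash.wiped = True
    return False


def brute_force(attempt, guesses, cut_power=True):
    """Run the reboot trick against a lock routine.

    Returns (recovered_pin_or_None, failed_attempts_the_flash_remembers)."""
    flash = Flash()
    for g in guesses:
        try:
            if attempt(flash, g, cut_power_before_write=cut_power):
                return g, flash.failed_attempts
        except PowerCut:
            pass  # "reboot" and continue with the next guess
        if flash.wiped:
            return None, flash.failed_attempts
    return None, flash.failed_attempts


if __name__ == "__main__":
    space = [f"{i:04d}" for i in range(10000)]
    print("vulnerable ordering:", brute_force(attempt_vulnerable, space))
    print("fixed ordering:     ", brute_force(attempt_fixed, space))
```

Against the vulnerable ordering the full 4-digit space is searched with the counter still reading zero; against the fixed ordering the device hits the 10-attempt wipe regardless of how many reboots are interleaved. The cost is one extra write per wrong guess, which is the flash-wear trade-off discussed further down the thread.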
You don't even need a fancy machine to guess the most common pins if that's the case! Just let the battery run out and start again. Seems like a really poor setup if that's true.
Note for those not good at dividing hours by 24 in your head: 111 hrs is 4.65 days
> Utterly staggering at the lack of imagination ... nearly 11% of the 3.4 million passwords are 1234 !!!
Not so staggering. Those people probably did not want a PIN to begin with. I know someone with the PIN 1234. Why does she have a PIN at all? Because the phone requires it to store Exchange credentials (if I remember correctly). I've suggested changing it to 1111 because it's even faster to type, but she never got around to it.
I too have a pattern lock, the simplest one I could come up with. Easily broken. Why? It's required to store VPN credentials in Android.
And there is a second advantage: by trying a PIN, even a default one, you are gaining unauthorized access to an automated system. This is illegal by Dutch law, even if the only security was a warning message on the lock screen saying "Do not unlock."
Now that I have TouchID I can use a strong password for unlock since I don't have to enter it every 30 seconds
One workaround is to use IMAP, if available (also up to the admin), but you lose the calendar capability, which is arguably the killer feature of Exchange.
Another workaround is to increase the time your phone will require a password after inactivity to something large, like 30 minutes or an hour. You still have to enter a PIN once in a while, but it's more convenient and will still be effective in some cases when lost or stolen.
I'd be willing to guess that most phones have a passcode that's like "1234", or between the numbers 1900 and 2100. 300 tries can easily get a vast majority of 4 digit passcodes, let alone 4 days' worth of tries.
I wonder how much that is reduced by starting off with more likely combinations, e.g. "1111", "1234", "9999".
Doing a graphical integration on
I get ~28 hours.
Well, I'll say I don't have to punch in my 4 digit PIN much, perhaps that's what you meant. But the 'full password' - the Apple ID password - I have to put that in all the time. The touchID verification for apple store downloads seems to only hold for an hour or so, then I gotta punch in the full painful password again... :(
1) ask for password on phone reset
2) ask for password if it hasn't been used for an authentication for ~72 hours
something about people forgetting their passwords if they never got asked for them at all
What's crappy about it is that they force a moderately complex password strength which is much harder to input on a touch screen keyboard. I'm constantly having to enter that - the 'touch id' for using the apple store, to me, is effectively useless. For unlocking the device, it's fine.
The reality is most people aren't security conscious until AFTER something bad happens, even if you warn them ahead of time. But this also seems to be human nature. Life is complicated enough that we try to balance things towards convenient until it's clear something has to change. This will happen with global warming, industrial foods, water policy, oil-based economies, all-your-life-online etc just like it has with lead, atomic/chemical weapons, and the lack of regulatory bodies.
The police, btw, wouldn't do anything. We even have the person's IP address on Comcast, so it's easy for law to find out the address of the actual thief. They won't waste their time on mobile theft, despite the fact that he lives in a small rich town that doesn't really have any crime!
I think "rich" could be the case.
I probably unlock my phone 50 times a day (incurring 100 writes under my scheme), and that is negligible in the grand scheme of things.
Just to get some other numbers, let's assume I sleep 7 hours a day on average, and look at my phone every 5 minutes the rest of the day.
Then we're looking at 204 extra writes a day (17 * 12), and ~74.5k extra writes a year, and ~150k writes over the lifetime of the phone.
This isn't a negligible change, but seems within the acceptable number of writes for the phone to perform over its lifetime to properly implement a key piece of security.
If they really wanted to write it to flash, they could make it so that the first failure isn't written at all, the second has a 50% chance, the third a 100% chance.
Or make it so that if the device has only been running a short period of time, then all failures require a thirty second wait until you can retry.
There are plenty of ways to make it impractical without necessarily reducing the lifetime of the device.
That being said, I can't imagine that flushing to flash each time would substantially reduce its lifetime.
Records it in photo EXIF data, for some reason.
Perversely, "Lost Mode" incentivizes thieves to do whatever is necessary to unlock your phone, since they can't just wipe it and resell it. Apparently it's common for thieves to phish the contact phone number displayed on a "Lost Mode" iPhone: http://www.symantec.com/connect/blogs/cybercriminals-phish-i...
Even using just lowercase letters, the maximum time expands from 111 hours to about 132,000 hours (15 years) per passcode.
Going to six letters expands it to about 390 years.
But it also has a lockout. If you mess up too many times (5-10?) then TouchID gets temporarily disabled and you must login once with pin/password as if the phone was reset.
That means their 'reboot the phone' attack is worthless against TouchID. By the time you figure out the password you've already unlocked the phone and TouchID is no longer relevant to you unless you're somehow trying to reverse engineer someone's fingerprint.
Well yeah basically. I mean, it's just recognizing some pattern as "the fingerprint" right? So if you can replicate a matching pattern you can beat a fingerprint scanner. I'm just curious what resolution the scanner/recognizer pattern is at.
I'm assuming Apple uses some kind of capacitive sensor. From googling it looks like it's a 500ppi sensor. The sensor isn't even 1"x1", it's maybe 1/2"^2. Which gives us 62,500 "pixels" or whatever the sensing elements are called.
That's 2^62,500 (assuming the sensors are binary) combinations. That's a big number, and probably uncrackable.
But maybe there's some fuzziness in the sensor or the software and the effective resolution is more like 100ppi. That's still a huge number (753 digits).
But then maybe you can apply some smart guesses or some reverse engineering and concentrate patterns in the middle of the sensor (where good contact might be made), maybe down to a 1/32" section. Now we're within brute force distance.
All you need now is a tool at that resolution to input fingerprint patterns, or just provide signals to the sensor lines.
After all, this is possible [1], why not fingerprints?
1 - http://gizmodo.com/this-is-what-happens-when-you-reverse-eng...
The attack in the article does not work to get around this, because Touch ID does not work at startup until you have entered the code.
So brute forcing it is not going to work unless you have the passcode, in which case brute forcing it isn't super useful.
Reverse engineering someone's fingerprint can be done from a simple photo, as demonstrated in this talk.
The number pad presented resembles a standard DTMF keypad. Which means that it also has all the letters on it. Some people might prefer using those to numbers. E.g. a long time ago a friend had a phone number of "tinyhat". Much easier for me to remember, even after nearly 40 years, than the 7 digits that translated to.