iOS 4 hardware encryption cracked

Russian security outfit ElcomSoft is shipping a toolset that cracks open the hardware encryption protecting iOS4-based iPhones – but it's only for spooks and law enforcement. In an announcement that will have black-hats working to replicate its results, the company says its tool can “extract all relevant encryption keys from …

COMMENTS

This topic is closed for new posts.

This post has been deleted by its author


Or you can just use this...

http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp

Anonymous Coward

Different problem

That's a completely different issue and it only gives access to some parts of the keychain. In particular see their FAQ question 2.15.

This one gives access - after cracking the key - to the whole keychain plus everything else.

But it does take quite a while. If it's really just brute force by just adding the standard alphabet to the password instead of just digits we're talking 4 days to crack, or almost 8 with capitalization. Make the password longer than 4 characters and that increases exponentially.


Typo?

Should the last sentence say "by a _plod_ suffering a rush of blood to his head. ®"?


whatever

The author probably wanted to make a portmanteau word from "plod" and "clot".

(Written by Reg staff)

Re: whatever

Clever and kind - but wrong.

Typo now corrected


Errr...

Sorry, but are you saying hackers who are providing cracking methods to governments and snoop services are the white hats?


Grey is the best description. They are white by Russian standards though

Elcomsoft is the company which was involved in the Adobe DRM bypass brouhaha a while back.

http://www.theregister.co.uk/2002/12/10/im_no_hacker_sklyarov_tells/

http://www.theregister.co.uk/2002/10/16/sklyarov_denied_us_visa/

It is an interesting company. It has demonstrated some key differences between UK and let's say Russia from a management perspective. The company director actually went to testify, took the charges onto himself and the company and faced the charges so that his software developer, arrested on that case, was released:

http://www.wired.com/politics/law/news/2001/12/49122

I do not see a nowadays UK manager who treats his staff as human resource doing that. The ones I know are more likely to chew and swallow their MBA diploma without ketchup instead.


@AC 08:45

Well you don't know the whole story do you?

Maybe the software dev had some bigger dirt on the director that would make the charges seem almost like stealing candy from a child.

It is Russia we're talking about right?


I do not know the whole story, but I have worked both places

Let me explain to you the difference between UK and Russia in terms of management.

In Russia (and many other European countries, especially towards the Eastern side), traditionally, the staff is disposable, the manager is doubly so. They spell Responsibility with a capital R.

There the manager gets a bullet in the back of the head (literally or not so literally) FIRST when things go wrong. As a result he has no choice but to care about his staff and be responsible. If they are sent to "certain death" he will actually tell them where they are going. There, if staff defects to a competitor, they usually go all together, led by the manager. And so on. I have seen it first hand for many years.

In UK, traditionally, staff is disposable, the manager is _NOT_ so. He gets a promotion and is moved to a different job FIRST when things go wrong. I have also seen that first hand for many years.

USA is either way by the way. I have seen both cultures there. You have Jobs "shooting managers in the back of the head" for failing a project in front of the whole company while retaining the grunts and you have people carefully floating about on golden parachutes and moving "to have more time with the family" or "pursue new ventures" after they miserably failed at what they are doing. Well... we have all seen that one too...


This post has been deleted by its author


Why bother with this?

Let's face it, under UK law, if threatened by the plod or the courts, you have to hand over your passwords anyway, so what's this achieve?! The Plod are still going to reach for the rubber baton or the line "Sorry, Guv he fell down the stairs/walked into the cell door just before he gave us the password."!


4 digit passcode

Surely if you have sensitive data on your iPhone you wouldn't have the 'Simple 4 digit Passcode' enabled anyway. When you use the more complex passcode you're able to have an unlimited length alphanumeric & special character passcode.

OR

Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks.


errr

"Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks"

The brute-forcing would be done offline against the specific files - you'd only be putting the derived key into the device. Hence this would be no defence.


Thankfully for trusted organisations only!

“we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organisations and select government agencies”.

Oh, sorry my mistake.


We don't want it to fall...

But we will quite happily sell it!


Am I the only one...

...who gets a funny feeling when he sees the phrase "Russian security outfit"?


Probably not

Doesn't mean it's OK to get that feeling, though.

Anonymous Coward

re: Am I the only one

If you are over 50 it gives you a feeling of nostalgia for the days when things worked, personal freedom was taken for granted in the West, and we had sane opponents to deal with.


This post has been deleted by a moderator

Hard to get right

A really watertight encryption of the file system is hard to do. Either you have the key on the device (which is mainly good for quick wiping and not much more) or you have an external key (like a strong password) and nobody wants to type a 64-character alphanumeric password each time he wants to make a call.

Many people seem to find even a 4-digit password too inconvenient.


Title is required but can no longer be bought from politicians

"a plod suffering a rush of blood to the head" - so that'll be away from his brain then?
