Apple patent stashes passwords in chargers Apple has filed a patent on a power adapter that helps users to get back forgotten passwords. The system works by storing login information in a memory chip in the power supply and a key on the computer or server to unlock the secret. The documentation describes one scenario in which a computer user's login password is …
It seems like this *might* actually increase security problems, rather than reduce. If nothing else, you'd have to buy more power adapters so that you kept your "good one" locked in a safe. :) Pretty interesting nonetheless. Looks like a legit patent filing from Apple as well. Don't know if there is a prior art problem or not since there have been plenty of dongles in the past for this, but good on them for filing something that didn't involve rounded corners. (As much grief as I've given Apple on "look and feel" pseudo-patents, I do feel obligated to give credit where credit is due.)
From the linked article, apparently it is supposed to have a security question like "what was the name of your first pet?" prior to letting you get in, and can distribute the ciphers around the network to make sure you are who you think you are... Seems like the increased complexity of that will ensure it won't get used though, unless you can push the policies down through AD, or Tivoli, or whatever.
Ugh. If your power adapter has your password on it (and its a known disclosed feature), it shouldn't be stored (or even used) with your laptop in a situation where it might be stolen. Hence the safe comment. (admittedly overkill unless in the CIA)
The current solutions of using a USB dongle, or CD's or post-its are less homogenous in nature being different solutions to the issue. There is diversity there, and the crook probably wouldn't know what to do with them anyway (except the post it note, and then only if on the bottom of the keyboard/laptop). This idea gives you a known single attack vector, hence lack of diversity and a single security point to focus on. Think about it, if your power adapter has your passwords on it, then you'd have to secure it differently than your power adapters today.
"Looks like a legit patent filing from Apple as well."
I must say, it is a legit patent idea from Apple, for once. The reason no one else thought of it first? They did, but it's obviously a terrible idea, as noted in the article. Lose the adapter with the PC (carrying case anyone?) and you're toast. This may make more sense for a USB-charged phone (as you can have many USB cables, but only one wall-wart USB adapter that is toted around in a bag, but your phone is usually separate in a pocket on one's person. Then again, how many people actually lock their phone with anything harder than 1234 or a 1379 swipe?
But does the PSU have rounded corners???
But I also think this only the first step in devilishly clever crApple plan, next crApple will add a display to the PSU so that you can see your password and they will iPatent that, then they will add a monitor (with rounded corners) so you can enter and update the password and iPatent that…
You can see where this going, can’t you.
That's a bit OTT even for an iPSU.
You might, however, consider the viability of a thumb or finger reader to permit the required digit to be scanned, and the password locked to said digit...you know, once they realise what a dumb security fail this could be (but then, so many of the juicier stories about The Big Fruit are security fails - it makes me, a Windows user, feel warm and cosy ;) ).
PS: if there is a finger reader in a power supply to unlock a stored password, remember, you read it here first!
Why not just tell the user to log on to one or more network resources of the phone's owner? For instance, with my HTC EVO 4G, I locked myself out and then just as I had a sinking feeling that I would have to go to a Sprint store to have it unlocked, a Google notice popped up telling me of the lockout after 3 (3 IIRC) failed log-on attempts. In order to get back into my phone, I was to enter my email address to which the phone was tethered, then log in to my gmail account (gmail acct, IIRC). Voila! I was in, and was prompted to reset my password.
Even if HTC and Sprint were to conspire to tie the phone to fobs/dongles and the wall-side block that is detachable from the USB side fo the charging wire, it would not necessarily mean trying to tie the user to a specific charger. If they did so, it theoretically could cause supply-chain issues if factory employees or the plant conveyors somehow mixed up chargers and devices. And, the plant routing system would have to be programmed to join up the relevant parts at the device's packing and sealing-up area. If stores later broke open devices to verify recept of genuine devices or to further customize them, then the chargers might be inadvertently (or malicously?) commingled.
Now, the idea of tethering the password chip and wire/cord to the device might work IFF the retail outlet or the direct-sales areas could re-sync the suspected-commingled wires just before re-sealing the phones, but that means they'd have to be given privileged access to some more proprietary stuff.
Also, mix-ups could happen in service areas when the phone or other device is brought in for repairs. A mixup might doom the retailer or repair facility to giving the customer a free charger or dongle if re-programming was a one-shot deal from each wire. That might imply that an abundance of disposable charger wires or blocks would be manufactured. So, I doubt Apple would be THAT nasty
A good idea, though, would be to brick that phone automatically and simultaneously factory-reset at NSA grade (boot & nuke?) on user-predefined conditions:
-the device is put into a shielded bag while still on and still on for over 5 minutes
-- the device loses network connectivity, and the input interface detects random/ad-hoc sleuthing patterns not matching the owner's pre-defined pattern
-- the device is hooked up to a cable or another machine or even a so-called "master machine" and does not have the user's first-set Ultimate ID password (one use on initial config, not the day-to-day master password)
-- the device is spuriously probed by outside wired or wireless devices and after a warning tone not 'suspended' by the owner's MASTER master password
-- if the battery is tampered with or replaced....
This could prevent owers' devices from being read by uninvited forces/parties.
As for protecting the microSD card, some sort of hidden pin/button or pre-removal swipe sequence needs to be configured, or the phone needs to come with so much RAM that the paranoid or very defensive user won't be tempted to even USE as microSD card. But, that would make non Apple phones more like Apple phones.
An iWotsit's battery performance isn't all that amazing if you're actually using the thing. A day or so if you're the type to play Angry Birds on the bus. My Arc S seems to last about the same length of time.
I've solved the problem myself with an external USB battery, one of the Energizer XPal things. £70, 8Ah and it'll charge the tablet once from empty or the phone about three or so times. Apparently the 16-20V output will power low-juice netbooks and laptops for "up to 3 hours" and Energizer promise "two free tips per year for life" for new products, but that's probably something for Reg Hardware to cover in more detail.
More on-topic though, I'm looking at this patent and scratching my head a bit. What measure could ensure that a stolen phone+PSU could not be used by the thief to recover a password, and how is this more convenient than putting the password recovery abilities in the phone itself? Especially considering what happens if you lose the charger?
We can install malicous code in Apple keyboards that can't be removed. (2009)
We can install updated potentially malicious firmware in Apple batteries (July 2011).
Now we have a new power supply with built-in firmware and processor....
Perhaps we can coordinate the firmware in the battery and power supply to blow up the battery, perhaps through charging it too quickly.
Now frankly I would never go near it, but I also don't buy Apple stuff ever. I know people who use all Apple gadgetry who are frankly clueless about security etc, and being able to press an "I don't know - ask the charger" lazyboy button would be right up their streets.
I can see a place for this in the "at home" charger, then having a sleeker, lighter, regular charger for on the road use. However knowing Apple's fondness for vendor lock-in, good luck if the charger ever dies.
Also, I can see this as another attack surface
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
