Or you can just use this...
Russian security outfit ElcomSoft is shipping a toolset that cracks open the hardware encryption protecting iOS4-based iPhones – but it's only for spooks and law enforcement. In an announcement that will have black-hats working to replicate its results, the company says its tool can “extract all relevant encryption keys from …
That's a completely different issue and it only gives access to some parts of the keychain. In particular see their FAQ question 2.15.
This one gives access - after cracking the key - to the whole keychain plus everything else.
But it does take quite a while. If it's really just brute force by just adding the standard alphabet to the password instead of just digits we're talking 4 days to crack, or almost 8 with capitalization. Make the password longer than 4 characters and that increases exponentially.
Should the last sentence say "by a _plod_ suffering a rush of blood to his head. ®"?
the author probably wanted to make a portmanteau word from "plod" and "clot".
Clever and kind - but wrong.
Typo now corrected
Sorry, but are you saying hackers which are providing cracking methods to governments and snoop services are the white hats?
Elcomsoft is the company which was involved in the Adobe DRM bypass bru-ha-ha a while back.
It is an interesting company. It has demonstrated some key differences between UK and let's say Russia from a management perspective. The company director actually went to testify, took the charges onto himself and the company and face the charges so his software developer arrested on that case is released:
I do not see a nowdays UK manager who treats his staff as human resource doing that. The ones I know are more likely to chew and swallow their MBA diploma without ketchup instead.
Well you don't know the whole story do you?
Maybe the software dev had some bigger dirt on the director that would make the charges seem almost like stealing candy from a child.
It is Russia we're talking about right?
Let me explain you the difference between UK and Russia in terms of management.
In Russia (and many other European countries, especially towards the Eastern side), traditionally, the staff is disposable, the manager is doubly so. The spell Responsibility with a capital R.
There the manager gets a bullet in the back of the head (literally or not so literally) FIRST when things go wrong. As a result he has no choice but to care about his staff and be responsible. If they are sent to "certain death" he will actually tell them where are they going. There if staff defects to a competitor there they usually go altogether led by the manager. And so on. I have seen it first hand for many years.
In UK, traditionally, staff is disposable the manager is _NOT_ so. He gets a promotion and is moved to a different job FIRST when things go wrong. I have also seen that first hand for many years.
USA is either way by the way. I have seen both cultures there. You have Jobs "shooting managers in the back of the head" for failing a project in front of the whole company while retaining the grunts and you have people carefully floating about on golden parachutes and moving "to have more time with the family" or "pursue new ventures" after they miserably failed at what they are doing. Well... we have all seen that one too...
Let's face it, under UK law, if threatened by the plod or the courts, you have hand over your passwords anyway, so what's this achieve?! The Plod are still going to reach for the rubber baton or the line "Sorry, Guv he fell down the stairs/walked into the cell door just before he gave us the password."!
Surely if you have sensitive data on your iPhone you wouldn't have the 'Simple 4 digit Passcode' enabled anyway. When you use the more complex passcode you're able to have an unlimited length alphanumeric & special charachter passcode.
Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks.
"Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks"
The brute-forcing would be done offline against the specific files - you'd only be putting the derived key into the device. Hence this would be no defence.
“we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organisations and select government agencies”.
Oh, sorry my mistake.
But we will quite happily sell it!
...who gets a funny feeling when he sees the phrase "Russian security outfit"?
Doesn't mean it's OK to get that feeling, though.
If you are over 50 it gives you a feeling of nostalgia for the days when things worked, personal freedom was taken for granted in the West, and we had sane opponents to deal with.
A really watertight encryption of the file system is hard to do. Either you have the key on the device (which is mainly good for quick wiping and not much more) or you have an external key (like a strong password) and nobody wants to type a 64 characters alphanumeric password each time he wants to make a call.
Many people seem to find even a 4-digit password as too inconvenient.
"a plod suffering a rush of blood to the head" - so that'll be away from his brain then?
fscked by SHA-1 collision? Not so fast, says Linus Torvalds