iOS 4 hardware encryption cracked

Russian security outfit ElcomSoft is shipping a toolset that cracks open the hardware encryption protecting iOS4-based iPhones – but it's only for spooks and law enforcement. In an announcement that will have black-hats working to replicate its results, the company says its tool can “extract all relevant encryption keys from …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. joe.user
    Go

    Or you can just use this...

    http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp

    1. Anonymous Coward
      Different problem

      That's a completely different issue and it only gives access to some parts of the keychain. In particular see their FAQ question 2.15.

      This one gives access - after cracking the key - to the whole keychain plus everything else.

      But it does take quite a while. If it's really just brute force by just adding the standard alphabet to the password instead of just digits we're talking 4 days to crack, or almost 8 with capitalization. Make the password longer than 4 characters and that increases exponentially.

  3. jonathanb Silver badge
    Headmaster

    Typo?

    Should the last sentence say "by a _plod_ suffering a rush of blood to his head. ®"?

    1. David David David David (formerly David 22)

      whatever

      The author probably wanted to make a portmanteau word from "plod" and "clot".

      1. Anonymous Coward
        Re: whatever

        Clever and kind - but wrong.

        Typo now corrected

  4. Steve Evans

    Errr...

    Sorry, but are you saying hackers who are providing cracking methods to governments and snoop services are the white hats?

    1. Anonymous Coward
      Thumb Up

      Grey is the best description. They are white by Russian standards though.

      Elcomsoft is the company which was involved in the Adobe DRM bypass brouhaha a while back.

      http://www.theregister.co.uk/2002/12/10/im_no_hacker_sklyarov_tells/

      http://www.theregister.co.uk/2002/10/16/sklyarov_denied_us_visa/

      It is an interesting company. It has demonstrated some key differences between UK and let's say Russia from a management perspective. The company director actually went to testify, took the charges onto himself and the company and faced the charges so that his software developer, arrested in that case, would be released:

      http://www.wired.com/politics/law/news/2001/12/49122

      I do not see a nowadays UK manager who treats his staff as human resource doing that. The ones I know are more likely to chew and swallow their MBA diploma without ketchup instead.

      1. Anonymous Coward
        Black Helicopters

        @AC 08:45

        Well you don't know the whole story do you?

        Maybe the software dev had some bigger dirt on the director that would make the charges seem almost like stealing candy from a child.

        It is Russia we're talking about right?

        1. Anonymous Coward
          Thumb Down

          I do not know the whole story, but I have worked both places

          Let me explain to you the difference between UK and Russia in terms of management.

          In Russia (and many other European countries, especially towards the Eastern side), traditionally, the staff is disposable, the manager is doubly so. They spell Responsibility with a capital R.

          There the manager gets a bullet in the back of the head (literally or not so literally) FIRST when things go wrong. As a result he has no choice but to care about his staff and be responsible. If they are sent to "certain death" he will actually tell them where they are going. There, if staff defect to a competitor, they usually go all together, led by the manager. And so on. I have seen it first hand for many years.

          In UK, traditionally, staff is disposable, the manager is _NOT_ so. He gets a promotion and is moved to a different job FIRST when things go wrong. I have also seen that first hand for many years.

          USA is either way by the way. I have seen both cultures there. You have Jobs "shooting managers in the back of the head" for failing a project in front of the whole company while retaining the grunts and you have people carefully floating about on golden parachutes and moving "to have more time with the family" or "pursue new ventures" after they miserably failed at what they are doing. Well... we have all seen that one too...

  5. This post has been deleted by its author

  6. The Fuzzy Wotnot
    Pint

    Why bother with this?

    Let's face it, under UK law, if threatened by the plod or the courts, you have to hand over your passwords anyway, so what's this achieve?! The Plod are still going to reach for the rubber baton or the line "Sorry, Guv he fell down the stairs/walked into the cell door just before he gave us the password."!

  7. tomsof

    4 digit passcode

    Surely if you have sensitive data on your iPhone you wouldn't have the 'Simple 4 digit Passcode' enabled anyway. When you use the more complex passcode you're able to have an unlimited length alphanumeric & special character passcode.

    OR

    Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks.

    1. lansalot

      errr

      "Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks"

      The brute-forcing would be done offline against the specific files - you'd only be putting the derived key into the device. Hence this would be no defence.

  8. BristolBachelor Gold badge
    Joke

    Thankfully for trusted organisations only!

    “we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organisations and select government agencies”.

    Oh, sorry my mistake.

  9. Snark
    Happy

    We don't want it to fall...

    But we will quite happily sell it!

  10. Anonymous Coward
    Joke

    Am I the only one...

    ...who gets a funny feeling when he sees the phrase "Russian security outfit"?

    1. An ominous cow herd

      Probably not

      Doesn't mean it's OK to get that feeling, though.

    2. Anonymous Coward
      re: Am I the only one

      If you are over 50 it gives you a feeling of nostalgia for the days when things worked, personal freedom was taken for granted in the West, and we had sane opponents to deal with.

  11. uhuznaa

    Hard to get right

    A really watertight encryption of the file system is hard to do. Either you have the key on the device (which is mainly good for quick wiping and not much more) or you have an external key (like a strong password) and nobody wants to type a 64-character alphanumeric password each time he wants to make a call.

    Many people seem to find even a 4-digit password too inconvenient.

  12. Anonymous Coward
    Joke

    Title is required but can no longer be bought from politicians

    "a plod suffering a rush of blood to the head" - so that'll be away from his brain then?
