When talking about reports of tools that break into iPhones, it is very important to remember that the seller may be inclined to overemphasize its capabilities. It is also wise to keep in mind that the more sensational claims are the ones that tend to be picked up, and perhaps amplified, by the press. In this light, let’s talk about, a cracking/forensics tool for extracting data from iOS and Android devices.XRY, despite its recent press attention, does not appear to represent anything new. Everything that we said in still holds true. Your 1Password data remains encrypted. That is, even if an attacker gets through all of the the iOS security, including capture of the device passcode, he or she would still have to break your 1Password Master Password to get at your 1Password data. News of XRY has been circulating since Andy Greenberg of Forbes to it and to Micro Systemation’s video demonstration.The demo shows discovery of an iPhone’s passcode in a matter of second.
![]()
Don't drop it! Shocking repair prices for the iPhone X. The cost to fix a cracked screen at an Apple store is $279. The cost to repair a cracked screen on iPhone 8 is $169 and other damage. Question: Q: Cracked Screen and Water Damaged iPhone! So I had previously cracked my screen a month ago and now I accidentally dropped it in the toilet. I immediately took it out and dried it and it was still working for a minute but then the screen started to show lines. I then turned it off and then put it into rice.
![]()
This should naturally cause concern for everyone who cares about their privacy.But I’m going to try to sort out what the real concerns are, and what you can do to to better protect yourself. Cracking passcodesEven though your 1Password data remains protected, tools like XRY or do represent a threat to the secrecy of other data stored on your device. Furthermore, most people will have weaker 1Password Master Passwords on their phones than they will on their desktop systems.
This means that we do need to be a bit more concerned about what happens if people steal your encrypted 1Password data from your iOS device than if they steal your encrypted 1Password data from your desktop or Dropbox. Therefore it is worth spending a bit of time talking about device passcodes and the security of your iOS device in general.Note that when I talk about your “device passcode” I’m talking about the passcode that is used to unlock your iPhone, iPad or iPod touch in the first place (assuming you set one, of course). I am not talking about your 1Password unlock code or master password. Those are different things. The tools described are all about breaking the device passcode and what can be done once that is available.First, these tools jailbreak the device. This allows the user to then run a brute force attack on the device passcode.
That attack must be run on the phone itself because it is tied to a unique device key. You may think that running through all of the passcodes, 0000—9999 would just take a fraction of a second, and under normal circumstances you would be absolutely correct.
But Apple has protected the passcode with, which forces each trial to perform thousands of complex computations. Although things will differ from device to device, Apple appears to have tuned things so that it takes about one quarter of a second to process a single guess.Without having hands on experience with XRY I can’t be absolutely certain of this, but I strongly suspect that the reason that it was able to discover the passcode so quickly in the demonstration was because the passcode was “0000”. That is, “0000” may be the first passcode it tried. At four guesses per second, it would take about 40 minutes to try all possibilities, with an average break time of 20 minutes. As we’ve seen, sometimes it can hit upon the correct guess quickly, but in other cases it may take the full 40 minutes.
Not so simple passcodes. Twenty minutes to break into your device is still too quick for many of us to be comfortable with. Fortunately it is easy to set a longer passcode on your device. Launch the Settings app and go to General Passcode Lock. You will be asked to re-enter your passcode at this point; after all, you wouldn’t want anyone who picks up your unlocked phone to be able to fiddle with its security settings.
Once you’ve done that, you will have a screen with lots of options. One is called “Simple Passcode”—switch that to “Off” (the Simple Passcode means using a simple 4-digit number). Once you switch Simple Passcode to “Off” you can have longer and more complex passcodes.
Let’s suppose that you wanted to use a six digit passcode. It would take almost three days to attempt all one million possible six digit passcodes. The average crack time would be half that, at about 35 hours. All the while, the phone needs to be attached to the attacker’s computer. For an eight digit passcode, it would take on average about four and a half months to crack. Each additional digit multiplies the attack time by ten.If you want to use just lowercase letters and the space key, then with a five letter passcode it would take about three weeks to guess, and for six lowercase letters it would take about a year and a half on average.
Each additional letter (or space) multiplies the crack time by 27.The table below gives some sample average crack times. Assuming that your passcode is random, I count 27 possible lowercase “letters” (26 letters, plus the spacebar) and 53 mixed case “letters” (52 letters, plus the space bar). Although we don’t know how XRY guesses, Elcomsoft has previously advertised that when confronted with a non-simple passcode, their system will try some commonly used non-simple passwords first. So what kind of passcode is right for me?When trying to figure out what the best kind of passcode works for you, there are a couple of things to keep in mind.
The first one is that for someone to launch this attack they need to be in full possession of your phone during the whole time. The attacker can’t just grab your phone briefly and then do the rest of the attack later. So you need to think realistically about how much time and effort someone would put into getting at your data.Also remember that this is just to get at your device’s passcode. It is not about your 1Password data which is protected separately in a number of ways, including your Master Password.You must consider how easy the passcode is for you to enter.
One very convenient feature of iOS is that if your passcode is digits only, you will be presented with a numeric keypad, making it much easier and quicker to enter. Likewise, if you keep your passphrase to lowercase letters only, you don’t have to shift keyboards.
The passcode that I’ve personally been using falls into the ‘months to crack’ category. Your choice may be different.
What about 1Password data?Your 1Password data is protected by several layers, the device passcode is only one of them. IOS prevents one application from seeing the data belonging to another application on the device. This can also be a layer of defense, but it is not one which will withstand most jailbreaks.So finally we come to your 1Password Master Password for the data on your device.
This is the final layer of protection. Note that if you use a 4-digit 1Password unlock code, it is just a convenience feature to allow you to do some things within 1Password without having to enter your full Master Password; it is not intended to be a meaningful layer of security.Put simply: you should use the longest master password on your device that you are comfortable typing regularly. If it is a real chore to type, you won’t use 1Password enough to get its security benefits. Because typing on a desktop system, an iPhone, and an iPad are very different experiences, we have set things up so that you can have a different Master Password for each.
The Master Password that I use on Mac and Windows is complex enough to be entirely unusable on an iPhone. This means, however, that my Master Password on my iPhone and iPad are substantially weaker than what I use on the desktops, which brings us back to why I am concerned with overall security of iOS devices.As we’ve often said before,. So look for further security enhancements in 1Password for iOS in the not too distant future. As usual, I don’t want to say anything more specific until this is delivered.
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2023
Categories |