Security researcher bypasses iPhone’s limit on passcode attempts

Security researcher bypasses iPhone’s limit on passcode attempts

https://ift.tt/2K2U9Ka


Shutterstock / ymgerman

It’s not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device’s data altogether. That’s why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter’s iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device’s security measures, even if it’s running the latest version of Apple’s mobile platform. Apparently, a hacker will only need “a turned on, locked phone and a Lightning cable.”

Hickey said that when an iPhone is plugged in and a hacker sends it passcode guesses using keyboard input (as opposed to typing on the screen), the action triggers an interrupt request that takes precedence over everything else. That means the iPhone would be too busy to erase the device if the attacker sends it one passcode guess after another. As a result, they can guess as many times as they want instead of being limited to 10 guesses.

Hickey said he already reported the vulnerability to Apple, noting that the bug isn’t difficult to identify and that there are probably other people who’d already found it before he did. Companies like Cellebrite, which unlocked the San Bernardino shooter’s phone for the feds, and GrayKey’s maker might even be using a similar brute force technique and taking advantage of the same bug to break into iPhones.

Cupertino might also be already aware of the vulnerability, which is why iOS 12 will feature a Restricted mode that will cut off an iPhone’s ability to connect to a USB accessory plugged into it after an hour. Since it takes much more than an hour to send a device every passcode combination possible, the new feature could prevent hackers and cracking devices from force unlocking iPhones.

Check out Hickey’s method in action below:

Tech

via Engadget http://www.engadget.com

June 23, 2018 at 01:51PM

A Major Privacy Win, a Vault 7 Indictment, and More Security News This Week

A Major Privacy Win, a Vault 7 Indictment, and More Security News This Week

https://ift.tt/2IjeGVc

What’s that? A week with nearly as much good news as bad in the world of privacy and security? It’s true! Especially the privacy part.

On Friday, the Supreme Court issued a hotly anticipated ruling in Carpenter v. United States, establishing that the government will need to get a warrant if it wants to track your location with cell sites. Meanwhile in California, it looks like residents might soon benefit from a privacy law that grants unprecedented power—in the US, anyway—over what data companies collect and what they do with it. And while this isn’t privacy related, strictly speaking, Apple’s new partnership with startup RapidSOS will push iPhone owners’ locations to dispatchers during 911 calls, saving first responders valuable minutes and almost certainly saving lives.

It’s not all sunshine and lollipops, of course. The same hacker group that meddled with the PyeongChang Olympics appears to be back, this time swinging at biochem labs in Europe. The hacking threat from China has escalated in step with trade war rhetoric. Pretty much every streaming device is vulnerable to the same type of DNS rebinding attack. Iran’s ban of encrypted messaging app Telegram has had a serious, layered impact on the country’s citizens. And deep fakes will make the already complicated issue of Twitter mob justice even more so.

But wait, there’s more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

After a public blow-up around the sharing of location data with third parties—and pressure from senator Ron Wyden—all four major US carriers have pledged to stop the practice. The change won’t happen overnight; all of these companies have long-term contracts to unwind. But it’s a rare bit of good privacy news at a time when that has seemed increasingly hard to come by.

Former CIA employee Joshua Adam Schulte was indicted this week; authorities allege that he was responsible for the devastating Vault 7 leak that revealed many of the agency’s hacking secrets. Schulte had previously been held on child pornography charges. The indictment also alleges that Schulte had surprisingly lax security practices for a CIA vet; he apparently reused a less secure password from his cell phone to protect the encrypted materials on his computer as well. He faces up to 135 years in prison.

In 2012, Google acquired VirusTotal, a site that scans online malware and viruses. This week, it announced a new spinoff product, VirusTotal Monitor, that will help app developers avoid being accidentally flagged as malware. VirusTotal already aggregates what over 70 antivirus vendors consider malware, so devs can how compare their apps against that list for a little peace of mind.

While not exactly offering you higher levels of security, the new Google Account panel on Android—to be followed later on iOS and desktop—does make it easier to see exactly what your settings are, along with a “privacy checkup” and “security setup” that nudge you toward a more locked-down online experience. It also introduces a search function to make it easier to find whatever specific aspect of your account you want to vet.


More Great WIRED Stories

Tech

via Wired Top Stories https://ift.tt/2uc60ci

June 23, 2018 at 08:39AM

A Major Privacy Win, a Vault 7 Indictment, and More Security News This Week

A Major Privacy Win, a Vault 7 Indictment, and More Security News This Week

https://ift.tt/2IjeGVc

What’s that? A week with nearly as much good news as bad in the world of privacy and security? It’s true! Especially the privacy part.

On Friday, the Supreme Court issued a hotly anticipated ruling in Carpenter v. United States, establishing that the government will need to get a warrant if it wants to track your location with cell sites. Meanwhile in California, it looks like residents might soon benefit from a privacy law that grants unprecedented power—in the US, anyway—over what data companies collect and what they do with it. And while this isn’t privacy related, strictly speaking, Apple’s new partnership with startup RapidSOS will push iPhone owners’ locations to dispatchers during 911 calls, saving first responders valuable minutes and almost certainly saving lives.

It’s not all sunshine and lollipops, of course. The same hacker group that meddled with the PyeongChang Olympics appears to be back, this time swinging at biochem labs in Europe. The hacking threat from China has escalated in step with trade war rhetoric. Pretty much every streaming device is vulnerable to the same type of DNS rebinding attack. Iran’s ban of encrypted messaging app Telegram has had a serious, layered impact on the country’s citizens. And deep fakes will make the already complicated issue of Twitter mob justice even more so.

But wait, there’s more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

After a public blow-up around the sharing of location data with third parties—and pressure from senator Ron Wyden—all four major US carriers have pledged to stop the practice. The change won’t happen overnight; all of these companies have long-term contracts to unwind. But it’s a rare bit of good privacy news at a time when that has seemed increasingly hard to come by.

Former CIA employee Joshua Adam Schulte was indicted this week; authorities allege that he was responsible for the devastating Vault 7 leak that revealed many of the agency’s hacking secrets. Schulte had previously been held on child pornography charges. The indictment also alleges that Schulte had surprisingly lax security practices for a CIA vet; he apparently reused a less secure password from his cell phone to protect the encrypted materials on his computer as well. He faces up to 135 years in prison.

In 2012, Google acquired VirusTotal, a site that scans online malware and viruses. This week, it announced a new spinoff product, VirusTotal Monitor, that will help app developers avoid being accidentally flagged as malware. VirusTotal already aggregates what over 70 antivirus vendors consider malware, so devs can how compare their apps against that list for a little peace of mind.

While not exactly offering you higher levels of security, the new Google Account panel on Android—to be followed later on iOS and desktop—does make it easier to see exactly what your settings are, along with a “privacy checkup” and “security setup” that nudge you toward a more locked-down online experience. It also introduces a search function to make it easier to find whatever specific aspect of your account you want to vet.


More Great WIRED Stories

Tech

via Wired Top Stories https://ift.tt/2uc60ci

June 23, 2018 at 08:39AM