iOS passcode bug squashed once again with iOS 6.1.3 release

More than a month after security researchers pointed out a new passcode bug in iOS, Apple has patched it with the release of iOS 6.1.3. The software update, released over the air or via iTunes, is mainly aimed at addressing the security vulnerability that allowed attackers to get around an iOS device's passcode by performing a series of steps. Apple says that iOS 6.1.3 also comes with "improvements to Maps in Japan."

It was mid-February when reports began to spread that an old vulnerability in the iPhone's emergency call feature had resurfaced as part of iOS 6.1. As we wrote at that time, "[w]ith the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected." A couple weeks later, different researchers pointed out another way to get around the iPhone's lock screen based on the same vulnerability. Apple released iOS 6.1.2 in the meantime, but it did not fix the passcode bug with that update.

As rumored, however, iOS 6.1.3 does in fact address the passcode lock screen vulnerability. Since this is a security concern that could affect many iOS device users, we certainly recommend installing it as soon as you get the chance. But be warned: if you've jailbroken your iOS 6.1.x device, we're hearing that the 6.1.3 update fixes one of the security holes that enables the evasi0n jailbreak. In that case, update at your own risk.

Researchers find yet another way to get around iOS 6.1 passcode

There's a second passcode lock vulnerability in iOS 6.1, according to Vulnerability Lab CEO Benjamin Kunz Mejri (hat tip to Kaspersky Lab's threatpost). Mejri had recently outlined the vulnerability in an e-mail to the Full Disclosure list, highlighting yet another way for attackers to get past the lock screen and access a user's contacts, voicemails, and more.

As detailed by Mejri, this new bug appears to be slightly different from the one highlighted earlier this month. The two start out in a similar way—by following a set of steps that utilizes the Emergency Call function in addition to the lock/sleep button and the screenshot feature. When making an emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.

The difference between the first exploit and this one is how it can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and access the user's data without having their PIN or passcode credentials.

The top 10 passcodes you should never use on your iPhone

Are you one of the many people who are using a dangerously easy-to-guess passcode on your iPhone?

Maybe you should do something about it – sooner rather than later.

The warning comes after new research suggested that 15% of all iPhone owners use one of just ten passwords on their lock screen:

[Figure: passcode chart]

Apple iPhone app developer Daniel Amitay published the interesting research, looking at the four digit passcodes that users choose to secure their systems with.

Fortunately, he didn’t snoop on the actual passcodes used by iPhone users to lock their devices – but instead anonymously collected the codes chosen by users to secure the “Big Brother Camera Security” app he develops. In all, Amitay collected over 204,000 passcodes.

Amitay postulated that as Big Brother’s password setup and lock screen are nearly identical to the actual iPhone lock screen, the likelihood is that the passcodes used would most likely correlate with the codes used to lock iPhones.

Now, I can think of strong arguments why some people would choose different passcodes for an app than the one they use to lock their smartphone, but my hunch is that many people don’t bother.

Regardless of those quibbles – Amitay’s findings are worthy of exploring.

Some of the passcode choices that Amitay’s research has thrown up are sadly predictable. People who are choosing the likes of “1234”, “0000” and “1111” as their passcode, for instance, are doing the equivalent of locking up their cars with a piece of thin string.

Those who have chosen “0852” and “2580” aren’t doing much better – they’ve just chosen their passcode by sweeping up and down the keypad.

What I couldn’t immediately understand, however, was any rhyme or reason behind “5683” and “1998”.

Fortunately, Amitay has a theory on this. He points out that “5683” spells out “LOVE” on the keypad, and that may be why it’s so widely used.

And “1998”? Well, it turned out that 199* represented the highest frequency of choices that could represent a decade (the 1990s) – so maybe this is an indication of birth years or the year of graduating college.
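The patterns described above (repeated digits, counting runs, the 2580/0852 keypad sweep, keypad words such as LOVE, and year-like codes) can be checked at the moment a user sets a passcode. The sketch below is an added example, not Amitay's code; the function name, the three-word sample list and the 19xx/20xx year range are assumptions.

```python
import re

# Letters printed on a standard phone keypad.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

# (column, row) of each key; 0 sits below 8.
POS = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
       "4": (0, 1), "5": (1, 1), "6": (2, 1),
       "7": (0, 2), "8": (1, 2), "9": (2, 2), "0": (1, 3)}

# Constructed sample word list (assumption); use a real dictionary in practice.
WORDS = ["LOVE", "HOME", "BABY"]
WORD_CODES = {"".join(LETTER_TO_DIGIT[c] for c in w): w for w in WORDS}


def weaknesses(code):
    """Return the reasons a four-digit passcode is easy to guess (empty if none)."""
    if not re.fullmatch(r"[0-9]{4}", code):
        raise ValueError("expected exactly four digits")
    pairs = list(zip(code, code[1:]))
    reasons = []

    if len(set(code)) == 1:                        # 0000, 1111
        reasons.append("repeated digit")

    steps = {(int(b) - int(a)) % 10 for a, b in pairs}
    if steps in ({1}, {9}):                        # 1234, 4321, 7890
        reasons.append("counting sequence")

    moves = {(POS[b][0] - POS[a][0], POS[b][1] - POS[a][1]) for a, b in pairs}
    if len(moves) == 1 and moves != {(0, 0)} and max(map(abs, next(iter(moves)))) == 1:
        reasons.append("keypad sweep")             # 2580, 0852

    if re.fullmatch(r"(19|20)[0-9]{2}", code):     # assumed range for years
        reasons.append("possible year")

    if code in WORD_CODES:                         # 5683 -> LOVE
        reasons.append("spells " + WORD_CODES[code])
    return reasons


if __name__ == "__main__":
    for sample in ["1234", "0000", "2580", "0852", "5683", "1998", "7294"]:
        print(sample, weaknesses(sample) or "no listed pattern")
```

A passcode that returns an empty list has only avoided these particular patterns; a four-digit code still has just 10,000 possible values.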

I hope you’re not using an easy-to-crack passcode on your iPhone.

Maybe you should switch to using a passphrase for your phone’s security instead? At the very least that won’t restrict you to four numeric digits – so you can make things a little more complex.

If you want to turn the simple passcode off on your iPhone, click on the Settings icon, followed by General to reach the Password Lock options.

With the Simple Passcode option disabled, you’ll be able to choose a longer, more complex password which can comprise upper- and lowercase letters, numbers and even special characters.

Of course, you’ll still need to be sure you don’t choose one of the top 50 passwords you should never use.

Oh, and one final thought... What’s the 4 digit PIN you use at the bank’s ATM cash machine?