Archive for March, 2015

Security professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen in on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.”

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8-character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it could be a better trade-off than the venerable but broken 4-digit PIN.
