Thursday 13 June 2013

How Thieves Unlock Passcodes on Stolen iPhones (And How to Protect Yourself Against It)

Last year, iOS developer Daniel Amitay developed a camera security app for iPhones that used an unlock screen almost identical to that of the iPhone. From this now-nonexistent app, Amitay recorded the passwordsanonymously that users typed in, and these were the results:
These ten iPhone passcodes make up 15% of the 200,000 passcodes that his application recorded. The most popular code was "1234", which almost 9,000 people used. The rest of the codes are either very simple (0000), create a pattern (2580) ,or in the case of "5683", make up a word (LOVE).

Using Brute Force to Bypass the iPhone Lock Screen

These results are staggering, because according to this study, these ten codes are used by 1 out of 7 iPhone users. Merely attempting these 10 passcodes gives you a pretty high chance of getting into someone's iPhone.
Your chances can exponentially increase if you know the owner of the iPhone well. Many people use 4-digit pins that they are familiar with: birthdays, anniversaries, addresses, the last four of their social security numbers, and even the last 4 digits of their own phone number. iPhone users unlock their cell phones dozens of times a day, making a simple and memorable passcode beneficial.
You have 6 tries to access the phone before you'll see the red "try again" warning, and then a few more before the phone is disabled, so that gives plenty of chances for a good brute-forcer to gain access.
Even if you see the disabled screen, you still can hack into it. Scroll down to the Completely Resetting the iPhone with iTunes section for more info.
Protect Yourself
Much like any PIN (i.e. debit cards), you need to make it hard to guess by thieves.
  • Don't choose any of the ten passcodes listed above.
  • Don't use any important dates or any other numbers that can be linked back to you.
  • Steer away from passcodes that make shapes, like "1397" or "7139" (a square).
  • Instead of an easy 4-digit number, choose an alphanumeric code. Go to Settings -> General -> Passcode Lock -> Turn Simple Passcode Off, then enter a new alphanumeric passcode.

Using Siri to Bypass the iPhone Lock Screen

You can use Siri to bypass any code on the iPhone 4s and 5, but only to a certain extent, and only if the user has allowed Siri access when the phone is locked. If so, you can just press down on the home button and ask Siri to make a phone call, send a text, and look through notes. Simple stuff. You can't use Siri for things like looking through email, contacts, or the internet.
Protect Yourself
You can protect yourself from this by deactivating Siri while the phone is locked. Do this by going to Settings -> General -> Passcode Lock -> Turn Siri Off.

Completely Resetting the iPhone with iTunes

Resetting your iPhone can bypass the passcode, but will delete everything on the phone. This can come in handy if you forget your passcode and have everything backed up on your iTunes. So, if you get a message like this when connecting the device to iTunes...
You'll need to restore your iPhone back to factory settings:
  • Connect the USB cord to your computer and open iTunes.
  • Press and hold the Home and Power button to turn off the device.
  • Press and continue to hold the Home button while you reconnect the USB cable to your iPhone. This will turn it back on.
  • Continue to hold the Home button until an alert message in iTunes appears that an iPhone in recovery mode has been detected.
  • Now that the iPhone is in recovery mode, you must restore the device.
  • From iTunes, look under the “Summary” tab.
  • Click on the “Restore” button within iTunes.
This will take off the passcode, but will delete everything on the phone. Make sure to back up your iPhone at least once beforehand, or it will wipe to factory settings.
Protect Yourself
It's tough to protect yourself from a hard reset, especially if your phone is stolen. What you can do is to make sure that Find My iPhone is turned on. That way you cannot only track where the iPhone is, but also remotely delete all the information before someone has a chance to bypass the passcode, granted they don't just turn the device off and sell it for parts.

Using Passcode Hacking Apps

You can unlock the phone using redsn0w, which also jailbreaks the iPhone without deleting anything. This article has a video that shows how to install redsn0w on any iPhone with iOS 5, while this one will show you how to do it on iOS 6 devices. It bypasses the code and doesn't delete any of the information stored on the iPhone.
You can also use a program called Gecko iPhone Kit (for iOS 5), which can be downloaded here. This will actually give you the code and doesn't jailbreak or delete anything from the iPhone. Below is a video tutorial of this process.

Have you found another way to gain access to the lock screen on your iPhone? Let us know.
Photo by NakedSecurityIncase

No comments:

Post a Comment