Four-digit passcodes remain a weak point in iOS 8 data encryption

Posted on by

The strength of Apples revised encryption scheme in iOS 8 hinges on users choosing a strong passcode or password, which they rarely do, according to a Princeton University fellow.

Apple beefed up the encryption in its latest mobile operating system, protecting more sensitive data and employing more protections within hardware to make it harder to access. The new system has worried U.S. authorities, who fear it may make it more difficult to obtain data for law enforcement since Apple has no access to it.

Despite the new protections, data is still vulnerable in certain circumstances, wrote Joseph Bonneau, a fellow at theCenter For Information Technology Policy at Princeton, who studies password security.

Users with any simple passcode have no security against a serious attacker whos able to start guessing with the help of the devices cryptographic processor, he wrote.

If an iPhone is seized when its turned off, its unlikely that the keys can be derived from its cryptographic co-processor called the Secure Enclave, which does the heavy lifting to enable encryption.

But if an attacker can boot the phone and get access to the Secure Enclave, it would be possible to start guessing passwords in a brute-force attack, and thats where the weakness lies.

Apple doesnt make it easy to completely copy all of the data on a device and boot it up using external firmware or another operating system, which would be an attackers first step, Bonneau wrote.

His theory of how easy it would be to obtain the data from a device is dependent on an attacker being able to bypass the complicated secure boot sequence of an iOS 8 device.

Well assume this can be defeated by finding a security hole, stealing Apples key to sign alternate code or coercing Apple into doing so, he wrote.

If that is possible, the attacker can begin guessing passcodes or passwords against the Secure Enclave. Apples documentation suggests that such guesses could be conducted at a rate of either 12 guesses per second or 1 guess every five seconds.

Read more from the original source:
Four-digit passcodes remain a weak point in iOS 8 data encryption

Related Posts
This entry was posted in $1$s. Bookmark the permalink.