Mobile Password Protection

  • Comments posted to this topic are about the item Mobile Password Protection

  • Does the password encrypt the critical data files on the iPhone, or is it just a means to prevent someone from accessing the folders via the operating system?

    If the data isn't encrypted, it seems a law enforcement agency with a warrant should be able to have one of their tech guys pop open the phone and stick the flash card (memory chip or whatever) into an external reader without having to turn to a 3rd party company for assistance.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • This is simply a specific instance of the generalized case of offsite remote access/offsite data storage, combined with what are often some of the least useful "security" measures ever kludged together.

    As always, evaluate what threat resources you must mitigate, what threats you wish to mitigate, and which threats you are not mitigating.

    Evaluate what laws and regulations you must follow, and what best practices you wish to follow.

    No Insider vs. One Insider vs. Multiple Insider

    Single top end machine ($2500, outfitted optimally) vs ten ($25k) vs. a thousand ($2.5m) vs. a first world government

    Realtime online attacks vs. offline attacks.

    Unskilled vs. moderately skilled vs. expertly skilled

    Vandalism vs. data theft vs. data theft plus vandalism

    Note that your average teenage cracker is going to fall into Single top end machine, both realtime and offline attacks, moderately to expertly skilled, and whatever they feel like. At least one may well find it amusing to devote several weeks of computer power to it... and they may have friends who feel like joining them. Late teen/early twenties crackers may have access to scores of machines; we call them college computer labs, and at night, it's not difficult to get around 100 machines trying to crack a specific piece of data. 30 or more may have serious graphics cards, as well.

    Then stop thinking in terms of what you'd like the threat to do or not do, and what you hope they might do or not do, and instead think in terms of what the threat can do.

    As far as mobile devices with a 4 digit password, we will generously assume the following:

    No Insider, Less than a single machine, offline attacks, moderately skilled.

    A) Take the battery out of your phone - no remote wipe.

    B) Take it out of contact range; perhaps a basement or inside a sheet metal shed - no more remote wipe even with a battery in.

    C) If the data's on any standard storage, make an offline copy first (which lets them bypass any password lockout and ignore any remote or auto-wipe with multiple bad passwords you might have).

    D) If your password isn't an encryption password... they _already_ have all your data.

    E) If your password is an encryption password, even trying _by hand_ at a try every 2 seconds, with 12 characters possible for each of 4 places with replacement, it's less than 12 hours.

    E1) With a computer trying, the time will likely be near zero. Note that step C means the attempts will be made offline; no delay the phone itself puts in will be active (or, if computational, significant on the more powerful processor).

    Yes, remote wipe is valuable; but only if you do so before an attacker gets the phone and removes the battery/wraps it in aluminum foil inside a ziplock bag inside a metal cookie tin.

    Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?
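An added example, not from this thread, of the post's points C through E1: a handset that wipes after ten bad PINs stops online guessing, but a copy of its storage taken first can be searched with no counter running. Everything here is constructed for the demo (the PIN 1234, the sample secret, the toy XOR cipher and the tiny PBKDF2 iteration count).

```python
import hashlib
import os
from itertools import product

# Constructed demo: a 4-digit PIN is stretched with PBKDF2-HMAC-SHA256 into the key.
# ITERATIONS is tiny so the exhaustive search below finishes in well under a second.
ITERATIONS = 100
PIN_ALPHABET, PIN_LENGTH = "0123456789", 4

def derive_key(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)

def xor(data, key):  # toy stream cipher standing in for the device's file encryption
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class Handset:  # online unlock path: counts failures, wipes after max_failures
    def __init__(self, pin, secret, max_failures=10):
        self.salt = os.urandom(16)
        key = derive_key(pin, self.salt)
        self.verifier = hashlib.sha256(key).digest()  # lets the device recognise the right PIN
        self.ciphertext = xor(secret, key)
        self.max_failures, self.failures, self.wiped = max_failures, 0, False

    def unlock(self, pin):
        if self.wiped:
            return None
        key = derive_key(pin, self.salt)
        if hashlib.sha256(key).digest() == self.verifier:
            return xor(self.ciphertext, key)
        self.failures += 1
        if self.failures >= self.max_failures:
            self.ciphertext, self.wiped = b"", True  # "wipe after ten failed attempts"
        return None

def offline_search(salt, verifier, ciphertext):
    """Step C from the post: work on a copy of storage, so the handset's counter never runs.
    Returns (pin, plaintext, attempts); at most 10**4 attempts for a 4-digit PIN."""
    attempts = 0
    for digits in product(PIN_ALPHABET, repeat=PIN_LENGTH):
        attempts += 1
        key = derive_key("".join(digits), salt)
        if hashlib.sha256(key).digest() == verifier:
            return "".join(digits), xor(ciphertext, key), attempts
    return None, None, attempts

def demo():
    h = Handset("1234", b"contact list and work mailbox")  # constructed sample data
    copy = (h.salt, h.verifier, h.ciphertext)  # image taken before any guessing (step C)
    for wrong in range(10):
        h.unlock(f"{wrong:04d}")  # ten online misses trip the wipe; data on the handset is gone
    return h.wiped, offline_search(*copy)
```

The lockout only protects the copy that lives on the handset; what raises the cost of the offline search is a key that cannot be derived from the PIN alone (for example one bound to a hardware secret) or a much larger keyspace than four digits.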

  • Nadrek (5/7/2012)


    Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?

    Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.

  • Steve Jones - SSC Editor (5/7/2012)


    Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.

    I assume that's at most an hour or so after you've both realized and reported you've lost control?

  • If a thief gained access to someone's smart phone, I'm sure they would be more than just a little curious about what kind of junk would be stored on it. Maybe screw around with it for a few days before flipping it at a pawn shop or 3rd party crook. They could send an email to everyone on the victim's contact book with a crazy story about being detained in a Mexican jail on bogus drug charges and ask them to pleeez wire some money ASAP. Imagine the possibilities...

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )

  • LadyRuna (5/7/2012)


    From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )

    Similar in concept to a lock on a filing cabinet; it's enough to block casual snoopers from screwing around with your phone, if you leave it lying around somewhere at work or at the pool. When my daughter was six years old, she got hold of my wife's iPhone and downloaded several Justin Bieber music tracks for $1.99 a pop. I think she started out wanting to play some video game, but then started clicking on advertisement links.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • LadyRuna (5/7/2012)


    From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )

    All serious key entry password systems use randomized keypads; the old way used red 7 segment LCD displays under each button, and the new way uses the regular device touchscreen, like the Datalocker portable USB drive does. Thus, even seeing the very latest fingerprint pattern shouldn't* help determine either what numbers were in which place at the time it was done, nor help figure out where they'll be next time.

    *Unless someone uses a poor random number generator or seed.
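An added example, not from this thread or from any product it mentions, of the randomized keypad the post describes together with the footnote's failure mode: a layout drawn from the OS CSPRNG cannot be reconstructed from screen smudges, while one seeded from the clock can be regenerated by anyone who knows roughly when the phone was unlocked. The function names and the PIN 2580 are constructed for the demo.

```python
import random
import secrets

DIGITS = "0123456789"
FIXED_LAYOUT = list(DIGITS)  # ordinary keypad: key position i always shows digit i

def random_layout():
    """Layout for one unlock, layout[position] = digit drawn at that key.
    secrets.SystemRandom reads the OS CSPRNG, so one layout says nothing about the next."""
    layout = list(DIGITS)
    secrets.SystemRandom().shuffle(layout)
    return layout

def weak_layout(unlock_time_seconds):
    """The footnote's failure mode: a PRNG seeded from the clock. Anyone who knows
    roughly when the phone was unlocked can regenerate the very same layout."""
    layout = list(DIGITS)
    random.Random(unlock_time_seconds).shuffle(layout)
    return layout

def touched_positions(layout, pin):
    """Key positions pressed to enter pin: all that a smudge pattern can reveal."""
    return [layout.index(d) for d in pin]

def decode(layout, positions):
    return "".join(layout[p] for p in positions)

def smudge_recovers_pin(pin, entry_layout, assumed_layout):
    """Reading the smudges under the layout the observer assumes: do they yield the PIN?"""
    return decode(assumed_layout, touched_positions(entry_layout, pin)) == pin

def recovery_rate(pin, trials=200):
    """Fraction of trials where smudges from one CSPRNG layout, read under the next
    unlock's fresh layout, give the PIN (about 1/5040 for a distinct-digit PIN)."""
    hits = sum(smudge_recovers_pin(pin, random_layout(), random_layout()) for _ in range(trials))
    return hits / trials
```

A deployment check that follows from this: generating two layouts from the same clock value and getting identical results is the weak-seed case; independent draws from the CSPRNG should almost never agree.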

  • Nadrek (5/7/2012)


    Steve Jones - SSC Editor (5/7/2012)


    Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.

    I assume that's at most an hour or so after you've both realized and reported you've lost control?

    Yes, though in practice, I think most people that use their phones heavily know they've lost them quickly. Your scenario definitely means that a targeted attack will likely succeed, but in most cases, losses occur from random thievery or chance.

    I've had more than a few friends realize their phone is gone inside minutes, and they spend tens of minutes (usually 30-40) looking for it before calling it in. Remote wipes occur relatively quickly, but it's a help desk ticket. It processes, and if it ever connects to the network, it's wiped.

    Not perfect, but then most crimes aren't perfect either, and with a little protection, the casual problems are mostly handled.

  • Guys,

    This topic made me think about how much personal stuff (never mind the work databases!!!) is on my iPhone that I wouldn't want anyone else to see. I looked at the remote wipe comments and realised that (a) I can't really afford a decent option and (b) it probably wouldn't work in time.

    Then I found that, on the iPhone, you can get it to do a wipe after ten failed attempts. As I backup my phone on iTunes, this fixes it for me. 🙂

    Hope this helps someone else,

    Kerry Hood

  • Personally, I don't own an iPhone, Android device, or whatever. If I did, I'd keep my Hotmail or Gmail account stuff in the cloud and not have it setup to download emails to the phone. There are some remote console client software available for smart phones that would allow one to access their desktop, which would be cool for a DBA or tech support guy who can be on-call 24x7. I think that's the best way to use a smart phone, just as a thin client with minimal local storage and keep your sensitive data in a cloud service or a remote PC locked in a closet somewhere. If someone steals the phone, then all they get is a piece of metal and plastic; no sensitive or irreplaceable data.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (5/9/2012)


    Personally, I don't own an iPhone, Android device, or whatever. If I did, I'd keep my Hotmail or Gmail account stuff in the cloud and not have it setup to download emails to the phone.

    Fair enough, and that will work for you, but that isn't the reality for most people, so it does pay to think about what you can do to secure things for clients, customers, etc. that won't do that.
