Posted Sep 26, 2013 17:07 UTC (Thu) by dvdeug (subscriber, #10998)
Parent article: Security quotes of the week
As for the iPhone, bah. The face unlock on my phone can probably be beaten a similar way; I look at the phone at an angle and can see the smear left by the swipe unlock. An actual password is surely stronger, assuming no camera is watching when I type it in. Maybe someone paranoid enough can hide the phone completely every time they type in their password, but most of us aren't going to look that silly. Elcomsoft claims they can crack the encryption on iOS 5 with a 6-digit PIN in 22 hours; you want to type in a 9-digit PIN every single time you open your phone?
There are people out there who need this level of security. For most of us, securing the phone against the government or the CCC is a farce. We're simply not going to curl up into a little ball and type in a 9-digit PIN every time we want to use our phone.
I'm particularly fond of the one that arranges the buttons vertically like this:
[ 1 ]
[ 2 ]
[ 3 ]
[ 4 ]
[ 5 ]
and after you type in the code, you need to drag a slider from the top to the bottom as the final unlock step.
Simple, doesn't mess with you by reordering the buttons, and self-securing.
Posted Oct 3, 2013 3:00 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
That's still a toy. You are still going to get only a couple bytes worth of key data from this, so it can be brute-forced in a short amount of time by an attacker that can read your device hardware.
Posted Oct 3, 2013 18:59 UTC (Thu) by nybble41 (subscriber, #55106)
You're never going to get users to memorize and enter a secure key as their unlock code, but there are ways around that. Assuming you have something like a TPM, have it generate and store a secure key and use that to encrypt everything. When locking the device, tell the TPM to disable the decryption key until presented with a valid unlock code. The TPM can enforce rate limits and wipe the key (or require a more secure form of unlock) if there are too many failures; even a four-digit code can be reasonably secure if attackers only get a handful of guesses. Bypassing the unlock screen would then mean bypassing the TPM, which requires not only extended physical access but extremely expensive and specialized tools and a few unusual skills.
Posted Oct 7, 2013 10:47 UTC (Mon) by etienne (subscriber, #25256)
> store a secure key
If the secure key is stored, it can be read back - maybe using a completely different channel (external bus emulator), "they" won't even need to guess the 4-digit unlock code...
Posted Oct 7, 2013 14:52 UTC (Mon) by nybble41 (subscriber, #55106)
> If the secure key is stored, it can be read back...
TPM chips are specifically designed to protect their secure memory from external access. There is no interface to read back the key; it is generated and used entirely within the TPM.
Sure, with unlimited physical access and the proper tools (like an electron microscope) you might be able to read the key from the raw silicon, or a defect in the implementation of the TPM could leak the key through changes in timing or power consumption. Either way you'd need to fully disassemble the device and employ tools rather more sophisticated than a mere external bus emulator.
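A software model of the scheme nybble41 describes above (key generated and held inside the device, released only on a valid unlock code, wiped after too many failures), added here as an illustration and not part of the original thread. `SealedKeyModel`, `run_guessing` and the five-failure limit are assumptions made for the example; this is not a real TPM interface.

```python
import hashlib
import hmac
import os

class SealedKeyModel:
    """Software model of a hardware-gated key. Not a real TPM interface."""
    MAX_FAILURES = 5  # assumed; the thread only says "a handful of guesses"
    def __init__(self, pin: str):
        self._key = os.urandom(32)   # generated inside, never returned to callers
        self._salt = os.urandom(16)
        self._pin_tag = self._tag(pin)
        self._failures = 0
        self._unlocked = False

    def _tag(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 1000)

    @property
    def wiped(self) -> bool:
        return self._key is None

    def lock(self) -> None:
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        if self.wiped:
            return False             # nothing left to release
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self._failures, self._unlocked = 0, True
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._key, self._unlocked = None, False   # wipe on too many failures
        return False

    def use_key(self, data: bytes) -> bytes:
        """The key is used inside the model; only the HMAC result leaves it."""
        if self.wiped or not self._unlocked:
            raise PermissionError("key disabled until a valid unlock code is presented")
        return hmac.new(self._key, data, hashlib.sha256).digest()

def run_guessing(device: SealedKeyModel, digits: int) -> tuple:
    """Try codes in order until unlock or wipe; return (guesses made, unlocked)."""
    for n in range(10 ** digits):
        if device.unlock(f"{n:0{digits}d}"):
            return n + 1, True
        if device.wiped:
            return n + 1, False
    return 10 ** digits, False
```

With a four-digit code, sequential guessing ends after five attempts with the key wiped, so the guesser covers 5 of 10,000 codes instead of the whole space that an offline search over a PIN-derived key would allow.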