Cracking Smartphone Passwords

Friday, March 30, 2012 @ 03:03 PM gHale

For those thinking their smartphone is secure, watch out for a new application that can crack the four-digit password on Apple’s iPhone in almost no time flat.

A passcode on one of these increasingly popular smartphones can probably keep a regular person who finds the device from breaking into it. However, software from Sweden’s Micro Systemation, which the company sells to law enforcement agencies, can break the code on an iPhone or on a smartphone running Google’s Android mobile operating system within minutes.

Micro Systemation’s XRY essentially jailbreaks the device in the same manner that regular jailbreakers do, officials said. It then runs every combination of four-digit passcodes (there are 10,000 of them) until it hits the right one. Once that happens, the attacker can get to all the data on the phone, the company said.

The data — from call logs and contacts to messages, files and GPS location — goes to a PC, where it is decrypted and then displayed.

There are no “back doors” left open by the device manufacturers that XRY exploits, said Micro Systemation Marketing Director Mike Dickinson. Instead, the application finds the same security flaws regular jailbreakers do when they seek to get around restrictions on which applications can be downloaded onto the smartphone.

The company spends a lot of time on finding these security flaws, Dickinson said — half of Micro Systemation’s 75 employees are in research and development.

“Every week, a new phone comes out with a different operating system, and we have to reverse-engineer them,” he said. “We’re constantly chasing the market.”

The company sells its passcode-breaking products in 60 countries, with interest among law enforcement agencies, according to Micro Systemation. Police departments in the United States are customers, as are the FBI and the U.S. military, which Dickinson said is the firm’s largest customer. About 98 percent of all police departments in the United Kingdom are customers.

“It’s a massive boom industry, the growth in evidence from mobile phones,” Dickinson said. “After 20 years or so, people understand they shouldn’t do naughty things on their personal computers, but they still don’t understand that about phones. From an evidential point of view, it’s of tremendous value.”

iPhone users are strongly encouraged by Apple to put in a four-digit passcode to protect their smartphones in case their devices are lost or stolen. However, according to a survey last year by the developer of the iPhone app Big Brother Camera, users aren’t being smart about the four numbers they choose.

The 10 most common passcodes used by iPhone users accounted for 15 percent of all the passwords analyzed, Daniel Amitay said. Amitay said on his website in June 2011 that the most common passcodes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.

“Formulaic passwords are never a good idea,” Amitay said, but his analysis found most users selected easy-to-guess codes.

Out of the 204,508 codes the app sent back anonymously to Amitay, “1234” was the most commonly used, with 4.3 percent of the users. The second-most-common code was “0000,” picked by 2.6 percent of the users.
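As an added example (not from the article, Amitay or Micro Systemation), the Python sketch below shows an enrollment-time check that rejects the passcodes listed above, and estimates how much a failed-attempt limit helps given the quoted figures. The pattern rules and the even split of the shares the article does not give are assumptions of this example.

```python
# Top ten passcodes in the order the article lists them (Amitay, June 2011).
COMMON = ("1234", "0000", "2580", "1111", "5555",
          "5683", "0852", "2222", "1212", "1998")
KEYSPACE = 10_000  # four decimal digits
# 4.3% and 2.6% are the article's figures; splitting the rest of the 15%
# evenly over the other eight codes is an assumption of this example.
SHARES = [0.043, 0.026] + [(0.15 - 0.043 - 0.026) / 8] * 8


def formulaic_reason(code):
    """Return why a 4-digit passcode should be refused, or None.

    Only the deny-list comes from the article; the pattern rules below
    are assumptions added for illustration.
    """
    if len(code) != 4 or not code.isdigit():
        raise ValueError("expected exactly four digits")
    if code in COMMON:
        return "on the published top-10 list"
    digits = [int(c) for c in code]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps == {0}:
        return "single repeated digit"
    if steps in ({1}, {9}):
        return "ascending or descending run"
    if code[:2] == code[2:]:
        return "repeated pair"
    if code == code[::-1]:
        return "palindrome"
    if code[:2] in ("19", "20"):
        return "looks like a year"
    return None


def exposure_within(attempts, skewed=True):
    """Fraction of users whose code falls inside an attempt limit.

    skewed=True models the surveyed population (remaining 85% assumed
    spread evenly over the 9,990 unlisted codes); skewed=False models
    uniformly random passcodes.
    """
    attempts = max(0, min(attempts, KEYSPACE))
    if not skewed:
        return attempts / KEYSPACE
    listed = sum(SHARES[:attempts])
    unlisted = max(0, attempts - len(COMMON))
    return listed + 0.85 * unlisted / (KEYSPACE - len(COMMON))
```

With a 10-attempt limit, `exposure_within(10)` is about 0.15 for the surveyed population against 0.001 for random codes, which is why a lockout policy needs a deny-list alongside it.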

Amitay’s Big Brother Camera Security app lets owners know who could be using the smartphone without permission. The app automatically takes a photo of anyone using the iPhone with the front-mounted camera; it also collects information about the passcodes used to protect the camera app. Amitay believes there’s a strong correlation between the four-digit passcode used for the app and the one used to lock up the iPhone.