Apple refutes claim of iPhone passcode hack


Apple has dismissed claims made by security researcher Matt Hickey who said he had found a way to bypass iPhone security protections to enter passcodes as many times as needed.

Hickey, co-founder of cyber security firm Hacker House, had tweeted a video on Friday showing how this can be done by sending a stream of all possible combinations to the device, which will trigger an interrupt request.


He explained that if all combinations are sent in one go using keyboard inputs while the device is plugged in instead of with pauses in between tries, it will trigger an interrupt request that takes precedence over everything else on the device.

However, Apple has since come out and refuted the claim and a spokesperson on Saturday said, "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing." 

Retracting his previous position, Hickey tweeted on Sunday that devices are still protected from brute-force attacks as not all passcodes that are being tested are sent.


This was in reference to a previous tweet by Stefan Esser, CEO of security firm Antid0te UG, where he explained that the command to erase iPhone data after 10 tries wasn’t triggered because the various combinations were all “ignored” and counted as a single try.


“The device doesn’t actually try those passcodes until you pause,” Stefan tweeted.

Aside from its initial statement, Apple has not provided any further explanations. The company is planning on including a feature called USB Restricted Mode in its upcoming iOS 12 update that will protect iPhones and iPads from USB-related exploits.


The Six-Digit iPhone Passcode now isn’t Secure; Users Recommended to Choose a Longer Alpha-Numeric Code




There is no doubt that Apple has consistently and relentlessly resorted to various ways in order to make its products more secure in the course of recent years, however the devices haven't been at any point of time, impervious . As recently Apple has expanded the iOS security after some time, the hackers and security researchers, thusly, have also stepped up and the final product is apparently an endless game wherein Apple tries to shore up security openings faster than the said programmers can misuse them.

Also, the way things are presently, it shows up as though Apple has a lot of catching up to do. For instance, Recently Cellebrite uncovered that it would now be able to access any locked iPhone running redundancy of iOS back-pedaling to iOS 5. All the more as of late, expression of another iPhone hacking machine named GrayKey started making waves on the web. GrayKey is a relatively simple device that can hack into most iPhones, the reports say.

And as anyone might expect, the device, which has a base cost of $15,000, has ended up being exceedingly favored among the law enforcement agencies.

Presently in case you're determined on keeping the contents of your iPhone protected from prying eyes, your most solid option is to utilize a password that is preferred to be longer than six digits. Furthermore, for additional security, you'd be encouraged to think of an alphanumeric password too.

The reason why is because  as indicated by Cryptographer Matthew Green of Johns Hopkins , here's to what extent it apparently takes GrayKey to crack iOS passwords of changing lengths. As confirmed in the tweet below, a 6-digit password can be cracked in around 11 hours on an average.






While longer passwords surely give an additional layer of security, but the reality is that most users will never pick a 10-digit password. And at one point, there should be a balance maintained amongst convenience and security. So, in case you're not in a situation to forfeit security for any reason, at that point you should simply try to think of a long alpha-numeric password.

While the default iOS password now remains at 6 digits, it used to be 4 a couple of years back, there is a possibility for the users to opt for a more extended alpha-numeric code. And so, to get to this alternative, go to Settings > Touch ID and Password. From that point, you would see a "Password Options" tag that should give you a chance to pick a custom alphanumeric code for your iPhone.

Israeli company says it can break into any iPhone — and can help law do the same

In a major win for US law enforcement, Israeli cyber forensics firm, Cellebrite, which is a major government contractor, claims to have found a way to break into any iPhone in the market. The company says that it can get around the security of devices running from iOS 5 to iOS 11.

The company is allegedly actively advertising to law enforcement and private forensics from across the globe.

This reportedly includes the iPhone X, which Forbes reported had been successfully breached by the Department of Homeland Security in November 2017 with suspected involvement of Cellebrite technology.

The reporter was able to dig up a warrant for the same, which notes that the department’s Cellebrite specialist performed a “forensic extraction” in December, although the exact method of unlocking the iPhone is not mentioned.

Apple has repeatedly refused to help law enforcement agencies break into iPhones, stating the need its customers’ privacy. This decision has often led to clashes between the two.

In the past, there have been various cases when law enforcement called upon Apple to provide a way to unlock the iPhones to access necessary information, even going so far as to obtain a court order to help disable to PIN feature. However, Apple has always refused.

If Cellebrite has indeed found a way to hack into iPhones, it could lead to a major change in their interactions.

Hackers lock iPhones remotely and demanding $100 to unlock it


In recent hours, a number of users from Australia had a nightmare as cyber criminals locked their devices and demanding payment of a ransom.

The locked devices show the following message "Device Hacked by Oleg Pliss" and instructs victims to send $100 dollars to lock404@hotmail.com to unlock their devices.

The cyber attack came to light, after one user from Melbourne shared his experience in Apple support forum and asked help to fix the problem.  Following his post, several users have reported of being affected by this attack.

It appears hackers used stolen Apple IDs and passwords to access iCloud account that allowed them to lock victim's devices and display a message.

What you should do? Don't pay the Ransom !
Affected users are advised to contact Apple directly to regain access to their account.  

Once you have access to your account, change the password immediately and enable two step authentication feature for your account.

iOS 7 Beta Hack allows anyone to Bypass iPhone Lockscreen


Every time Apple attempts to improve the security in the new version of iOS, it ends up with a new security bug.

Here comes another iPhone hack to bypass the iOS Lock Screen.  A Spanish iPhone users sent a video to Forbes showing how to hack the iOS 7 Beta version to bypass the iPhone Lockscreen.

The security bug can be easily reproduced by going to iOS control Room,  accessing the Phone's calculator and then accessing the phone's camera.  It is said that the bug allows to deleting, sharing the photos.

The bug has been confirmed by the Forbes. iOS 7 is still in the beta version so it's only available to those with developer accounts.

Earlier this year, we became aware that Vulnerability-Lab discovered iOS Lockscreen vulnerability that allowed anyone to access the data stored on the device.

Researchers can hack iPhone within one minute using malicious Charger


You should think twice or even thrice or even more before using someone else's charger next time your iPhone running out of battery.

Three security researchers , Billy Lau, Yeongjin Jang and Chengyu Song from the Georgia Institute of Technology found a way to hack your iPhone with a malicious charger.

The team will demonstrate the proof-of-concept of the hack at upcoming BlackHat hacker conference in late July.

Researchers claim they can compromise any iOS device within one minute of being plugged to the malicious charger.

The hack attack apparently does not require any user interaction and it works against even devices that are not jailbroken.

Reference:
http://www.blackhat.com/us-13/briefings.html#Lau

iPhone spyware can be used to capture Desktop computer Key strokes

iPhone can be used to capture the Desktop computer keystrokes.  Sounds interesting?A team of researchers at Georgia Tech demonstrated how to use the accelerometers of a smartphone to capture the Keystrokes of Desktop Computers by placing nearby.

Patrick Traynor, an assistant professor in Georgia Tech's School of Computer Science, admits that the technique is difficult to accomplish reliably but claims that the accelerometers built into modern smartphones can sense keyboard vibrations and decipher complete sentences with up to 80% accuracy.

"We first tried our experiments with an iPhone 3GS, and the results were difficult to read," said Traynor. "But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack."

Researcher posted what displayed in iPhone:

Presently the spyware cannot determine the pressing of individual keys through the iPhone's accelerometer, but "pairs of keystrokes" instead. The software determines whether the keys are on the right or left hand side of a standard QWERTY keyboard, and then whether the pair of keys are close together or far apart.

With the characteristics of each pair of keystrokes collected, it compares the results against a dictionary - where each word has been assigned similar measurements.

For example, take the word "canoe," which when typed breaks down into four keystroke pairs: "C-A, A-N, N-O and O-E." Those pairs then translate into the detection system’s code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then compared to the preloaded dictionary and yields "canoe" as the statistically probable typed word.

For understandable reasons, the technique is said to only work reliably on words which have three or more letters.

Text recovery

Henry Carter, one of the study's co-authors, explained the attack scenario that they envisaged could be used:

"The way we see this attack working is that you, the phone’s owner, would request or be asked to download an innocuous-looking application, which doesn’t ask you for the use of any suspicious phone sensors."

"Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard and start typing, it starts listening."