The exact circumstances around the search are not known. But activist Samuel Tunick is charged with deleting data from a Google Pixel before CBP’s Tactical Terrorism Response Team could search it.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
I think my phone will actually wipe after a certain number of failed password attempts. I’d like to say 20, but I’m not certain.
It also depends wha kind of password. I know some phones allow longer than 4 digits, and some offer alphanumeric.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.
There’s no 30 second rest on my phone. They have 3 tries.
3 tries then what, data wipeout?
Yup
Data Visualization of the Most Common PIN Numbers https://kottke.org/24/05/data-visualization-of-the-most-common-pin-numbers
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.