iPhone and Android passcodes can be bypassed within seconds

By on March 28, 2012, 4:00 PM

Swedish security firm Micro Systemation has demonstrated how simple it is to defeat lock screen passcode mechanisms on both iPhone OS and Android devices. To do it, the company shows off its own security tool called XRY, a utility used by law enforcement, military personnel and even the FBI for this very purpose.

In the company's demonstration, the hack takes less than a couple of minutes from getting set up to completion. The actual cracking itself takes only seconds, but the passcode-breaking mechanism is a brute force attack. The PIN used in the demonstration is "0000", which is likely to be the first number guessed, thus giving us the quickest possible result. A code like "9945" may take considerably longer.

The software not only cracks passcode locks, but can also extract data from locked phones. It is able to copy and decrypt GPS location history, call logs, contacts, texts and even keystroke logs. 

XRY is based on a jailbreak-like method of gaining unsanctioned access to mobile devices. Instead of using official backdoors, which are sometimes left by manufacturers, the company exploits security flaws found in the OS itself. Leveraging these exploits, the software is able to inject code into the device, which gives XRY unfettered access to the system, not unlike jailbreaking tools like ac1dsn0w or redsn0w.

In fact, finding exploits in every mobile OS update is what about half of Micro Systemation's 75 employees do.

The phone and tablet hacking tool sports a fairly intuitive interface, allowing individuals to use it successfully with minimal training. This sounds particularly useful for law enforcement and other agencies with limited monetary and technical resources.

As we've all heard, the legality of jailbreaking is on thin ice. However, when authorities are using tools like XRY to crack criminals' smartphones, that seems to raise some red flags.

"If police have a warrant to be in the phone, this is just a way to get access to what they’re legally allowed to," Fakhoury says of the XRY tool. "But if they’re going to a protest and seizing folks for booking, and immediately running this on their phones and sucking everything out, we’ve got a real problem."

Source: Forbes

Micro Systemation claims its largest XRY client is the U.S. Military. "When people aren't wearing uniforms, looking at mobile phones to identify people is quite helpful," Dickinson explained as a potential scenario.




User Comments: 9

hahahanoobs said:

iPhone and Android passcodes can be bypassed within seconds by law enforcement agencies.

*fixed*

Guest said:

Turn Simple Passcode off in iOS, good luck cracking it.

Guest said:

How well does it work when the device is encrypted? My tablet and phone (both Android) are fully encrypted... also I don't use a simple PIN. I have a full password on my tablet. How does the software stack up then? Curious for my own sake...

Guest said:

seriously....4 digit password are you kidding me "sounds like something a ***** would have on his luggage"(spaceballs movie).

My cat could break 4 digits. I'm unimpressed with this software, and depressed that anyone would use simple passwords on their mobile device (sigh).

Guest said:

If I remember correctly, my iphone is set to delete all data after a few unsuccessful attempts, how that works for brute force method I wonder?

So many unanswered questions!

Twixtea said:

Guest said:

If I remember correctly, my iphone is set to delete all data after a few unsuccessful attempts, how that works for brute force method I wonder?

So many unanswered questions!

Haha, if I were your friend and knew that, I would have tried random password and deleted all your files and said ''I didn't know''

Guest said:

This is stupid, why? Because governments are already listening to you while you're talking, messaging, using GPS or browsing the internet! Everything you have on your phone, mobile companies have it!

DanUK said:

Twixtea said:

Guest said:

If I remember correctly, my iphone is set to delete all data after a few unsuccessful attempts, how that works for brute force method I wonder?

So many unanswered questions!

Haha, if I were your friend and knew that, I would have tried random password and deleted all your files and said ''I didn't know''

+1 !

Having your iphone delete all data after a few unsuccessful attempts sounds so paranoid hah.

Camikazi said:

DanUK said:

Having your iphone delete all data after a few unsuccessful attempts sounds so paranoid hah.

Better to have it auto delete if you lose your phone than to have a random person have all your contacts and information. I have a program on my phone that does the same, it also has an option that will let me manually delete all information with a text message with the right info sent to it.
