The exact circumstances around the search are not known. But activist Samuel Tunick is charged with deleting data from a Google Pixel before CBP’s Tactical Terrorism Response Team could search it.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.
Curious, how does that work? 10000 possibilities aren’t many but you get 30s break every 3 failed attempts then 5 more then its every single failed attempts so that’d be ~5000minutes so that’s about 3 days. Assuming they get “lucky” it’s about 1.5 day. I don’t know though what happens after 20 failed attempts, maybe it’s 1min break or 20min break.
Basically, does PIN bruteforcing actually work and if so on what timeframe?
Data Visualization of the Most Common PIN Numbers https://kottke.org/24/05/data-visualization-of-the-most-common-pin-numbers
I think my phone will actually wipe after a certain number of failed password attempts. I’d like to say 20, but I’m not certain.
Ah no it relies on either the battery drain method or another exploit that gives you a much higher rate without tripping the device.
I haven’t kept up with the CVEs for this, and I’m sure both Apple and Android have patched several, but for a while police forensics have had access to an AIO cracker tool made by a company that afaik never disclosed these CVEs for the sole purpose of keeping a method of PIN bruteforcing viable.
I think Apple has fixed this, but they would remove the battery, hook it up to external power. When unlocking, there was a pause/dimming on the phone to show it was wrong, and the computer hacking it would kill the power before the phone wrote that there was a bogus attempt, so you got infinite attempts.
I don’t think infinite attempts is the issue, I think the timing of those attempts is what practically limit the usefulness of the attack. Here in the Apple example I imagine rebooting the phone takes longer than 30s. Also if one goes to the length of removing the battery of an iPhone to crack it, this is a pretty serious attempt. One better have proper protections in place.
There’s no 30 second rest on my phone. They have 3 tries.
3 tries then what, data wipeout?
Yup
It also depends wha kind of password. I know some phones allow longer than 4 digits, and some offer alphanumeric.
I don’t think that matters as much as the delay because with brute force you can precisely go through a LOT of possibilities so the practical aspect is the attempt frequency. Even 1 number if it’s 1 attempt per decade is enough to prevent intrusion.