[Swordmaker]

It took them awhile, but iOS 13 will be out soon and will block it again. This means if you are really concerned about your iPhone/iPad security, use an alphanumeric and symbolic passcode of at least seven characters. This will block even Cellebrite’s system from cracking into your device. Cellebrite still uses a brute force approach to find your passcode, but we are talking about ~869,600,000 years to try all possible combinations of just seven characters of the 223 available from the iPhone’s virtual keyboard at one attempt every second. If I recall correctly, even bypassing the countdown clock, the Secure Enclave limits each attempt to 1.4 seconds so it’s even longer than that. Perhaps you could get by with only six, if you want them to give up during the life span of the Age, only ~3,900,000 years.

[Swordmaker]

Cellebrite claimed they can again break into iPhones and iPads. Now iOS 12.3 vulnerable. . . —PING!

APPLE SECURITY PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

[ConservativeMind]

So you are claiming Cellebrite can’t try all the same numbers and letters on iOS 12.3.1?

[House Atreides]

It’s a mystery to me that more people don’t use (more than six) alpha/numeric/symbol characters in their passcode. It just takes a couple seconds longer.

[ConservativeMind]

Folks, what Swordmaker does not understand is that what Cellebrite is using is not brute force on anything iOS 12.3 and under, but it’s using exploits against vulnerabilities.

In short, even if you have a 20 character password, the exploit gets around that.

Brute force is only used when exploits do not allow cracking the phone.

[Squantos]

check .... iOS 13 ? When ?

[moovova]

I imagine from the first second a new iPhone or updated iOS system is out, someone somewhere is throwing everything they have at it...just so they can tweet out that they’ve broken it.

[TheBattman]

I’m curious how their brute force attack can even run - since iOS flips its lid after only a few incorrect attempts...

[Natty Bumppo@frontier.net]

Celebrite requires the user to have physical access to the phone.

Apple provides a way for the user to erase the phone before surrendering it, but it takes some time to execute.

The Find iPhone app allows for the user to remotely erase the phone, providing the phone is on and still connected to a network.

Apple also allows the user to set the phone for automatic erasure after 10 failed passcode attempts, which will defeat any brute force attack.

Compared to the rest of the market, Mac OS and iOS devices are damnably difficult to hack. Market prices for successful exploits reflect this. Apple exploits are orders of magnitude more costly.

HOWEVER, the Achilles heel for ALL devices using cellular communications is the Control Channel in cellular communications systems. To allow for roaming and interoperability among various vendors and systems, it is wide-open, unsecured, simple to access, and readily comprehended.

Those vulnerabilities will not permit access to your device, but they can monitor, capture, and spoof all incoming and outgoing traffic, as well as track your location.

There is nothing Apple, or any other cell phone vendor can do to close those vulnerabilities. They are the responsibility of the cellular providers, who have no real incentive to fix them.