Motorola has unveiled an accessory for its new Moto X smartphone that its marketers claim “provides all the benefits of a PIN without the hassle.” That claim is only half right, but you wouldn’t know it from a blog post introducing the Motorola Skip and all the headlines that followed. Left out of the coverage are some key protections people may lose when using the thumb-sized clip.
Yes, the wearable fob, when electronically paired with a Moto X, instantly unlocks phones with a simple tap, skipping the step of first entering a personal identification number or swiping a pattern. Making things even easier are three “dots” that accompany the clip and can be affixed to desks, bedside tables, and other trusted zones. Paired phones can be unlocked by tapping them on the tiny stickers—again, with no PIN or pattern required. Assuming it takes 2.3 seconds each time a four-digit PIN is entered and people unlock their phones from 39 to 100 times each day—as Motorola figures claim—a device like Skip can save huge amounts of time over the lifetime of a phone.
But as is almost always the case with security, the added convenience comes with a cost. In exchange for making things easier, people who use Skip may be vulnerable to several threats that are impractical against mobile devices protected only by old-fashioned personal identification numbers.
The problem with wearing something that opens up your phone or having a dot that will open it arises from the greatly decreased security. Anyone who gets your phone and the wearable fob can get into your phone.
Someone who gets your smartphone can get a whole lot more information than just phone numbers. People connect to their banks, to their email, to their books using their smartphone.
Apple makes it really easy to make our phones very secure from examination.
At the heart of Apple’s security architecture is the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a U.S. government standard in 2001. After more than a decade of exhaustive analysis, AES is widely regarded as unbreakable. The algorithm is so strong that no computer imaginable for the foreseeable future—even a quantum computer—would be able to crack a truly random 256-bit AES key. The National Security Agency has approved AES-256 for storing top-secret data.
A unique encryption key is hardwired into every iPhone. So no one can get your data without also having the phone. And to protect that key, Apple allows us to create a PIN code – the password you have to enter to unlock the phone.
The only way to then get the encryption key that will decrypt all the data is to break your lock code. But each guess has to be run under iOS on an iPhone in order to unlock the encryption key. And iOS allows only one attempt to unlock the phone every 80 milliseconds.
If you use a simple 4 digit passcode, which has 10,000 combinations, then it would take about 800 seconds to go through every combination. On average it would take half that time – 400 seconds or about 7 minutes.
But Apple lets you use longer codes and ones that include letters and symbols. You can use a passcode 37 characters long using any of 114 different characters.
Now the amount of time to brute force becomes simply astronomical with even a small password. A 10 character code has 7,300,000,000,000,000,000 possible combinations. At 80 milliseconds per attempt, that works out to 18 billion years for all combinations or perhaps 9 billion on average.
Even if someone figured out how to do checks faster than every 80 milliseconds, it would take a Class F attack (1,000,000,000 attempts per second) almost 3 months.
No one is brute forcing a 10 character code on an iPhone. They will only get it if Apple has a backdoor that will let them.
And it does look like Apple has some sort of way around this (my guess is they can pull out what the hardware encryption key is if they have the serial number), but they are requiring police to specifically ask.
I do not see them giving blanket access to their servers. I can see how a specific warrant will get them to release the key.
However, thousands of requests only means that the time to get the keys will increase. The article talks about 7 weeks.
So be sure to lock your iPhone with a long password.