Three Ways to Thwart XRY's 2-Minute iPhone Passcode Hack

Smartphones are vaunted for their ease of use. But that's precisely why they can be so vulnerable to hacking software, as Micro Systemation's XRY showed last us last Wednesday.

The iPhone's default security passcode is a mere 4 digits. Four digits is incredibly weak - there are just 10,000 different combinations to try, which is nothing for a piece of software.

Back in the 1980s, teenage phone phreakers of um, my acquaintance, hacked MCI and Sprint access codes in order to make free long-distance calls. All you had to do was set your Apple II+ on auto-dial overnight and voila! you'd have several codes by the next morning.

This was despite the process being totally crude and slow. Rather than trying hundreds of codes per second, you could only try a single code per minute. And the codes were harder to hack. MCI codes were 5 digits long, while Sprint's were 8 digits, meaning there were 100,000 and 100 million combinations, respectively. Also, those codes were chosen for you. So you couldn't choose something obvious like  '0000', '1234', '1111' or any of the other codes your IT manager specifically warned you not to pick.

So to summarize my nostalgia trip: 80s hacking software = weak. 80s passcodes = stronger. Ease of hacking = still easy.

In light of that, of course today's smartphones are vulnerable.

So it's surprising how many companies who should know better don't require their users to use any passcode at all.

Jim Price is president of ICOMM Consulting Inc., which advises companies on mobile security (but does not resell any particular product). According to Price, about a third of ICOMM's corporate clients don't require PINs.

"My guess is that the XRY news will make our clients say, 'Oh boy, we don't just need to use PINs, but we need to use more sophisticated ones,'" said Price.

Bad User Experience = Good Security

There are three main approaches that experts like Price suggest could help prevent or slow down an XRY-style attack.

The tradeoff is the same. "The kludgier it is for the end user, the safer it usually is," Price said.

The most secure approach is to deny XRY a chance to steal the data. This would require keeping all corporate data, or at least the confidential data, on the server. Employees would only be able to remotely access the content via software such as Citrix Receiver.

Some law firms and other companies with "extreme" security needs are choosing this approach, said Price. But the downsides can be huge, depending on your point-of-view. You need to be connected, for one. And it can take a lot of time for those e-mails or files to be downloaded.

"Citrix Receiver doesn't provide native experiences," Philippe Winthrop, founder of the Enterprise Mobility Forum, tweeted today during an #SAPChat. For mobile phones, "the more secure it is, the harder it is to use."

Playing In the Sandbox

Another approach is to use an application-level container or "sandbox" to store confidential data. Examples would be Good Technology's secure e-mail app, or Mocana, said Scott Snyder, President and Chief Strategy Officer for Mobiquity Inc., a mobile professional services provider. (Full disclosure: these applications along with Citrix Receiver compete with the Afaria MDM software from my employer, SAP).

That app and its data is encrypted and can only be accessed by entering a strong PIN. While this does protect from the XRY hack, this, like the Citrix strategy, is inconvenient for users, who potentially have to re-type their PIN every few minutes when a new e-mail arrives.

The last approach is using Mobile Device Management (MDM) software.

MDM software can harden against XRY-style attacks while creating the least extra hassle for users.

First, "most of the MDM vendors (like Afaria, MobileIron, Airwatch) have jailbreak detection software for iOS" said Snyder. Once a jailbreak attempt is detected, the MDM software can force the phone to delete all of its data before it is compromised.

Second, MDM software can enforce longer, stronger passcodes than the 4-digit defaults. And it can also enforce a policy of automatically wiping or killing the device after too many attempts.

Third, even if data is physically extracted from the iPhone, it may still be encrypted by the MDM software, rendering it essentially unreadable.

"If something has 256-bit encryption, my belief is that there are only a handful of people in the world who can hack into that," Price said. "Even 128-bit encryption is still pretty darn secure."

For MDM software to be effective, however, IT administrators need to set aggressive 'data fading' policies that quickly kill the device upon tampering or after a period of non-communication. That's because a determined hacker will immediately put the phone into Airplane Mode, turning off all wireless communications. This prevents the iPhone from being physically tracked via its GPS chip, and the MDM software from communicating with the server.

As a result, Mobiquity's Snyder, argues that a "belt and suspenders" approach is best, one that combines MDM with app level containers like Mocana will "ensure that sensitive data is protected from spillover or attacks.”

But plenty of firms can get by with just MDM. Price's own firm, ICOMM, does.

"We ourselves rejected the sandbox approach," he said. "Because of what we do, we don't need to go that far. So we use 4-digit codes. We can wipe a phone if it's lost. We're not as aggressive as some of our clients."

**********

Despite the Twitterverse being distracted by a rather dubious holiday, some of you logged into #SAPChat on Friday at noon ET to read EMF's Philippe Winthrop and I jibber-jabber about tablets, XRY, MDM, BYOD and other enterprise mobile issues. Below are excerpts from our discussion. Next time, try to join the discussion live!

Q2: Mobile Device Management - Security

SocialKev I've heard that you can hack into an iPhone in 120 seconds or less. What does this mean for enterprise mobility?#SAPChat -12:01 PM Mar 30th, 2012

biz_mobility @ericylai would be interesting to see this be done with an iOS device that has been "protected" with a EMM solution #SAPChat -12:02 PM Mar 30th, 2012

biz_mobility @SocialKev It's all the more reason to manage and secure devices #SAPChat -12:02 PM Mar 30th, 2012

biz_mobility @SocialKev If anything, I think this is a great way to showcase the need for enterprise mobility management#SAPChat #FUD -12:03 PM Mar 30th, 2012

ericylai I actually intvued two #MDM consultants yesterday, their advice on blocking #XRY was interesting #sapchat -12:04 PM Mar 30th, 2012

biz_mobility I wonder if any of the "MDM" providers would be willing to try the test #SAPChat -12:05 PM Mar 30th, 2012

ericylai One route: Don't keep any data locally, i.e. use Citrix Receiver for everything #sapchat -12:04 PM Mar 30th, 2012

biz_mobility @ericylai but the Citrix receiver doesn't provide native experiences #SAPChat Apple doesn't like that -12:05 PM Mar 30th, 2012

ericylai But, he admitted, that was the "kludgiest" method; the second was to use a second-level app sandbox/container, like Good Technology #sapchat -12:05 PM Mar 30th, 2012

biz_mobility yes, however sandboxing does also have its pwos/cons #SAPChat -12:06 PM Mar 30th, 2012

ericylai @biz_mobility - Exactly, it's the constant balance between usability and kludginess. The more secure it is, the more hassle #sapchat -12:07 PM Mar 30th, 2012 biz_mobility the problem with sandboxing in general is that it becomes a religious debate #SAPChat -12:07 PM Mar 30th, 2012

biz_mobility @ericylai often times, the more secure it is, the harder it is to use #SAPChat -12:07 PM Mar 30th, 2012

bmkatz Guys it's not about necessarily sandboxing the app but more about protecting the data #sapchat -12:09 PM Mar 30th, 2012

bmkatz If you protect the data through encryption etc, breaking the phone doesn't get you into the data - just the phone#sapchat -12:09 PM Mar 30th, 2012

biz_mobility @bmkatz yes - this is why we need mobile information management solutions #SAPChat -12:10 PM Mar 30th, 2012

ericylai @biz_mobility Exactly, which is why #MDM might hit the sweet spot, by blocking jailbreak attempts, enforcing 7-digit PINs, etc #sapchat -12:10 PM Mar 30th, 2012

biz_mobility @ericylai yes - this is a classic example of why you need MDM #SAPChat -12:10 PM Mar 30th, 2012

ericylai @bmkatz Agree - 256-bit encryption would take months to break, typically. #MDM can provide that #sapchat -12:11 PM Mar 30th, 2012

biz_mobility but don't forget that MDM is just one component of what you need to manage mobility in the workplace#SAPChat -12:11 PM Mar 30th, 2012

bmkatz Hang on folks - #MDM doesn't jailbreak attempts - it can detect when you've JB but not prevent it from happening#sapchat -12:11 PM Mar 30th, 2012

biz_mobility @bmkatz actually MDM can't really detect 100% accurately a jailbroken device #SAPChat -12:12 PM Mar 30th, 2012

biz_mobility @ericylai but are you talking MDM or mobile security here? #SAPChat -12:11 PM Mar 30th, 2012

bmkatz @ericylai #MDM doesn't provide encryption & it's a misnomer to say it does except for a few cases, it enables enforcing encryption #SAPChat -12:12 PM Mar 30th, 2012

biz_mobility So is remote wipe/lock part of MDM? #SAPChat I think not -12:12 PM Mar 30th, 2012

bmkatz @biz_mobility #MDM in itself doesn't detect it - requires an agent on the device - which most do - and that's not foolproof #SAPChat -12:13 PM Mar 30th, 2012

biz_mobility @bmkatz agreed - and don't forget Apple took out the API for detecting jailbroken devices #SAPChat -12:14 PM Mar 30th, 2012

SocialKev @biz_mobility - which are the harder ones to use because of their high security? #SAPChat -12:08 PM Mar 30th, 2012

biz_mobility @SocialKev Not even a question of which one is better #SAPChat -12:09 PM Mar 30th, 2012

biz_mobility It's just typically, the more you secure things, the more annoying it becomes for the users #SAPChat -12:09 PM Mar 30th, 2012

Q3: Google Tablets v. Ipad SocialKev So let's hear it.. will the Google #Nexus tablet be an iPad killer? Does it stand a chance? #SAPChat -12:14 PM Mar 30th, 2012

bmkatz Better question is will Google really do a #nexus tablet or just brand one as the reference device like it did with the Xoom #sapchat -12:15 PM Mar 30th, 2012

biz_mobility Does it stand a chance? Sure it does #SAPChat-12:15 PM Mar 30th, 2012

biz_mobility What do you think would make it a killer?#SAPChat -12:15 PM Mar 30th, 2012

ericylai @socialkev I'm not optimistic about the Nexus. $199 only matches the Kindle Fire, which is still a minority taste.#sapchat -12:15 PM Mar 30th, 2012

biz_mobility iPad has a great app ecosystem right now#SAPChat -12:16 PM Mar 30th, 2012

bmkatz Until Google actually treats #Android as a platform for anything other than search and advertizing - doubtful #sapchat-12:16 PM Mar 30th, 2012

biz_mobility @bmkatz What does Google do that is not an extension of search? #SAPChat -12:16 PM Mar 30th, 2012

ericylai @bmkatz You're saying the Nexus will be a rebranded Xoom? #sapchat -12:16 PM Mar 30th, 2012

biz_mobility @ericylai It will certainly be interesting to see what happens with Motorola in the not too distant future#SAPChat -12:17 PM Mar 30th, 2012

Q4: What makes an “Ipad Killer” biz_mobility @bmkatz What do you think is necessary to make an "iPad Killer" #SAPChat -12:18 PM Mar 30th, 2012

bmkatz @ericylai I think it would be a mistake to do so but that's what they did last time, it may be an Asus tab but same idea #sapchat -12:20 PM Mar 30th, 2012

ericylai @biz_mobility An iPad Killer? This sounds like something invented in the future by SkyNet... #sapchat -12:20 PM Mar 30th, 2012

bmkatz @biz_mobility Google has to get serious about their ecosystem & they have to build the security APIs to make it work for the ent. #sapchat -12:21 PM Mar 30th, 2012

bmkatz @biz_mobility The fact that 3LM and Samsung have competing stadards and APIs that aren't the same across the devices isn't good #sapchat -12:21 PM Mar 30th, 2012

Q7: HCM & Mobility SAP_Jarret What benefits do #SAP HCM customers get paying for Sybase/Gateway that are not available in HR competitors free mobile offerings #SAPChat -12:20 PM Mar 30th, 2012

biz_mobility @SAP_Jarret there's more than one way to skin a mobile enterprise application strategy cat #SAPChat -12:21 PM Mar 30th, 2012 ericylai @SAP_Jarret I know you've got an opinion on this ;) What do you think? #sapchat -12:22 PM Mar 30th, 201

SAP_Jarret @ericylai I think #SAP needs to revisit their licensing model in order to stay competitive in the HR Technology space. #sapchat -12:25 PM Mar 30th, 2012

ericylai @SAP_Jarret I think you and the other Mentors are being heard. If it were up to me...but it's not. #sapchat -12:28 PM Mar 30th, 2012

biz_mobility @ericylai It's not your fault ;-) #SAPChat -12:28 PM Mar 30th, 2012

bmkatz No #MDM is definitely a subset of #EMM 100% agree@biz_mobility #SAPChat -12:31 PM Mar 30th, 2012

CitizenJulien @SAP_Jarret secure data transfer? #SAPChat -12:31 PM Mar 30th, 2012

biz_mobility @AmberMobile I look at MDM as monitoring the "proper" function of the device- no more....no less. #SAPChat-12:31 PM Mar 30th, 2012

bmkatz .@biz_mobility Since when is security not part of Device management - #sapchat -12:31 PM Mar 30th, 2012

biz_mobility @bmkatz security is about security #SAPChat#captainobvious -12:31 PM Mar 30th, 2012

bmkatz @biz_mobility @AmberMobile Me thinks you have confused management with monitoring there #chiefobvious#SAPChat -12:32 PM Mar 30th, 2012

Q8: Wipe & Lock Security

Why not? Pretty necessary component. "@biz_mobility: So is remote wipe/lock part of MDM? #SAPChat I think not"

biz_mobility @AmberMobile It's a question of taxonomy#SAPChat -12:21 PM Mar 30th, 2012

biz_mobility @AmberMobile No question that remote wipe/lock is critical - but it's NOT part of MDM #SAPChat -12:22 PM Mar 30th, 2012

bmkatz @biz_mobility @AmberMobile He's getting at that its part of #EMM not #MDM although he's wrong - both are device mgmt pieces #SAPChat -12:23 PM Mar 30th, 2012

biz_mobility @bmkatz Since when am I wrong? Wipe and Lock is security #SAPChat -12:23 PM Mar 30th, 2012

biz_mobility @bmkatz and how is EMM part of MDM? #SAPChat-12:24 PM Mar 30th, 2012

ericylai @biz_mobility 63.5 mln iPads sold this year is the consensus. High/low? #sapchat -12:25 PM Mar 30th, 2012

biz_mobility @ericylai I hate estimates in the mobile world because things can change on a dime #SAPChat -12:25 PM Mar 30th, 2012

biz_mobility @ericylai it's like when all those smart analysts estimated that Symbian would have 20% market share in 2015#SAPChat -12:26 PM Mar 30th, 2012

ericylai @biz_mobility Were you one of those smart analysts, when you were at Strategy Analytics? :) #sapchat -12:27 PM Mar 30th, 2012

biz_mobility RT @ericylai: @biz_mobility Were you one of those smart analysts, when you were at Strategy Analytics? :)#sapchat <-- most definitely not -12:27 PM Mar 30th, 2012

Q9: Corporate Owned Personally Enabled ericylai @biz_mobility Hey, Acronym Man what do you mean by COPEing with BYOD? #sapchat -12:32 PM Mar 30th, 2012

biz_mobility @ericylai It's my new favorite thing - Corporate Owned Personally Enabled #SAPChat -12:32 PM Mar 30th, 20

biz_mobility COPE cures many of the issues around BYOD IMO#SAPChat -12:33 PM Mar 30th, 2012

biz_mobility and in fact, it is all about the consumerization of IT #SAPChat -12:33 PM Mar 30th, 2012

ericylai Corporate-Owned, Personally-Enabled? But I thought the whole point was to JediMindTrick workers into buying themselves? #sapchat -12:33 PM Mar 30th, 2012

biz_mobility @ericylai too bad the companies keep on giving the employees money to buy the devices #SAPChat -12:34 PM Mar 30th, 2012

ericylai @biz_mobility So bold, so bold. As worker, I personally love the idea of COPE, but I'm not sure my company accountant does #sapchat -12:37 PM Mar 30th, 2012

biz_mobility RT @KmkMiller: @biz_mobility COPE is TEM problematic. <--- how so??? #SAPChat -12:37 PM Mar 30th, 2012

Q10: Tablets in General bmkatz So - I thought this was chat about Tablets... #sapchat-12:33 PM Mar 30th, 2012

bmkatz Are we going to spend any time talking about tablets?#sapchat -12:41 PM Mar 30th, 2012

ericylai @bmkatz Let's talk Phablets! I hear that Galaxy Note is doing well. I'm actually tempted. I think it's Return of the SuperPhone! #sapchat -12:42 PM Mar 30th, 2012

bmkatz So other than the i Pad what is everyone's second favorite tablet? #sapchat -12:43 PM Mar 30th, 2012

bmkatz @ericylai But i can't deal with it unless you have a headset - reminds me of the moto bricks, plus I have small hands #sapchat -12:43 PM Mar 30th, 2012

ericylai @bmkatz All I'm saying is that my pockets are big enough for Galaxy Note. And I'm fearless enough to clip on to my belt. I said it. #sapchat -12:44 PM Mar 30th, 2012

biz_mobility @bmkatz which tablets can do "true" voice?#SAPChat -12:44 PM Mar 30th, 2012

bmkatz @biz_mobility True voice versus VOIP? #sapchat -12:45 PM Mar 30th, 2012

bmkatz .@biz_mobility Other than the Note I can't think of any except for maybe the dead touchpad... #sapchat -12:46 PM Mar 30th, 2012

biz_mobility @bmkatz could the touchpad do voice? #SAPChat-12:46 PM Mar 30th, 2012

ericylai @bmkatz What is true voice? Is this as opposed to robot Cylon voice? #sapchat -12:46 PM Mar 30th, 2012

bmkatz @ericylai Ahh - so you are one of those who has the utility belt...device from each loop...LOL #sapchat -12:46 PM Mar 30th, 2012

ericylai @bmkatz You know, fanny packs are back in. So are nerds. #sapchat -12:47 PM Mar 30th, 2012

bmkatz @ericylai Nerds never went out.... #sapchat -12:48 PM Mar 30th, 2012

biz_mobility @bmkatz @ericylai is the batman of mobility#SAPChat -12:47 PM Mar 30th, 2012

ericylai @biz_mobility That makes you Robin. Leapin' Lizards!#sapchat -12:49 PM Mar 30th, 2012

William_Newman @bmkatz I am a #Motoogle person for second device m'self #SAPChat > good app marketplace -12:45 PM Mar 30th, 2012

bmkatz @William_Newman Which one do you have the original Xoom or the Xyboard (marketing person didn't think that name up) #SAPChat -12:47 PM Mar 30th, 2012

bmkatz @biz_mobility I think it pulled a blackberry thing and routed through the Pre but have to check - I do have one#sapchat -12:47 PM Mar 30th, 2012

biz_mobility @bmkatz i do think however that unified communications on a tablet is pretty cool #SAPChat -12:48 PM Mar 30th, 2012

ericylai @William_Newman What's on your mind, tablet-wise?#sapchat -12:35 PM Mar 30th, 2012

Q12: Bring Your Own Device - Is it a fad?

biz_mobility @ericylai the more I think about it, the more I think BYOD is a fad #SAPChat -12:34 PM Mar 30th, 2012

ericylai @biz_mobility "BYOD is a fad". I'm going to broadcast this everywhere that bigtime analyst Philippe W thinks BYOD is OVER #sapchat -12:35 PM Mar 30th, 2012

SocialKev @biz_mobility what makes BYOD a fad? #SAPChat-12:36 PM Mar 30th, 2012

William_Newman Most #BYOD programs offer a stipend - based on level - to fund devices, much like old PC entry program of yore #SAPChat -12:36 PM Mar 30th, 2012

biz_mobility @William_Newman Not sure why you should provide a stipend on BYOD #SAPChat -12:37 PM Mar 30th, 2012

biz_mobility kinda defeats the purpose IMO#SAPChat -12:37 PM Mar 30th, 2012

bmkatz "#BYOD isn't a fad" it's just being used incorrectly when what most people mean is #Coit #SAPChat -12:37 PM Mar 30th, 2012

William_Newman @biz_mobility usually it's to give employees an oppty to get to the app market, it's a perk fer sure and usually at the M-/D-levels #SAPchat -12:38 PM Mar 30th, 2012

biz_mobility @William_Newman mobility should be for all employees! #SAPChat #FTW -12:39 PM Mar 30th, 2012

bmkatz If company is paying for part or all of device it isn't#BYOD - it is #cope #sapchat -12:40 PM Mar 30th, 2012

biz_mobility If you want to learn more about COPE, you can find out more here http://t.co/MdM9gEno and herehttp://t.co/3K3zInRP #SAPChat -12:40 PM Mar 30th, 2012

William_Newman @biz_mobility agreed, but you have the zots w/ dots and the zots w/ nots. Can't change that. #DrSeuss#SAPChat -12:41 PM Mar 30th, 2012

Q15: Tablet v. Tablet ericylai @biz_mobility Hey, I heard you wrote something cool on http://t.co/PhVdbyzg about Good Will Hunting today. Please share! #sapchat -12:49 PM Mar 30th, 2012

The_EMF_dot_org Confused About BYOD? It’s Not Your Faulthttp://t.co/0ejjvGnw #SAPChat -12:50 PM Mar 30th, 2012

bmkatz .@William_Newman For tablets you think #google has a good app marketplace - really? haven't found it useful on mine... #sapchat -12:50 PM Mar 30th, 2012

William_Newman @bmkatz didn't say they all worked but usually what you can find on #iTunes you can also find on#MoToogle #SAPChat -12:52 PM Mar 30th, 2012

bmkatz @William_Newman Did you see the recent article comparing tablet apps on iOS vs Android - food for thought#sapchat -12:53 PM Mar 30th, 2012

William_Newman @bmkatz so like running barefoot? #SAPChat-12:53 PM Mar 30th, 2012

biz_mobility @bmkatz can you share the link? #SAPChat -12:53 PM Mar 30th, 2012

bmkatz Article from @saschasegan - The iPad Wins Because Android Tablet Apps Suck: An Illustrated Guidehttp://t.co/HKwcVUlB #SAPChat -12:54 PM Mar 30th, 2012

ericylai @bmkatz What if I like my apps sorta raw, unrefined?#sapchat -12:56 PM Mar 30th, 2012

Q16: EMM v. BYOD Colin_Best @biz_mobility Does EMM not make BYOD irrelevant?#SAPChat -12:54 PM Mar 30th, 2012

biz_mobility @Colin_Best BYOD, COPE, StayPuff Marshmallow Man....you always need enterprise mobility management#SAPChat -12:55 PM Mar 30th, 2012

bmkatz My thoughts on BYOD and why it doesn't really matterhttp://t.co/UndNxhiF #sapchat -12:55 PM Mar 30th, 2012

bmkatz #EMM doesn't solve issues with #BYOD and privacy etc… > RT @Colin_Best: @biz_mobility Does EMM not make BYOD irrelevant? #SAPChat -12:57 PM Mar 30th, 2012

VirtualTal “@bmkatz: My thoughts on BYOD and why it doesn't really matter http://t.co/eWKk4pC8 #sapchat < exactly. it's not a "policy", it's a fact. -12:57 PM Mar 30th, 2012

biz_mobility @bmkatz let's agree to disagree my friend#SAPChat -12:58 PM Mar 30th, 2012