x404.co.uk
http://www.x404.co.uk/forum/

icloud security bypassed by 70 lines of code
http://www.x404.co.uk/forum/viewtopic.php?f=4&t=21461

Author:  bobbdobbs [ Sat Mar 01, 2014 9:59 am ]
Post subject:  icloud security bypassed by 70 lines of code

http://www.neowin.net/news/apples-icloud-security-feature-in-osx-is-bypassed-in-just-70-lines-of-code
Quote:
A Github user by the name of knoy has uploaded iCloudHacker: it's only about 70 or so lines of Arduino code that doesn't just make it ridiculously straightforward to brute-force your way through the Find my Mac lockout, but it also dances around the surprisingly lackluster security controls that Apple had tried to implement. The coder reports that it has been successfully tried and tested on 2010 & 2012 13" MacBooks.

ouch

Author:  jonbwfc [ Sat Mar 01, 2014 11:38 am ]
Post subject:  Re: icloud security bypassed by 70 lines of code

Quote:
If an Apple computer is remotely locked by an iOS device, the user would need to enter a 4-digit PIN on the Find my Mac app in order to unlock the machine.

So it's not actually 'iCloud security', it's the 'find my device' authentication layer. And even if you unlock that, you still have the 'normal' security layer to get through e.g. a password of indeterminate length and complexity.

So not overstating the case much at all then.

Author:  big_D [ Sun Mar 02, 2014 9:16 am ]
Post subject:  Re: icloud security bypassed by 70 lines of code

Once unlocked, the Mac could then be started in recovery mode and passwords reset or data copied from the drive.

This is about unlocking the local Mac.

A better method would be to lock the Mac for hours after half a dozen failed attempts or bricking it (requiring it to be taken to an Apple store or reseller). The problem is that it locks for a maximum of five minutes and it forgets the 5 minutes if you reboot the system.

That is the problem here. If it could remember the 5 minute lockout and/or change that to hours instead of minutes, it would be much more effective, as would having a sensible length password or longer PIN, instead of just 4 digits. As the article said, if the code took into account the most used PINs first, it would probably be able to crack the PIN code a lot faster.

If you have stolen the Mac, you either want to get at the data on the device or you want to erase it and reinstall it so that you can use it yourself or sell it on. You probably don't care about the iCloud account itself.
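
The design point raised in the post above (a lockout that is forgotten on reboot), as an added example that is not part of the thread: a failed-attempt limiter in Python whose counter and deadline survive a restart. The class name, the JSON state file and the one-hour doubling delay are assumptions made for illustration; "half a dozen" attempts comes from the post.

```python
import json
import os
import tempfile

class AttemptLimiter:
    """Failed-attempt limiter (hypothetical). With state_path set, the counter
    and lockout deadline are written to disk so a restart cannot clear them."""

    def __init__(self, state_path=None, free_attempts=6, base_delay=3600):
        self.state_path = state_path
        self.free_attempts = free_attempts  # failures allowed before locking
        self.base_delay = base_delay        # assumed: 1 hour, doubling each time
        self.failures, self.locked_until = 0, 0.0
        if state_path and os.path.exists(state_path):
            with open(state_path) as f:
                saved = json.load(f)
            self.failures = saved["failures"]
            self.locked_until = saved["locked_until"]

    def _save(self):
        if not self.state_path:
            return                          # volatile mode: state dies with the process
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"failures": self.failures,
                       "locked_until": self.locked_until}, f)
            f.flush()
            os.fsync(f.fileno())            # on disk before the attempt is answered
        os.replace(tmp, self.state_path)    # atomic swap, no half-written state

    def seconds_remaining(self, now):
        return max(0.0, self.locked_until - now)

    def record_failure(self, now):
        self.failures += 1
        over = self.failures - self.free_attempts
        if over >= 0:                       # 6th failure: 1 h, 7th: 2 h, 8th: 4 h ...
            self.locked_until = now + self.base_delay * (2 ** over)
        self._save()

def lockout_after_reboot(persistent):
    """Fail 6 times at t=0, 'reboot' (fresh object) at t=60 s, return lockout left."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "limiter.json") if persistent else None
        limiter = AttemptLimiter(path)
        for _ in range(6):
            limiter.record_failure(now=0.0)
        rebooted = AttemptLimiter(path)     # new instance stands in for a restart
        return rebooted.seconds_remaining(now=60.0)
```

On real hardware the state would have to live somewhere the person holding the machine cannot rewrite, and the deadline should not depend on a clock they can reset.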

Author:  jonbwfc [ Sun Mar 02, 2014 10:49 am ]
Post subject:  Re: icloud security bypassed by 70 lines of code

big_D wrote:
If you have stolen the Mac, you either want to get at the data on the device or you want to erase it and reinstall it so that you can use it yourself or sell it on. You probably don't care about the iCloud account itself.

If that's what you're bothered about, what you actually need is this. The fact is even without this hack the 'find my mac' lock can be defeated by booting the Mac off a DVD or as you say the recovery partition if you're not actually bothered about keeping the data on it. The 'find my mac' pass lock is about the situation where the person who found it would return it to the original owner but it gives the owner some peace of mind that it hasn't been accessed in the meantime.

Regardless of all that, the headline is misleading. This is not 'iCloud security' in a real way at all. Cracking the find my mac does not give the person doing so access to the user's iCloud account.
