Security Bits Logo no alpha channel

Security Bits — 30 August 2020

Feedback & Followups

  • 🇺🇸 Pennsylvania has announced plans to release an Apple/Google-based COVID app in September —…
    • Which U.S. states are using Apple’s Exposure Notification API for COVID-19 contact tracing?…
  • 🇦🇺 Australia’s non-Google/Apple COVID app continues to struggle with success rates while phones are locked between 27% & 40% (Editorial by Bart: this is of course completely expected, and, what surprises me is that it sometimes nearly manages to work half the time) —…;
  • 🇬🇧 English & Welsh victims of the massive 2014-2018 data breach at Marriott hotels are suing the company. According to the UK Information Commissioner 7M UK residents were caught up in the breach —…

Deep Dive — Is a 6-Digit PIN Safe on your iOS Device?

Thanks to COVID a lot of people who relied on FaceID to make the inconvenience of an alphanumeric password on their iOS devices an acceptable experience are now being tempted to revert to a 6-digit PIN.

An anecdote has emerged that suggests that perhaps there are now enough GreyKey-like machines out there that they have made their way into the hands of regular criminals, and that they are being used to crack iOS PINs on stolen devices.

Somehow, a user who recently had an iPhone with a 6-digit passcode stolen found that the thieves had cracked the PIN, used the PIN to access his KeyChain and then used his passwords to steal $30K via unauthorised wire transfers, spend $2.5K in the AppStore, and break into loads of the user’s online accounts.

The assumption is that the criminals who stole the phone used a second-hand iPhone cracking device like the GreyKey to crack the PIN. We know these devices exist, but in theory, they are only available to law enforcement. Mind you, at least one example has been reported of one of these devices for sale on eBay, so it’s not unreasonable to assume they are leaking out beyond the law enforcement community. Of course, good old fashioned corruption is another possibility — a bad cop making a few bucks on the side cracking iPhones for their mob buddies doesn’t too outlandish to me.

It’s important to remember that this is a single anecdote, and, we are assuming the PIN was cracked, and guessing that was done with a GreyKey-like device. Be careful not to read too much into this one very wobbly datapoint!

Having said that, my advice remains as it always was, use a real password on your iOS device. If you set your phone to erase after 10 failed attempts, then a 6-character password seems adequate to me — there’s a lot more entropy in even a terrible password like M0nkey than there is in any six-digit PIN!


Worthy Warnings

Notable News

Top Tips

Palate Cleansers

Dependency —…


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

3 thoughts on “Security Bits — 30 August 2020

  1. James Ford - September 7, 2020

    On episode 799, Bart said he does not watch YouTube videos because turning off Autoplay does not stick from session to session. I turned Youtube AutoPlay off on my Mac, iPad and iPhone and the setting has stayed off for 3-4 days, even after reboots and resets. I am running the latest software on all my devices. What he previously experienced seems to have been fixed, at least it has for me. Maybe he should try again to see if that is true for him.

  2. Anonymous - September 7, 2020

    James — do you log in to YouTube? I don’t because I don’t want to make it even easier for them to spy on me than it already is 🙂

  3. James Ford - September 7, 2020

    Yes I do login to YouTube.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top