This is getting silly. Lock screens are the security equivalent of having a screen door. They exist to keep the mildly annoying things out, but they're not designed to prevent the real baddies.
Breaking with metaphor, I don't consider it much of a security flaw if step one is the other person has to have physical access to the device.
Okay, let's say it's now true. So if you forget your lock screen password, that's it, you're SOL. You bring it to the Genius bar at an Apple store. They inform you that you're SOL and you'll need to pay $600 for a new one. Yes, this would happen, so it's a terrible idea.
Okay, so relent a little, and let the people at the Genius bar send a special override command that enables them to unlock the device. This would be special in the sense that you couldn't do this at home with iTunes.
But eventually someone would reverse engineer what, exactly, that special command is, and then regular users would be able to unlock devices on their own. We're no longer everything-but-screwdriver-proof, but we're more secure than before.
My question: is it worth it? I don't think so. We're still in a situation where this is only going to be a concern when you lose your device - either because you left it somewhere or it was stolen. But we've now introduced lots of potential headaches for the user, for very little practical gain.
And those codes could leak, at which point we're back to the beginning.
But let's assume it doesn't leak. Is it worth it? Consider the enormous cost that would be required for this: every new iPad that is manufactured would need to be recorded in this central database. Secure access to it needs to be set up and maintained from all Apple stores around the world. Is that worth it for a rarely needed feature that most people don't care about?
If you instead try to do a secure hash of, say, the serial number, that's much less cost to maintain, but that hash will almost certainly leak. (Think DeCSS.)
Isn't it trivial to "fix" this by just disabling smart-cover unlocking? Isn't that exactly why this is a user-enabled feature of the smart cover?
It isn't that I oppose viewing this as a "bug" (obviously the user is led to believe that a password in and of itself would prevent this), but I would think that anyone security-conscious enough to have a password should be disabling smart cover unlocking anyway...
I largely agree. That said, it is a weird default, as if you've never owned a smart cover, it might not occur to you that there is a setting relating to it you don't want that is defaulted to on. I mean, it seems fair to me that someone who is "security-conscious" shouldn't be forced to examine every single option on the device looking for a painfully insecure default.
This is typical of Apple, though: it is also fun to carry around an Apple Remote if you know people with MacBooks. You walk up behind them, hit the menu button, and yell "FRONT ROW!", at which point their computer (default setting: accept any random remote) will /slowly/ fade to black, and then /slowly/ fade into a TV-like UI the user has probably never seen before.
> This is typical of Apple, though: it is also fun to carry around an Apple Remote if you know people with MacBooks. You walk up behind them, hit the menu button, and yell "FRONT ROW!", at which point their computer (default setting: accept any random remote) will /slowly/ fade to black, and then /slowly/ fade into a TV-like UI the user has probably never seen before.
It's /more/ fun to walk around with a defcon 2008 badge hacked to mash the "menu" button ten times a second rolling through the different pairing codes :)
Did you watch the video? This is definitely a bug, seeing as it only happens when you have the shutdown panel open. When you don't have the shutdown panel open, it shows the password prompt as expected. There's no reason that smart cover unlocking and a password prompt can't co-exist.
The speed with which the attack can be done is really the key here. This is less an issue of someone stealing your iPad2 and then getting access to your personal data. This is more an issue of someone having physical access for a couple of minutes and being able to get into and out of the device without being detected.
The feature defaults to enabled. If you don't own a smart cover, would you really look through the options for something like that and change it? Would your Joe Average consumer?
An insecure default shouldn't be excused because you can change it - the default configuration should be secure against such an attack.
I think that option isn’t even displayed when you have never used a smartcover with your iPad and it defaults to being turned on.
So in order to avoid this bug you would have to own a smartcover (or magnet) and hold it up to the sensor (it’s on the right side of the device) in order to display the option in the settings and only then could you turn it off.
> The attacker has physical access to your device ... you have bigger problems to worry about.
1. What bigger problems do I have to worry about?
2. The iPad uses encryption just like the iPhone. Most people won't be able to defeat that encryption, but most people will be able to do this simple on/off hack.
Sure, but the decryption keys are also on the iDevice, otherwise it wouldn't work. Which means that a competent cracker can get access to your data. Not a big issue if all you have is personal stuff (but then, how bad is it if your personal data is compromised), but the gains for big business espionage could justify the expense of a crack... So yes, the battle is already lost if an attacker physically has your iDevice in their hands. Don't do that.
Still, the default setting for the smart cover is clearly a bad security error by Apple - I trust it will be quickly fixed.
How many competent crackers vs opportunistic snatchers do you think there are? I'd be willing to bet that most would just wipe the thing if they can't get in easily enough - the data is less valuable than the device. That is, in anything but a targeted data-stealing attempt, but you're really hosed if you're a target of skilled hackers/crackers.
> The attacker has physical access to your device ... you have bigger problems to worry about.
I don't have bigger problems to worry about (or maybe I do - what are they?)
Perhaps 1% of thieves can get at my encrypted data, but probably all of them will be able to perform the few steps necessary to bypass the lock screen.
Look, the thing is, if you're worried about a casual thief, they probably don't care about your data anyway, they're going to wipe the device clean and resell it. If it is someone that actually stole the device to get the data, then I would expect your '1%' (plucked out of the air, or is there a reference for this kind of statistic - honest question, I'm not snarking) is actually going to be a much higher number, in which case the encryption isn't going to save you. It's pretty much game over once the attacker has their hands on the physical device, afterwards it's just a question of time.
My point is this: physical access to the device does not normally mean Game Over.
Most theft is going to be opportunist. For most thefts my data is going to be protected by the encryption. So in most cases, I don't have anything bigger to worry about.
Which is usually a four-digit code, since you have to type it in so often? That's about 10,000 combinations. It's trivial to go through all the combinations. Even if it took a second per combination, it'd be cracked in under three hours.
A more sensible way to encrypt a device is to use a separate long code that only has to be typed in at boot. Using a screen lock as an encryption key is just not effective.
Someone can probably manually access this in about 8 hours. 4 seconds / attempt = 7,200 guesses ~72% chance to break in. (Assuming there is no built in lockout based on failed attempts.)
While the adage "physical access == game over" is definitely true, it's a bit less useful now as more & more devices are portable.
Previously, physical access meant someone broke in or fraudulently gained entry to a room where your pc/server lives. Nowadays it means someone grabbed your tablet/smartphone for a minute while you are in the bathroom.
I have never left my iPad lying anywhere, unless it is with friends, and I am not too worried about them getting a peek at my home screen, or my email...
So let me get this straight: the first one, being a setting, wasn't a vulnerability, but this one is. I can't see the logic behind their reasoning; in my opinion they are both superficial security policies (i.e. badly set defaults).