The speed with which the attack can be done is really the key here. This is less an issue of someone stealing your iPad2 and then getting access to your personal data. This is more an issue of someone having physical access for a couple of minutes and being able to get into and out of the device without being detected.
The feature defaults to enabled. If you don't own a smart cover, would you really look through the options for something like that and change it? Would your Joe Average consumer?
An insecure default shouldn't be excused because you can change it - the default configuration should be secure against such an attack.
I think that option isn’t even displayed when you have never used a smartcover with your iPad and it defaults to being turned on.
So in order to avoid this bug you would have to own a smartcover (or magnet) and hold it up to the sensor (it’s on the right side of the device) in order to display the option in the settings and only then could you turn it off.
> The attacker has physical access to your device ... you have bigger problems to worry about.
1. What bigger problems do I have to worry about?
2. The iPad uses encryption just like the iPhone. Most people won't be able to defeat that encryption, but most people will be able to do this simple on/off hack.
Sure, but the decryption keys are also on the iDevice, otherwise it wouldn't work. Which means that a competent cracker can get access to your data. Not a big issue if all you have is personal stuff (but then, how bad is it if your personal data is compromised), but the gains for big business espionage could justify the expense of a crack... So yes, the battle is already lost if an attacker physically has your iDevice in their hands. Don't do that.
Still, the default setting for the smart cover is clearly a bad security error by Apple - I trust it will be quickly fixed.
How many competent crackers vs opportunistic snatchers do you think there are? I'd be willing to bet that most would just wipe the thing if they can't get in easily enough - the data is less valuable than the device. That is, in anything but a targeted data-stealing attempt, but you're really hosed if you're a target of skilled hackers/crackers.
> The attacker has physical access to your device ... you have bigger problems to worry about.
I don't have bigger problems to worry about (or maybe I do - what are they?)
Perhaps 1% of thieves can get at my encrypted data, but probably all of them will be able to perform the few steps necessary to bypass the lock screen.
Look, the thing is, if you're worried about a casual thief, they probably don't care about your data anyway, they're going to wipe the device clean and resell it. If it is someone that actually stole the device to get the data, then I would expect your '1%' (plucked out of the air, or is there a reference for this kind of statistic - honest question, I'm not snarking) is actually going to be a much higher number, in which case the encryption isn't going to save you. It's pretty much game over once the attacker has their hands on the physical device, afterwards it's just a question of time.
My point is this: physical access to the device does not normally mean Game Over.
Most theft is going to be opportunist. For most thefts my data is going to be protected by the encryption. So in most cases, I don't have anything bigger to worry about.
Which is usually a four-digit code, since you have to type it in so often? That's about 10,000 combinations. It's trivial to go through all the combinations. Even if it took a second per combination, it'd be cracked in under three hours.
A more sensible way to encrypt a device is to use a separate long code that only has to be typed in at boot. Using a screen lock as an encryption key is just not effective.
Someone can probably manually access this in about 8 hours. 4 seconds/attempt = 7,200 guesses, ~72% chance to break in. (Assuming there is no built-in lockout based on failed attempts.)
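The arithmetic in the two comments above (10,000 four-digit codes, 1 s or 4 s per guess, no lockout) carried through as a small Python model, added here and not part of the thread; the escalating lockout schedule it also runs is an assumed illustrative policy, not any vendor's documented behaviour, included only to quantify the failed-attempt-lockout caveat:

```python
"""Guess budget for a short numeric passcode, with and without a lockout.

Added example, not code from the thread. The escalating lockout schedule is an
assumed, illustrative policy, not any vendor's documented behaviour.
"""
from typing import Dict, Optional

# Constructed policy: after the k-th failed attempt, wait this many seconds.
# Failures past the last key keep reusing the largest delay.
ILLUSTRATIVE_LOCKOUT: Dict[int, float] = {5: 60, 6: 300, 7: 900, 8: 3600}


def _delay_after(n: int, lockout: Dict[int, float]) -> float:
    """Extra seconds imposed after the n-th failed attempt under `lockout`."""
    if not lockout or n < min(lockout):
        return 0.0
    return lockout.get(n, lockout[max(lockout)])


def attempts_within_budget(budget_s: float, per_attempt_s: float,
                           lockout: Optional[Dict[int, float]] = None) -> int:
    """How many guesses fit in budget_s seconds at per_attempt_s per guess."""
    lockout = lockout or {}
    elapsed, attempts = 0.0, 0
    while elapsed + per_attempt_s <= budget_s:
        elapsed += per_attempt_s
        attempts += 1
        elapsed += _delay_after(attempts, lockout)
    return attempts


def success_probability(attempts: int, digits: int = 4) -> float:
    """Fraction of the 10**digits code space covered by `attempts` guesses."""
    space = 10 ** digits
    return min(attempts, space) / space


def exhaustive_time_s(per_attempt_s: float, digits: int = 4,
                      lockout: Optional[Dict[int, float]] = None) -> float:
    """Seconds needed to try every digits-long code."""
    lockout = lockout or {}
    total = 0.0
    for n in range(1, 10 ** digits + 1):
        total += per_attempt_s + _delay_after(n, lockout)
    return total


if __name__ == "__main__":
    guesses = attempts_within_budget(8 * 3600, 4)          # the thread's 7,200
    print(guesses, f"{success_probability(guesses):.0%}")  # 72%
    print(exhaustive_time_s(1) / 3600, "h for all 4-digit codes at 1 s each")
    print(attempts_within_budget(8 * 3600, 4, ILLUSTRATIVE_LOCKOUT),
          "guesses in 8 h with the illustrative lockout")
```

With the illustrative schedule the same 8-hour window yields 15 guesses instead of 7,200, which is the whole point of a failed-attempt lockout on a short PIN.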
While the adage "physical access == game over" is definitely true, it's a bit less useful now as more & more devices are portable.
Previously, physical access meant someone broke in or fraudulently gained entry to a room where your pc/server lives. Nowadays it means someone grabbed your tablet/smartphone for a minute while you are in the bathroom.
I have never left my iPad lying anywhere, unless it is with friends, and I am not too worried about them getting a peek at my home screen, or my email...