Apple vs. FBI iPhone battle shows users remain the weakest link in security

“While Apple and the FBI fight a high-stakes legal battle over a locked iPhone, the dispute also highlights once again that even the most well-designed smartphone security can be undercut by the bad habits of users,” Aaron Pressman writes for Yahoo Finance.

“iPhones — and most other brands of smartphones — can be locked with a PIN code of four to six numbers or more complicated and longer passwords that have both letters and numbers,” Pressman writes. “It’s believed that the iPhone in possession of the FBI is locked only with a simple four-digit code. That was the default setting of Farook’s employer, the San Bernardino County Department of Public Health, which assigned him the phone. If that’s the case, and Apple wrote the special software the FBI wants to disable several of the security safeguards on the phone, the FBI could guess the PIN code in under an hour. But even with Apple weakening an iPhone’s security, guessing a longer passcode that had a mix of letters and numbers could take decades or even longer.”

Pressman writes, “‘The only reason we’re having this discussion about Farook’s phone at all is because he chose to use a weak, numeric pin,’ says security researcher Jonathan Zdziarski. ‘If he had used an alpha-numeric passcode of reasonable length, all of Apple’s encryption would still hold together and it would be unfeasible to try and attack it.’”
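The “under an hour” versus “decades or even longer” contrast above comes down to keyspace size divided by guess rate. The following Python estimator is an added example, not code from the MacDailyNews post or the Yahoo Finance article: it classifies a passcode by the smallest character class that covers it, computes the keyspace and entropy, and reports the worst-case time to exhaust the space at an assumed rate. The rate of 12.5 guesses per second (about 80 ms per attempt, with retry delays and the erase-after-ten-tries safeguard assumed removed) and the sample passcodes are constructed assumptions for illustration, not figures from the page.

```python
"""Passcode-strength estimator: keyspace, entropy bits and worst-case brute-force time.

Added example (not from the original article). The guess rate is an assumption:
roughly 80 ms per attempt once delay and wipe protections are out of the way.
"""
import math
import string

GUESSES_PER_SECOND = 12.5  # assumption: ~80 ms per passcode attempt

# Ordered smallest to largest so classify() returns the tightest class that fits.
CHARSETS = [
    ("digits", string.digits),
    ("alphanumeric", string.ascii_letters + string.digits),
    ("alphanumeric+symbols", string.ascii_letters + string.digits + string.punctuation),
]


def classify(passcode):
    """Return (class name, class size) for the smallest class covering every character."""
    if not passcode:
        raise ValueError("empty passcode")
    for name, chars in CHARSETS:
        if all(c in chars for c in passcode):
            return name, len(chars)
    raise ValueError("passcode contains characters outside the supported classes")


def keyspace(charset_size, length):
    """Number of distinct passcodes of the given length over the given character set."""
    return charset_size ** length


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every candidate; an attacker expects about half on average."""
    return space / rate


def human_duration(seconds):
    """Render seconds as the largest unit that fits, e.g. '13.3 minutes'."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def assess(passcode, rate=GUESSES_PER_SECOND):
    """Summarise how long an unthrottled guesser would need for a passcode like this one."""
    name, size = classify(passcode)
    space = keyspace(size, len(passcode))
    return {
        "class": name,
        "length": len(passcode),
        "keyspace": space,
        "entropy_bits": round(math.log2(space), 1),
        "worst_case": human_duration(seconds_to_exhaust(space, rate)),
    }


if __name__ == "__main__":
    # Constructed sample passcodes, not anything from the article.
    for sample in ["1234", "583920", "a1b2c3d4", "Tr0ub4dor&3xample"]:
        result = assess(sample)
        print(f"{sample!r:22} {result['class']:22} {result['length']:>2} chars "
              f"{result['entropy_bits']:>5} bits  worst case: {result['worst_case']}")
```

The four-digit case lands at roughly thirteen minutes at this rate, which matches the “under an hour” figure; a six-digit PIN buys less than a day, while an eight-character alphanumeric code already runs to hundreds of thousands of years. The model ignores the retry delay and the ten-attempt erase setting, which is exactly why the article frames the dispute as being about disabling those safeguards.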

Read more in the full article here.

MacDailyNews Note: To set a stronger alphanumeric passcode on your iOS device that cannot be easily brute-forced:

1. Settings > Touch ID & Passcode. On devices without Touch ID, go to Settings > Passcode
2. Tap Change Passcode
3. Tap Passcode Options to switch to a custom alphanumeric code
4. Enter your new, stronger passcode again to confirm it and activate it

SEE ALSO:
Apple’s fight with U.S. could speed development of devices impervious to government intrusion – February 24, 2016
Apple to argue that FBI court order violates its free-speech rights – February 24, 2016
Apple, the U.S. government, and security – February 24, 2016
Congressman Ted Lieu asks FBI to drop demand that Apple hack iPhones – February 23, 2016
In the fight to hack iPhones, the U.S. government has more to lose than Apple – February 23, 2016
Here are the 12 other cases where the U.S. government has demanded Apple help it hack into iPhones – February 23, 2016
John McAfee blasts FBI for ‘illiterate’ order to create Apple iPhone backdoor – February 23, 2016
Some family members of San Bernardino victims back U.S. government – February 23, 2016
Apple supporters to rally worldwide today against U.S. government demand to unlock iPhone – February 23, 2016
U.S. government seeks to force Apple to extract data from a dozen more iPhones – February 23, 2016
Apple CEO Cook: They’d have to cart us out in a box before we’d create a backdoor – February 22, 2016
Tim Cook’s memo to Apple employees: ‘This case is about more than a single phone’ – February 22, 2016
Obama administration: We’re only demanding Apple hack just one iPhone – February 17, 2016

9 Comments

    1. Not only that, but the San Bernardino County Department of Public Health failed to install the Mobile Device Management software that they owned, which would have allowed them to decrypt the phone without Farook’s passcode.

  1. I worked at a bank 3 years ago, 1st line so lots of password resets. We had security questions… here’s an example:

    Me: “What is your favourite colour?”

    User: “Colour”

    Me: “What was your first car?”

    User: “Car”

    And so on… mainly the Indian Call Centre. We had to accept their answer, because it was correct. Now I know that all up to date systems don’t allow this kind of answer, this was a major investment bank that had swallowed up loads of others, so we had to shoehorn everything together and this was the end result.

    Anyway, I digress 🙂

  2. In the security community, the term I picked up is ‘luser’, or the same term in all caps when emphatic. Lusers are users you can count on to pick up Trojan horse malware, fall for phishing, send money to Nigeria, etc. They can’t help it. Expect them. Prepare for them. They are the eternal ‘wetware error’.
