Hello trewmte,
thanks for the amazing write-up and I completely agree with the implementations that you suggested. But my question remains:
Most people use a classical 4-digit pin number to protect their device (longer passwords are harder to remember, and also a hindrance to usability according to casual users), this comes down to brute forcing only 10,000 possible combinations which is trivial for a computer to process.
I'm not too familiar with blackberry devices, but as an incumbent in the corporate environment, I'm pretty sure BB devices have their security pretty much setup from long years of experience. My focus is more on the iPhone/iPad and the multitude of Android devices out there. As you all know, these devices were released as casual consumer devices, and slowly shifted into the corporate environment with the rising trend of BYOD.
So, even if your device is password protected, and has a "x number of entry attempts or wipe" policy associated with it, I could easily put the device, let's say into "recovery mode" (e.g. DFU mode for iPhone), brute force your PIN number in hopes of cracking it, and dumping a physical forensic image of the device for me to analyze.
I am also interested in a "secure wipe" for mobile devices. I mean the iPhone erases the keys, that's great, but let's say in the near future (although unlikely) some flaw in the AES algorithm gets published, now I have your encrypted data and can use that flaw to decrypt it.
What we need is a completely secure erase that wipes the data on the device never to be recovered again.
↧