iPad Passcode Lock Basic Security Flaw

If you are a bit paranoid, like me, you certainly protect access to your iPad with the Passcode Lock (available under Settings >> General >> Passcode Lock). While using our iPads earlier today, we uncovered an unexpected, low-tech security flaw associated with this feature.

If you haven’t played with the Passcode Lock yet, the feature is designed to prevent unauthorized access to your iPad by asking for a 4-digit code each time the iPad is woken up. Each digit is between 0 and 9, so there are 10,000 possible codes, and it is fair to assume that it would take a while for someone to guess your passcode, especially since the iPad goes into a protected mode for some time if you enter too many wrong passcodes.

However, the number of codes an intruder actually has to try can be greatly reduced by the combination of these 2 basic flaws:

  • The location of the Passcode Lock window, which never changes
  • The smudges the end users leave on their screen

If you don’t clean your iPad screen often enough, smudges quickly appear, especially in locations where you tap a lot, such as the Passcode Lock window. And since the window always shows up in the same place, the smudges accumulate exactly on the digits used to unlock your iPad. By looking at the screen at an angle in a bright room, it is very easy to see which digits are used the most, and if, like me, you use a passcode made of 4 different digits, the number of possibilities an intruder has to try drops from 10,000 to… 24 (the 4! orderings of those four digits)! Trying the 24 combinations takes less than 5 minutes, even if you trigger the protected mode by typing too many wrong codes.

To protect your iPad, use the same digit twice (for instance, 9313), as this will prevent a wannabe intruder from using this method. Most of all, clean your screen as often as you can. Hopefully the next iPhone OS update will “randomize” the location and/or the order of the digits in the Passcode Lock window, to avoid the issue once and for all.
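As an added worked example (not part of the original post), here is the counting behind the “10,000 to 24” figure, generalized to any number of distinct smudged keys and any passcode length, so you can see how much a repeated digit (as in 9313) or a longer passcode actually shrinks the intruder’s advantage. The function names are my own.

```python
from itertools import product
from math import comb


def smudge_candidates(k: int, n: int) -> int:
    """Number of n-digit passcodes whose set of distinct digits is exactly
    a given set of k smudged keys: every smudged key was pressed at least
    once and no other key was. Inclusion-exclusion over the keys that are
    skipped: sum_{j=0..k} (-1)^j * C(k, j) * (k - j)^n.
    For k = n = 4 this is simply 4! = 24."""
    if k < 1 or n < k:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def smudge_candidates_bruteforce(smudged_keys: str, n: int) -> int:
    """Same count by enumerating every n-digit code over the smudged keys
    and keeping those that use all of them; cross-checks the formula."""
    keys = set(smudged_keys)
    return sum(1 for code in product(sorted(keys), repeat=n)
               if set(code) == keys)


def search_reduction(k: int, n: int) -> float:
    """Factor by which smudges shrink the search space relative to 10**n,
    i.e. how much of the nominal strength of the passcode is left."""
    return 10 ** n / smudge_candidates(k, n)


if __name__ == "__main__":
    # 4-digit passcodes (the iPad default): how many codes remain once the
    # intruder can read k distinct smudged keys off the glass.
    for k in range(1, 5):
        print(f"4 digits, {k} distinct keys smudged: "
              f"{smudge_candidates(k, 4):>6} candidates "
              f"(search space cut by {search_reduction(k, 4):.0f}x)")
    # The post's repeated-digit advice (9313): 3 keys smudged, 36 candidates,
    # versus 24 for 4 distinct digits. Still far from 10,000.
    print("9313-style passcode:", smudge_candidates_bruteforce("931", 4))
    # An 8-digit passcode with only 4 distinct keys smudged still leaves
    # 40,824 candidates: length helps far more than digit reuse does.
    print("8 digits, 4 keys smudged:", smudge_candidates(4, 8))
```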


About dag: Certified geek

  • AspirinMan

    Changed my code, thanks for the tip

  • Ryszard H.

    “clean your screen as often as you can” or do just the opposite, so the passcode smudges are just part of the overall touch pattern. In fact, I would postulate that this ‘trick’ works only on a relatively newly cleaned screen.

  • Mezzrow

    I seriously hope this is one of the things Apple addresses when OS 4.0 comes out: 4 digits is just not secure enough. It’s not on the iPhone, and even less so on the iPad. It needs to be longer and allow other characters. Apple also needs to add the ability to have more than one user account.

  • Craig

    Better yet, enter an invalid passcode that uses four digits that aren’t in your real passcode then enter your real one. That only takes an extra second or two and gives would-be thieves 8 digits to work with, or almost 1,700 combinations. Alternate between two invalid passcodes that use all 10 digits and you have maximum security.

  • Charlie

    I agree, the 4 digit passcode is a real security flaw. Why limit it to digits anyway? That only makes for 10,000 combinations. If they allowed letters and digits the total would be over a million.

    I think getting a decent password manager is a wise investment on an iPad. But watch out, because some of them limit you to a 4-digit passcode too, so be sure to get one that allows you to create a strong password with letters, numbers, caps, and punctuation marks. I like Ascendo Datavault because it has a password generator with a strength meter, but SPB seems to be good too.

    Bottom line is you would store all your treasure behind a padlock!

  • Charlie

    I agree, the 4 digit passcode is a real security flaw. Why limit it to digits anyway? That only makes for 10,000 combinations. If they allowed letters and digits the total would be over a million.

    I think getting a decent password manager is a wise investment on an iPad. But watch out, because some of them limit you to a 4-digit passcode too, so be sure to get one that allows you to create a strong password with letters, numbers, caps, and punctuation marks. I like Ascendo Datavault because it has a password generator with a strength meter, but SPB seems to be good too.

    There are lots of good ones, here’s a link that looks at a bunch.
    http://www.brighthub.com/mobile/iphone/articles/66880.aspx

    Bottom line is don’t settle for a padlock to safeguard your most important info!

  • Tux2

    This is a major security flaw. I have several brothers and sisters, and they quickly figured out the “clean the screen, ask brother to type in the password so I can play on it” routine. Then they would use the smudges, and the way I moved my hands, to figure out the password. There are two ways to combat this: put a thin piece of cloth over your finger when you type in the password, like your shirt, or just take the palm of your hand and smudge out the fingerprints. Another way to combat it is to type in your password in different orientations every time so the smudges are inconsistent. Although I do these techniques, I still find that I have to change my password every 4-7 days, because they see me type in bits and pieces. All my other passwords are at least 15 characters long and include special characters, and they have yet to crack them. Apple, please fix this!!!!

  • http://adamagregory.com Adam

    I would suggest the better option is to never clean your screen at all; then it’s just one big blur of smudges and therefore unimportant. But in reality, if someone has taken your iPad to begin with, who cares about the data? You just got screwed out of $600-$800 bucks. That blows.

  • Bnau

    You people need to read your iPad documentation first! You only need to turn off the 4-digit code capability in settings and this will enable you to put in a regular 8-digit passcode, as I did lol

  • http://www.facebook.com/ThunderStruck Michael Warner Hayes

    Hello, my name is Michael Hayes from Arkansas. I have an iPad 2 on which tonight I accidentally activated VoiceOver, then, without knowing, locked the screen. Now when I try to unlock the device, it does not input the code and then closes the screen. Over and over I have tried with no help. I called support only to find that tomorrow they will call me. I was wondering and was hoping that you may be able to help? I hard rebooted with no success. Do you have any suggestions?

    • http://www.facebook.com/ThunderStruck Michael Warner Hayes

      please email mh71921@yahoo.com