If you are a bit paranoid, like me, you certainly protect the access to your iPad via the Passcode Lock (available under Settings >> General >> Passcode Lock). While using our iPads earlier today, we uncovered an unexpected, low tech security flaw associated with this feature.
If you haven’t played with the Passcode Lock yet, the feature is basically designed to prevent unauthorized access to your iPad by asking for a 4 digits code, each time the iPad is woken up. Each digit is comprised between 0 and 9, so the total number of possibilities is 10,000, and it is fair to assume that it would take a while for someone to guess your passcode, especially given that the iPad goes into a protected mode for some time if you enter too many erroneous passcodes.
However, the number of actual possibilities can be greatly reduced, because of the combination of these 2 basic flaws:
- The location of the Passcode Lock window, which never changes
- The smudges the end users leave on their screen
If you don’t clean your iPad screen often enough, smudges quickly appear, especially in locations where you happen to tap a lot, just like the Passcode Lock window. And since the window always shows up at the same place, the smudges tend to accumulate exactly on the digits used to unlock your iPad. By looking at the screen at an angle in a luminous room, it is very easy to discover which digits are used the most, and if like me you happen to use a 4 different digits combination for your passcode, the number of possibilities for an intruder to figure out your key goes from 10,000 to… 24! Trying the 24 combinations takes less than 5 minutes, even if you trigger the protected mode by typing too many erroneous codes.
In order to protect your iPad, try to use the same digit twice (for instance, 9313), as this will prevent a wannabe intruder from being able to use this method. Most of all, clean your screen as often as you can. Hopefully the next iPhone OS update will “randomize” the location and/or the order of the digits of the Passcode Lock window, in order to avoid the issue once and for all.