Swedish security firm Micro Systemation has demonstrated how simple it is to defeat lock screen passcode mechanisms on both iPhone OS and Android devices. To do it, the company shows off its own security tool called XRY, a utility used by law enforcement, military personnel and even the FBI for this very purpose.
In the demonstration below, the hack takes less than a couple of minutes from getting set up to completion. The actual cracking itself takes only seconds, but the passcode-breaking mechanism is a brute-force attack. The PIN used in the demonstration is “0000”, which is likely to be the first number guessed, thus giving us the quickest possible result. A code like “9945” may take considerably longer.
The software not only cracks passcode locks, but can also extract data from locked phones. It is able to copy and decrypt GPS location history, call logs, contacts, texts and even keystroke logs.
XRY is based on a jailbreak-like method of gaining unsanctioned access to mobile devices. Instead of using official backdoors, which are sometimes left by manufacturers, the company exploits security flaws found in the OS itself. Leveraging these exploits, the software is able to inject code into the device, which gives XRY unfettered access to the system, not unlike jailbreaking tools like ac1dsn0w or redsn0w.
In fact, finding exploits in every mobile OS update is what about half of Micro Systemation’s 75 employees do.
The phone and tablet hacking tool sports a fairly intuitive interface, allowing individuals to use it successfully with minimal training. This sounds particularly useful for law enforcement and other agencies with limited monetary and technical resources.
As we’ve all heard, the legality of jailbreaking is on thin ice. However, when authorities are using tools like XRY to crack criminals’ smartphones, that seems to raise some red flags.
“If police have a warrant to be in the phone, this is just a way to get access to what they’re legally allowed to,” Fakhoury says of the XRY tool. “But if they’re going to a protest and seizing folks for booking, and immediately running this on their phones and sucking everything out, we’ve got a real problem.”
Micro Systemation claims its largest XRY client is the U.S. Military. “When people aren’t wearing uniforms, looking at mobile phones to identify people is quite helpful,” Dickinson explained as a potential scenario.