The iPhone reset feature, or why throttling matters

Throttling is a fundamental technique that finds numerous applications in information security. It helps buy time for a security team to decide the proper course of action for remediating a problem. In a previous article I briefly mentioned its utility for social network’s anti-spam efforts. Throttling of malicious activity can prove useful for security of consumer products as well, as shown by a patch delivered this past week to a popular handset.

On Friday Apple released iPhone firmware 2.1, an update that brought many bug fixes and security patches to the platform. One new feature listed is the option to “wipe data after ten failed passcode attempts”. I immediately thought about possible ways this feature could be exploited by someone to maliciously wipe a handset. Let’s say you are at a bar with a few friends after work, and one of them happens to think an amusing practical joke would be to blank your handset. Another scenario would be if your child picked up your phone and decided to attempt to log in, but repeatedly entered the wrong passcode. In both cases a few extra minutes can make the difference between having a phone that is still immediately usable and one that is not.

Apple included staged throttles on the passcode screen that can create this extra time. After 6 passcode failures, the user is required to wait 1 minute before attempting again. Failing 7 and 8 times in a row incurs 5 and 15 minute pauses. I didn’t want to see how long I would have to wait to use my phone after 9 failures. Collectively, the incorrect passcode throttles will generate at least 20 minutes of delay before someone can wipe your handset, more than enough time to intervene and stop someone from playing with your handset if it is still physically near you.

Having a passcode throttle does not prevent the device from being stolen, nor does it prevent someone from gaining access to the data. A phone will be stolen regardless of whether or not the thief can use it him or herself, and the winners in the data theft game are the attackers who have the most patience. What the throttle does provide you, however, is a little more time to take a remediating action, or, in other words, find your phone and put it back in your pocket.

[Source: zdnet]