1. SoftExpert
    Hello,

    While searching for the latest update I discovered something troubling, and I wonder if it's a known design flaw - or a configuration error on my part.

    First, I removed the SIM card - hoping that my PRIV (currently with AAO484) will, somehow, find the latest update (which it didn't, but that's not the topic).
    Then, after the 32s reboot, I put in the PIN and the boot process continued until I ended on the default interface.

    The trouble is the following: although the Picture Password was set up, it was not triggered - so I had FULL access to everything.

    Once the phone went into sleep, when woken up, it presented the Picture Password as usual.

    So it seems that there is a "one time only" way to get past the protection (at least Picture Password) - immediately after a reboot. It can be reproduced easily after each reboot, when the SIM is not present.

    Obviously, someone must have the PIN code, but there might be a reason to have some other kind of protection as an extra.

    So, is this known? Are there ways around it? (I mean make Picture Password work in this narrow case, not replacing it with other methods).

    Thank you for your inputs, guys!

    Best regards,
    SoftExpert
    11-01-17 03:23 AM
  2. Dunt Dunt Dunt
    I just tried with my Samsung... it requires a PIN pretty early in the boot process (no picture password), so that didn't work on it. Have to see if other BlackBerry users can reproduce your results with Picture Password or a PIN....
    11-01-17 07:29 AM
  3. dpw09
    Disable boot pin and see if same happens... curious
    11-01-17 07:06 PM
  4. 1122334455667788
    I'm pretty sure this is how it is supposed to work. If I remember correctly, after booting, the first login uses the pin/password instead of the picture.
    I'm guessing it's needed to unlock encryption keys or something.
    11-01-17 07:57 PM
  5. SoftExpert
    Hello,

    I'm not sure I was clear enough: the first PIN is entered in early boot - so the phone will have access to whatever encryption key it needs.
    The trouble is that after this stage we have 2 distinct behaviours:
    1. with the SIM present, the SIM PIN code will be requested and then the Picture Password is shown - the expected behaviour
    2. with SIM absent, we get directly to the UI, without having the Picture Password shown (thus my question); if I simply press the Power button to enter "sleep" mode (lock), once I wake it up again, the Picture Password is shown.

    So, my question is about this gap when the SIM is absent.
    11-02-17 01:53 AM
  6. 1122334455667788
    I guess it is weird that you are getting two different behaviours (number 2 actually sounds like the normal one to me).
    I don't really see an issue though. As long as a PIN or Picture Password is requested after/during boot, everything is secure. Keep in mind that whenever you have a Picture password request, you can bypass it and choose to enter the regular PIN instead.
    11-02-17 10:57 AM
  7. PHughes
    how is it an easy way in, if it requires your pin to boot?
    anon(2313227) likes this.
    11-02-17 03:44 PM
  8. dpw09
    how is it an easy way in, if it requires your pin to boot?
    I'm guessing because it's easier to crack a pin than it is to crack a pin and picture password
    11-02-17 03:47 PM
  9. 1122334455667788
    I'm guessing because it's easier to crack a pin than it is to crack a pin and picture password
    Like I said, you never HAVE to complete the picture password. Simply enter the picture password incorrectly 5 times, and it switches to requesting the PIN.
    11-02-17 04:19 PM
  10. PHughes
    Like I said, you never HAVE to complete the picture password. Simply enter the picture password incorrectly 5 times, and it switches to requesting the PIN.
    And, if they get the PIN incorrect ten times the phone is wiped. I don't have a PIN, I think you are referring to the password, it doesn't have to be a PIN, it can contain letters or numbers.
    11-02-17 05:08 PM
  11. PHughes
    I'm guessing because it's easier to crack a pin than it is to crack a pin and picture password
    It isn't a PIN, it can contain letters or numbers. If you get it wrong ten times, the phone wipes itself, so not easy.
    11-02-17 05:09 PM
  12. 1122334455667788
    And, if they get the PIN incorrect ten times the phone is wiped. I don't have a PIN, I think you are referring to the password, it doesn't have to be a PIN, it can contain letters or numbers.
    Having a pin or password doesn't make any difference to what I said.
    If you use a password instead of a PIN, just replace every instance of PIN with password and it's still correct.
    11-02-17 08:11 PM
  13. anon(2313227)
    so how is it insecure if it asked for a pin... I don't get it...
    PHughes likes this.
    11-02-17 08:29 PM
  14. PHughes
    so how is it insecure if it asked for a pin... I don't get it...
    Exactly. The phone is protected by the password. Without it, you cannot get in and the phone will be wiped after ten tries.
    11-04-17 03:53 PM
  15. tickerguy
    It's not insecure.

    The Picture Password uses the lock state FROM THE PIN (or password.) So you have to have unlocked the phone with the pin or password FIRST, in order for Picture Password to work at all. That's why it asks for it either on boot or, if you've disabled "PIN or Password required to boot", before the phone will let you in the FIRST time after boot.

    A SIM pin is an entirely-separate thing. That's required to unlock THE SIM. That's stored ON the SIM, so if you move the SIM it moves too. If you have no SIM in the phone then there is nothing to unlock in that regard, so it isn't asked for.

    BTW if you get the SIM PIN wrong too many times (usually 3!) you had better have the PUK code. Get THAT wrong too many times and your SIM gets erased and there is no way to reverse that one -- you get to go to the carrier and get a new SIM card.
    1122334455667788 likes this.
    11-06-17 04:42 PM
  16. dejanh
    If you have startup protection turned on where you have to enter a password to start your phone then you will see exactly the behavior you describe on boot. Every Android device behaves the same. My S8+ is also the same.
    11-08-17 11:03 PM
