touch-packages team mailing list archive

[Bug 1363214] [NEW] require 'Enter' key when entering PIN

 

*** This bug is a security vulnerability ***

Public security bug reported:

If I set a PIN on the device, I am prompted to enter it on screen unlock
(great!). Right now, the lockscreen checks the PIN as you type so that
you don't have to press Enter. I guess this was done for usability, but it
is a security issue because an attacker can easily determine the PIN
length, which makes it easier for an attacker to guess the PIN. E.g.,
if I have a 2 digit PIN set, then an attacker need only type '111' and
know that the PIN is only two characters. Now, a PIN isn't strong to
begin with and an automated attack could rather quickly brute force
PINs, but we shouldn't make it easier for someone manually trying to
guess the PIN.

The passphrase lockscreen prompt correctly requires you to press Enter.

I suggest moving the 'X' up to the left of '0' and an Enter symbol to the
right of '0'.

** Affects: unity8 (Ubuntu)
     Importance: High
         Status: New


** Tags: rtm14

** Changed in: unity8 (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity8 in Ubuntu.
https://bugs.launchpad.net/bugs/1363214

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity8/+bug/1363214/+subscriptions
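
The difference between the two prompts described in the report, as an added example that is not unity8 code. It assumes the auto-checking prompt evaluates the entry once it reaches the stored PIN's length; the class and function names are hypothetical.

```javascript
// Simplified model (assumption): the entry is evaluated as soon as it is as
// long as the stored PIN, so the prompt answers without Enter.
class AutoCheckLock {
  constructor(pin) { this.pin = pin; this.buf = ""; }
  press(digit) {
    this.buf += digit;
    if (this.buf.length < this.pin.length) return "pending";
    const ok = this.buf === this.pin;
    this.buf = "";                        // prompt resets after the verdict
    return ok ? "unlocked" : "rejected";  // verdict arrives at pin.length keys
  }
}

// Behaviour requested in the report: nothing is evaluated until Enter.
class EnterLock {
  constructor(pin, maxLen = 16) { this.pin = pin; this.maxLen = maxLen; this.buf = ""; }
  press(digit) {
    // Cap the buffer at a fixed size that does not depend on the stored PIN.
    if (this.buf.length < this.maxLen) this.buf += digit;
    return "pending";
  }
  enter() {
    const ok = this.buf === this.pin;
    this.buf = "";
    return ok ? "unlocked" : "rejected";
  }
}

// Regression check for a lockscreen test suite: press one digit repeatedly and
// return the key count at which the prompt answered without Enter.
// null means no verdict was given, so the PIN length is not observable.
function verdictWithoutEnter(lock, limit = 12) {
  for (let n = 1; n <= limit; n++) {
    if (lock.press("1") !== "pending") return n;
  }
  return null;
}

// Constructed sample PINs.
console.log(verdictWithoutEnter(new AutoCheckLock("42")));      // 2-digit PIN
console.log(verdictWithoutEnter(new AutoCheckLock("483920")));  // 6-digit PIN
console.log(verdictWithoutEnter(new EnterLock("42")));          // Enter required
```
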

