This Black Box Can Brute Force Crack iPhone PIN Passcodes

If you don’t have time to read this whole blog post, do one thing for me okay?

Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.

Done that? Good. Now go and watch some cat videos on YouTube.

For the rest of you who are still with me, check out this fascinating blog post by British security consultancy firm MDSec.

The team at MDSec has highlighted the availability for purchase of a hardware tool, called IP Box, that can brute force crack the four digit password that most users have protecting their iPhones.

Which means that if you wanted to break into someone else’s iPhone—maybe because you’re a law-enforcement agency, or a jealous partner—you could have the tools in your hand for less than £200.

As the advertising blurb I read on one sales site describes, “Simply attach the device to the iPhone or iPad and it will give you the code within 6 seconds to 17 hours. You will then have full access to your iPhone/iPad and all user data remains intact.”

Here’s a YouTube video (which gets interesting from about 30 seconds in, despite the lack of cats) demonstrating the hardware brute force attack in action, guessing the PIN code of an iPhone:

The device automates the tedious manual process of sequentially entering every passcode from 0000 to 9999, utilizing a USB connection and a light sensor to tell when the device has been successfully unlocked.

What is interesting is that the MDSec researchers claim the IP Box tool now works even if the iPhone or iPad’s owner has had the foresight to enable the “Erase Data After Ten Failed Passcode Attempts” security setting. It does so by directly cutting off the iOS device’s power supply.

Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

The researchers speculate that this may be exploiting a vulnerability known as CVE-2014-4451 to attempt multiple different passcodes.

That vulnerability, found last year by Stuart Ryan of University of Technology, Sydney, meant that iOS would not notice an incorrect PIN had been entered if the home button and power button were pressed almost immediately after a failed entry, so the phone did not remember—and thus did not increment—the number of failed attempts.

CVE-2014-4451 was patched by Apple last year, so if you are running the latest version of iOS you will hopefully be safe—although the researchers still have to confirm that is the case.

Nonetheless, you should take this as a wake-up call. A four-digit PIN code is never going to be as strong at protecting your iPhone or iPad as a longer, hard-to-guess password.
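To put numbers on that advice, here is an added example (not from the original post or from MDSec) that sizes passcode policies against the roughly 40 seconds per attempt quoted above and finds the shortest length that resists a full search for a chosen period. The sample policies and the ten-year target are constructed assumptions, and the model assumes uniformly random passcodes and a constant attempt rate.

```python
SECONDS_PER_ATTEMPT = 40  # per-attempt figure quoted on this page

# Constructed sample policies: (label, alphabet size, passcode length)
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("6-char lowercase + digits", 36, 6),
    ("8-char mixed case + digits", 62, 8),
]

def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passcodes of exactly this length."""
    return alphabet ** length

def worst_case_hours(alphabet: int, length: int, secs: float = SECONDS_PER_ATTEMPT) -> float:
    """Time to try every passcode in the keyspace."""
    return keyspace(alphabet, length) * secs / 3600

def average_hours(alphabet: int, length: int, secs: float = SECONDS_PER_ATTEMPT) -> float:
    """Expected time for a uniformly random passcode: (N + 1) / 2 attempts."""
    return (keyspace(alphabet, length) + 1) / 2 * secs / 3600

def min_length(alphabet: int, target_hours: float, secs: float = SECONDS_PER_ATTEMPT) -> int:
    """Shortest length whose average search time meets the target."""
    length = 1
    while average_hours(alphabet, length, secs) < target_hours:
        length += 1
    return length

def humanize(hours: float) -> str:
    """Render a duration in the largest sensible unit."""
    if hours < 24 * 7:
        return f"{hours:.0f} hours"
    if hours < 24 * 365:
        return f"{hours / 24:.0f} days"
    return f"{hours / (24 * 365):,.0f} years"

if __name__ == "__main__":
    for label, alphabet, length in POLICIES:
        print(f"{label:28} worst case {humanize(worst_case_hours(alphabet, length)):>22}"
              f"  average {humanize(average_hours(alphabet, length)):>22}")
    ten_years = 10 * 365 * 24  # constructed target, in hours
    for name, alphabet in (("digits", 10), ("lowercase + digits", 36), ("mixed case + digits", 62)):
        print(f"{name}: at least {min_length(alphabet, ten_years)} characters for a 10-year average")
```

Human-chosen codes are not uniformly random, so treat these figures as upper bounds on how long a passcode holds out.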

Go to your passcode settings on your iOS device, and make sure that “Simple passcode” is disabled and set yourself an advanced password.

It’s your choice whether you choose to set “Require password” to “Immediately,” but obviously that is the most secure option.

With that done, you can now relax and join those other folks watching cat videos.


About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.