
This Black Box Can Brute Force Crack iPhone PIN Passcodes

Posted on March 16th, 2015 by

If you don't have time to read this whole blog post, do one thing for me okay?

Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.

Done that? Good. Now go and watch some cat videos on YouTube.

For the rest of you who are still with me, check out this fascinating blog post by British security consultancy firm MDSec.

The team at MDSec has highlighted the availability for purchase of a hardware tool, called IP Box, that can brute force crack the four digit password that most users have protecting their iPhones.

Which means that if you wanted to break into someone else's iPhone—maybe because you're a law-enforcement agency, or a jealous partner—you could have the tools in your hand for less than £200.

As the advertising blurb I read on one sales site describes, "Simply attach the device to the iPhone or iPad and it will give you the code within 6 seconds to 17 hours. You will then have full access to your iPhone / iPad and all user data remains intact."

Here's a YouTube video (which gets interesting from about 30 seconds in, despite the lack of cats) demonstrating the hardware brute force attack in action, guessing the PIN code of an iPhone:

The device automates the tedious manual process of sequentially entering every passcode from 0000 to 9999, utilising a USB connection and a light sensor to tell when the device has been successfully unlocked.

What is interesting is that the MDSec researchers claim that the IP Box tool now works even if the iPhone or iPad's owner has had the foresight to enable the "Erase Data After Ten Failed Passcode Attempts" security setting, by directly cutting off the iOS device's power supply.

Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.
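To make the race MDSec describes concrete, here is an added toy model (not code from the article, MDSec or Apple) of a failed-attempt counter kept in the naive verify-then-persist order, beside one that commits the attempt to storage before verifying; the "power cut" simply discards any write scheduled after the verdict. The names `Device`, `sweep` and `worst_case_hours` are invented for the illustration, and the 40 s per attempt and ~111 h figures are the ones quoted above.

```python
WIPE_AFTER = 10  # the "Erase Data After Ten Failed Passcode Attempts" setting

class Device:
    """Toy lock: a 4-digit PIN plus a failed-attempt counter that only
    counts once it has been written to 'flash' (self.flash_failed)."""
    def __init__(self, pin, commit_before_verify):
        self.pin = pin
        self.commit_before_verify = commit_before_verify
        self.flash_failed = 0   # value that actually reached storage
        self.wiped = False

    def try_pin(self, guess, power_cut):
        """power_cut=True models cutting power right after the verdict, so a
        counter update scheduled *after* verification never reaches flash."""
        if self.wiped:
            return False
        if self.commit_before_verify:
            # Hardened order: the attempt is persisted (synchronously, by
            # assumption) before the PIN is even compared.
            self.flash_failed += 1
            if guess == self.pin:
                self.flash_failed = 0
                return True
            if self.flash_failed >= WIPE_AFTER:
                self.wiped = True
            return False
        # Naive order: verify first, write the counter afterwards.
        if guess == self.pin:
            self.flash_failed = 0
            return True
        if not power_cut:   # this is the write the power cut skips
            self.flash_failed += 1
            if self.flash_failed >= WIPE_AFTER:
                self.wiped = True
        return False

def sweep(device, power_cut):
    """Sequential 0000..9999 guessing like the box; returns (pin or None, attempts)."""
    for n in range(10000):
        guess = f"{n:04d}"
        if device.try_pin(guess, power_cut):
            return guess, n + 1
        if device.wiped:
            return None, n + 1
    return None, 10000

def worst_case_hours(space, seconds_per_attempt):
    """Exhaustive-search time; 10000 PINs at 40 s each is the post's ~111 h."""
    return space * seconds_per_attempt / 3600

if __name__ == "__main__":
    print(sweep(Device("4321", commit_before_verify=False), power_cut=True))
    print(sweep(Device("4321", commit_before_verify=True), power_cut=True))
    print(round(worst_case_hours(10**4, 40), 1), "h for a 4-digit PIN")
```

With the naive order and a power cut after every guess the counter never moves and the sweep reaches the PIN; with the commit-first order the tenth wrong guess wipes the device regardless of the power cut.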

The researchers speculate that this may be exploiting a vulnerability known as CVE-2014-4451 to attempt multiple different passcodes.

That vulnerability, found last year by Stuart Ryan of the University of Technology, Sydney, meant that iOS would not register that an incorrect PIN had been entered if the home button and power button were pressed almost immediately after a failed entry, so the phone never remembered—and thus never incremented—the number of failed attempts.

CVE-2014-4451 was patched by Apple last year, so if you are running the latest version of iOS you will hopefully be safe—although the researchers still have to confirm that is the case.

Nonetheless, you should take this as a wake-up call. A four digit PIN code is never going to be as strong at protecting your iPhone or iPad as a longer, hard-to-guess password.

Go to your passcode settings on your iOS device, and make sure that "Simple passcode" is disabled and set yourself an advanced password.

It's your choice whether you choose to set "Require password" to "Immediately," but obviously that is the most secure option.

With that done, you can now relax and join those other folks watching cat videos.


About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • ShaunTheSheep

"Set yourself an advanced password." And get used to typing it 50 times a day.

Or Apple can fix their bugs and implement 4 digit PINs with incremental timeouts that turn guessing a 4 digit password into something that takes 200 years.

    • Graham Cluley

      Or set an advanced password, and enable Touch ID.

      For those who don’t have Touch ID, here’s an easy way to have a long hard-to-crack password on your iPhone that is surprisingly easy to remember:

    • The Wockman

Incremental timeouts after entering each PIN may also be bypassed by resetting the device after each attempt. Personally, I think it would be beneficial to introduce a short but mandatory timeout after entering each digit of a PIN.

      I don’t know how each PIN is protected in iOS, however, it would be interesting if each digit were – on-input – salt+hashed after being combined with the previous character in some way for storage (e.g. a random digit salt equating to an iteration count for a digit-hash being used as a ‘timeout’ that ‘must’ be observed).

Perhaps online passwords could be handled similarly with a new password control for web forms… i.e. each character is sent to a server, then hashed + salted & combined with a previous character before eventually being written and then allowing the next character to be typed in. The longer your password gets, the more processing is required to hash it and by proxy – it should take longer to brute force crack it…

      • ShaunTheSheep

Is there a reason an incremental timeout cannot be implemented in a way that defeats restarting the device to get around it?

    • Coyote

Well, Apple should fix bugs in any case, like all software vendors (you’d especially hope a for-profit vendor would actually do this, but can’t expect it all, I suppose). But still, a longer/more sophisticated passcode is more secure than a 4 digit (or 4 character, full stop) passcode[1], regardless of how it might be slowed down or otherwise stopped (example: among other defences, a network might rate limit certain behaviour from clients, and then at some point block everything from them for some time, making the initial scans take a lot longer; that they can work is due to timing and other methods to evade the protections – and it still can be done). Not suggesting that is realistic with a phone (and of course a phone doesn’t have as fast a processor as a computer, especially computers of today, which is indeed relevant) and I certainly do not know the implementation of the iPhone features – just pointing out that security is always a balancing act of what is convenient (or too inconvenient) and what is safe. But see 1, because it doesn’t take much work to make a more advanced password than a 4 digit sequence (how extreme you go is up to you, right?).

[1] A more advanced password than a 4 character one (especially if all the same character class, like digits) doesn’t have to be too difficult to type, either (for that matter, it doesn’t have to be more than 4 characters if you’re set on that amount). Using more than one character class – alphanumerical (upper/lower case for letters) and special characters, for example – gives more combinations and critically it also takes away the more efficient iteration of just digits (still, yes, Apple should fix the problem, but I would think that applies to all problems. But what do I know? It isn’t up to me to fix their problems.)

  • Steve Greenham

    According to the article Apple have fixed the code so it’s only old phones without fingerprint scanner and old versions of iOS that are vulnerable. If you normally use the fingerprint it is no hardship to have a more complex password. If you don’t keep iOS up to date you are unlikely to take this advice either.

  • David L

Apple has a bigger issue that was only partially addressed in their last update. This vuln can replace legitimate apps with a fake one that can then cause all kinds of trouble and even take complete control, all without the user's knowledge. Apple is always secretive and dismissive about their own vulnerabilities. Here is the research for those who want the truth.

  • spencer

Does this work when the iPhone is iCloud locked?

  • Jeff hammer

    I need one

  • SuMtOnE

Guess I'm sticking with my fingerprint.

  • CheG

All versions of iPhone, or a specific version?