This Black Box Can Brute Force Crack iPhone PIN Passcodes



If you don't have time to read this whole blog post, do one thing for me okay?

Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.

Done that? Good. Now go and watch some cat videos on YouTube.

For the rest of you who are still with me, check out this fascinating blog post by British security consultancy firm MDSec.

The team at MDSec has highlighted the availability for purchase of a hardware tool, called IP Box, that can brute force crack the four digit password that most users have protecting their iPhones.

Which means that if you wanted to break into someone else's iPhone—maybe because you're a law-enforcement agency, or a jealous partner—you could have the tools in your hand for less than £200.

As the advertising blurb I read on one sales site describes, "Simply attach the device to the iPhone or iPad and it will give you the code within 6 seconds to 17 hours. You will then have full access to your iPhone / iPad and all user data remains intact."

Here's a YouTube video (which gets interesting from about 30 seconds in, despite the lack of cats) demonstrating the hardware brute force attack in action, guessing the PIN code of an iPhone:

The device automates the tedious manual process of sequentially entering every passcode from 0000 to 9999, utilising a USB connection and a light sensor to tell when the device has been successfully unlocked.

What is interesting is that the MDSec researchers claim that the IP Box tool now works even if the iPhone or iPad's owner has had the foresight to enable the "Erase Data After Ten Failed Passcode Attempts" security setting, by directly cutting off the iOS device's power supply.

Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

The researchers speculate that this may be exploiting a vulnerability known as CVE-2014-4451 to attempt multiple different passcodes.

That vulnerability, found last year by Stuart Ryan of University of Technology, Sydney, meant that iOS would not notice there had been incorrect PIN entered if the home button and power button were pressed almost immediately after a failed entry, not allowing the phone to remember—and thus not increment—the number of failed attempts.

CVE-2014-4451 was patched by Apple last year, so if you are running the latest version of iOS you will hopefully be safe—although the researchers still have to confirm that is the case.

Nonetheless, you should take this as a wake-up call. A four digit PIN code is never going to be as strong at protecting your iPhone or iPad as a longer, hard-to-guess password.

Go to your passcode settings on your iOS device, and make sure that "Simple passcode" is disabled and set yourself an advanced password.

It's your choice whether you choose to set "Require password" to "Immediately," but obviously that is the most secure option.

With that done, you can now relax and join those other folks watching cat videos.

Further Reading: