Now Would Be A Good Time To Change Your iPhone's Passcode

Still using a four digit passcode to lock your iPhone? You should probably change that to a complex passcode, thanks to a new hardware hack.

The IP Box can, so it's claimed, brute force its way around any iPhone passcode. To make matters worse, it's not terribly expensive (£200, or around $385, which is peanuts compared to the cost of just one iPhone) and, according to research undertaken by UK security firm MDSec, it can even bypass the "Erase data after 10 attempts" security setting that you can place on your iPhone to limit this kind of attack. According to MDSec:

Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

111 hours is a fair amount of testing time, but that's the upper limit, and it's feasible that it could only take a few 40 second attempts to lure out your passcode. As always, if somebody's got physical access to your computing hardware, all security bets are off.

There's some indication that the exploit that makes this feasible may be CVE-2014-4451, which was patched by Apple late last year, meaning that if you're on a current version of iOS, you may be safe, but they're yet to verify this.

As such, it would make good sense to switch to a more complex passcode by going into Settings>Passcode and changing from "Simple Passcode" to a more complex pattern.

This Black Box Can Brute Force Crack iPhone PIN Passcodes [Intego]


Comments

    Headline is a little fear mongering. I mean, not only do you have to lose/have your phone stolen in the first place, but the person who ends up with it has to have access to this gear, and goes by the assumption that you didn't remote wipe your phone when you lost it.

    As the discoverer of CVE-2014-4451 (which believe me I wish I hadn't as I knew the impact it would have), from everything I can see that they are doing I am 100% sure that it is exploiting that bug which was patched in 8.1.1.

    The thing that frustrates me, is any iDevice that is incapable of upgrading to iOS 8+ is still exposed as Apple does not release patches for older iOS versions.

    With the help of some twitter followers we tested (and found) the bug as far back as at least iOS 6 (but did not have any earlier devices to test on).

    Definitely a wise idea to have a password that contains more than just digits (something complex, albeit longer to type, would be far more secure for older devices).

Join the discussion!

Trending Stories Right Now