Still using a four-digit passcode to lock your iPhone? You should probably change that to a complex passcode, thanks to a new hardware hack.
The IP Box can, so it’s claimed, brute force its way around any iPhone passcode. To make matters worse, it’s not terribly expensive (£200, or around $385, which is peanuts compared to the cost of just one iPhone) and, according to research undertaken by UK security firm MDSec, it can even bypass the “Erase data after 10 attempts” security setting that you can place on your iPhone to limit this kind of attack. According to MDSec:
Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.
111 hours is a fair amount of testing time, but that’s the upper limit, and it’s feasible that it could take only a few 40-second attempts to find your passcode. As always, if somebody’s got physical access to your computing hardware, all security bets are off.
There’s some indication that the exploit that makes this feasible may be CVE-2014-4451, which Apple patched late last year. If so, you may be safe on a current version of iOS, but MDSec has yet to verify this.
As such, it would make good sense to switch to a more complex passcode by going into Settings > Passcode and changing from “Simple Passcode” to a more complex pattern.
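To see how much a longer or more complex passcode buys at the quoted 40 seconds per attempt, here is the arithmetic behind MDSec's 111-hour figure generalised to other passcode policies. This is an added example, not code from MDSec or the original article; it assumes a uniformly random passcode and a constant attempt time, and the function names and the 30-day / 1% threshold are illustrative choices.

```python
SECONDS_PER_ATTEMPT = 40  # per-attempt time quoted from MDSec above


def keyspace(alphabet_size, length):
    """Number of possible passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_hours(alphabet_size, length, secs=SECONDS_PER_ATTEMPT):
    """Hours needed to try every passcode once."""
    return keyspace(alphabet_size, length) * secs / 3600


def crack_probability(alphabet_size, length, hours, secs=SECONDS_PER_ATTEMPT):
    """Chance that a uniformly random passcode is hit within `hours`.

    Assumption: each guess is distinct and the passcode is chosen uniformly
    at random. Human-chosen PINs are less random, so real odds are worse.
    """
    attempts = int(hours * 3600 // secs)
    return min(1.0, attempts / keyspace(alphabet_size, length))


def min_length(alphabet_size, hours, max_probability, secs=SECONDS_PER_ATTEMPT):
    """Shortest length keeping crack_probability at or below max_probability."""
    attempts = int(hours * 3600 // secs)
    length = 1
    while attempts / keyspace(alphabet_size, length) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed policy list: (label, alphabet size, length).
    policies = [
        ("4-digit PIN", 10, 4),
        ("6-digit PIN", 10, 6),
        ("6-char lowercase+digits", 36, 6),
        ("8-char lowercase+digits", 36, 8),
    ]
    for label, alphabet, length in policies:
        hours = worst_case_hours(alphabet, length)
        day_risk = crack_probability(alphabet, length, 24)
        print(f"{label:26} worst case {hours:>16,.0f} h   "
              f"cracked within 24 h: {day_risk:.4%}")
    # Illustrative target: at most a 1% chance after 30 days of guessing.
    for alphabet in (10, 36):
        print(f"alphabet {alphabet}: need length >= "
              f"{min_length(alphabet, 24 * 30, 0.01)}")
```
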