BEST OF THE WEB

This $380 box can break four-digit iOS passcodes

Allowing iPhones and iPads into the enterprise can be a popular move by a CIO or CSO, but it doesn’t come without perils.

That was demonstrated this week by researchers at British security consultancy MDSec, who showed how a black box that can be bought for around $378 can defeat the operating system’s protection against someone trying to guess a four-digit passcode.

Ostensibly aimed at the phone repair repair industry, the IP Box gets around the ‘Erase data after 10 attempts’ setting users can set. It does so by connecting directly to an iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. “As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN,” say the researchers.

They tested an iPhone 5s running iOS 8.1. Here’s a video of their work:

The solution is to make sure staff carrying ANY device understand the importance of abandoning four-digit passcodes. (And, of course, they know not to have four digit passcodes on their office computers, right?… )

As security blogger Graham Cluley notes in this blog, the belief is the IP Box may be exploiting a vulnerability in iOS versions before 8.1.1 known as CVE-2014-4451 to attempt multiple different passcodes. He writes that this has been patched for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Recent versions of iOS have the ability to disable “Simple passcode” in the Settings section so users can set an advanced password.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web