Allowing iPhones and iPads into the enterprise can be a popular move by a CIO or CSO, but it doesn’t come without perils.
That was demonstrated this week by researchers at British security consultancy MDSec, who showed how a black box that can be bought for around $378 can defeat the operating system’s protection against someone trying to guess a four-digit passcode.
Ostensibly aimed at the phone repair repair industry, the IP Box gets around the ‘Erase data after 10 attempts’ setting users can set. It does so by connecting directly to an iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. “As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN,” say the researchers.
They tested an iPhone 5s running iOS 8.1. Here’s a video of their work:
The solution is to make sure staff carrying ANY device understand the importance of abandoning four-digit passcodes. (And, of course, they know not to have four digit passcodes on their office computers, right?… )
As security blogger Graham Cluley notes in this blog, the belief is the IP Box may be exploiting a vulnerability in iOS versions before 8.1.1 known as CVE-2014-4451 to attempt multiple different passcodes. He writes that this has been patched for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.
Recent versions of iOS have the ability to disable “Simple passcode” in the Settings section so users can set an advanced password.