Device cracks iPhone PIN code by brute force within 17 hours

iPhone owners run the risk that the four-digit PIN code of their device will be cracked if it is stolen. The attack is fully automated and uses a device that costs less than 240 euros, a security company shows.

The claim comes from British security firm IT Governance. The so-called IP-Box could crack the four-digit PIN code of any iPhone running up to and including iOS 8.1 within seventeen hours. MDSec, the company that posted a video of the brute-force attack on its site, says that the device is mainly used by iPhone repair companies. The operating system has a protection that erases all data after ten failed attempts, but the device cuts the power after each failed attempt, before the attempt can be synchronized to flash memory, which effectively circumvents this protection. The total process takes about 40 seconds per attempt.

According to MDSec, the IP-Box device likely works because of an iOS vulnerability, CVE-2014-4451. This vulnerability has been fixed since iOS 8.1. The company has yet to publish test results showing whether the vulnerability has actually been remedied. For people who for some reason cannot install the iOS 8.2 update released on Tuesday, the solution is to use a much stronger password. This can be done in the settings by turning off the ‘simple code’ option for the access code. After that, a password of up to 100 characters can be entered.