
Allowing iPhones and iPads into the enterprise can be a popular move by a CIO or CSO, but it doesn’t come without perils.

That was demonstrated this week by researchers at British security consultancy MDSec, who showed how a black box that can be bought for around $378 can defeat the operating system’s protection against someone trying to guess a four-digit passcode.

Ostensibly aimed at the phone repair industry, the IP Box gets around the ‘Erase data after 10 attempts’ setting users can set. It does so by connecting directly to an iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. “As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN,” say the researchers.

They tested an iPhone 5s running iOS 8.1.

The solution is to make sure staff carrying ANY device understand the importance of abandoning four-digit passcodes. (And, of course, they know not to have four-digit passcodes on their office computers, right? …)

As security blogger Graham Cluley notes in this blog, the belief is the IP Box may be exploiting a vulnerability in iOS versions before 8.1.1 known as CVE-2014-4451 to attempt multiple different passcodes. He writes that this has been patched for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

Recent versions of iOS have the ability to disable “Simple passcode” in the Settings section so users can set an advanced password.
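For anyone sizing a passcode policy, the following added example (not from MDSec or the original article) extends the researchers' figure of roughly 40 seconds per attempt to longer passcodes and larger alphabets. It assumes the per-attempt time stays constant for any passcode length or type, which the article does not confirm, and that passcodes are chosen uniformly at random; the function names and the 10-year target are illustrative.

```python
# Added example: worst-case exhaustive-search time at a fixed attempt rate.
SECONDS_PER_ATTEMPT = 40  # "approximately 40 seconds" per PIN entry, per the researchers

# Alphabets a passcode policy might allow (constructed labels, not iOS settings).
ALPHABETS = {
    "digits only": 10,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
}


def worst_case_hours(alphabet_size, length, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Hours needed to try every passcode of exactly `length` symbols."""
    return alphabet_size ** length * seconds_per_attempt / 3600


def min_length(alphabet_size, target_hours, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Smallest length whose worst-case search time reaches `target_hours`."""
    target_seconds = target_hours * 3600
    length = 1
    # Integer arithmetic avoids float rounding at the boundary.
    while alphabet_size ** length * seconds_per_attempt < target_seconds:
        length += 1
    return length


def policy_table(target_hours):
    """Map each alphabet to (minimum length, worst-case hours at that length)."""
    table = {}
    for name, size in ALPHABETS.items():
        n = min_length(size, target_hours)
        table[name] = (n, worst_case_hours(size, n))
    return table


if __name__ == "__main__":
    # Sanity check against the article: a 4-digit PIN should come out near 111 hours.
    print(f"4-digit PIN: {worst_case_hours(10, 4):.0f} hours worst case")
    ten_years = 10 * 365 * 24  # illustrative policy target, in hours
    for name, (n, hours) in policy_table(ten_years).items():
        print(f"{name:20s} min length {n}  (~{hours / 8760:.1f} years worst case)")
```

The expected time to find a random passcode is half the worst case, and human-chosen passcodes (dates, repeated digits) fall well before that, so treat the computed lengths as lower bounds.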


  • Ed

    Howard, thanks for this article. Informative as always and much appreciated. During your research on the article was there any indication of whether the device would also crack longer passcodes but it would just take longer or is that just not possible? Ultimately I’m just trying to guide my user community as to how complex is complex enough. Many thanks again.


  • Tech Guy

    Problem is at the software logic of iOS, the method of delayed writing to flash is the problem here with the intruder lockout system. 4 pin is fine with short account lockouts and properly designed systems! For systems that don’t have account lockout or where the password hashes might get exploited, 12+ characters are now short passwords. Use passphrases on important systems: OnesThatAreEasyToRememberButHardToGuess
