New 'IP Box' tool bypasses 10-try limit for PINs on older iOS versions, automates brute force attack

Posted:
in iPhone edited March 2015
A relatively new $300 device could allow attackers to crack the PIN codes on out-of-date iPhones or iPads, taking advantage of a flaw in iOS versions older than 8.1.1 that allows unlimited attempts at PIN entry, even when users enable Apple's 10-try limit.


The IP Box setup, via MDSec.


The so-called "IP Box" tested by security consultancy MDSec works by entering a PIN over USB, then immediately cutting power to the iOS device before the attempt is recorded. This has the effect of eliminating the 10-try limit, at the expense of significant time lost to iOS device reboots.

MDSec places the time per attempt at nearly 40 seconds. While this long interval may seem likely to discourage brute force attempts in all but a few scenarios, research suggests that more than 25 percent of the population use one of 20 similar PINs, potentially cutting the mean time to crack a PIN down to minutes.

Additionally, such tools are readily available over the internet, with some models costing as little as $175.

As the firm notes, this appears to be an automated method to exploit a flaw described last November in CVE-2014-4451. Apple patched that bug in iOS 8.1.1, but older iOS versions remain vulnerable.

Users running unpatched versions of iOS are advised to move to a more complex passcode to mitigate the danger from similar attacks. This can be done by navigating to Settings → Passcode and turning off "Simple Passcode," which will allow the selection of a longer alphanumeric code.

Comments

  • Reply 1 of 17
    I'm sure law enforcement is salivating at the potential behind this. I wish I had TouchID in my iPad to go to a complex password there.
  • Reply 2 of 17
    This is what some of these folks lives are reduced to? Sad.
  • Reply 3 of 17
    gregqgregq Posts: 62member

    Interesting device, but I thought iOS folks were especially good about keeping their OS updated?

  • Reply 4 of 17
    It's a good thing I don't use a simple PIN anymore.

    Since I use TouchID... I locked my phone with a longer password with letters and numbers instead of a 4-digit code.

    I rarely have to put it in... so it can be much longer and more difficult to guess/crack.

    Oh and I keep my OS updated anyway :)
  • Reply 5 of 17
    gprovidagprovida Posts: 252member
    So if you have a iPhone 4, 3GS, or older than 5 years you need to implement longer than 4 digit PIn under iOS 7. If you have a 4S, 5, 5S, or 6 then update your iOS to latest version. Sounds pretty straight forward and not a
  • Reply 6 of 17
    mac_128mac_128 Posts: 3,454member
    Isn't this only a concern if you lose your older iDevice?

    And in that event cant most pre-iOS 8.1 devices still in use be remote wiped via iCloud?
  • Reply 7 of 17
    foggyhillfoggyhill Posts: 4,767member
    Quote:
    Originally Posted by gprovida View Post



    So if you have a iPhone 4, 3GS, or older than 5 years you need to implement longer than 4 digit PIn under iOS 7. If you have a 4S, 5, 5S, or 6 then update your iOS to latest version. Sounds pretty straight forward and not a

     

    You're right, this is fud again.

     

    You already lost your phone (probably old), you didn't upgrade it, seemingly didn't wipe it, and have some crap pin too.

     

    Hey, you won the bingo... ;-).

     

    If your pin is random, on average they'd need 5000 tries to crack the phone at 40 sec between tries, that's 55h to crack your good 4 digit pin.  Of course, they could crack it by luck in 1h; but they could also crack it after 100h...

     

    I don't see most crooks being that patient. But, if you're worried use a longer Pin, if remembering a long one is a hastle, just add one random digit and duplicate the rest. That alone would make this take 550h+ on average even if they knew your pin was only 5 digit long and knew the other digits were the same  (23 days!). Since they don't know, I'd expect them to not even try if they see the long pin :-).

     

    If you have  a 5S and 6, put a long pin and touch ID and this won't matter even if you do not upgrade.

     

    Phones that can't be upgraded to the latest are Iphone 4 and previous, which are worth about $120 bucks max I think if they're almost as new (which is often not the case). Would criminals crack really spend that much time and tie resources like that for $120 bucks?

     

    Only see this being used on 4S and 5 phones that users have not updated and use a short easy to guess pin. Good thing, there's less and less of these.

  • Reply 8 of 17
    williamhwilliamh Posts: 802member
    Quote:

    Originally Posted by Mac_128 View Post



    And in that event cant most pre-iOS 8.1 devices still in use be remote wiped via iCloud?

    That's true, but law enforcement isn't going to let your old device get network connectivity to prevent you from doing that.  Maybe needless to say, but you can buy special bags that will block radio signals and keep the device from connecting to anything.

  • Reply 9 of 17
    john.bjohn.b Posts: 2,740member
    Quote:
    Originally Posted by gregq View Post

     

    Interesting device, but I thought iOS folks were especially good about keeping their OS updated?


     

    That's only true for the more recent iPhones/iPads.  Older devices that can't run iOS 8 are left in the lurch, because Apple doesn't provide updates to iOS 7.x or earlier.

  • Reply 10 of 17
    nagrommenagromme Posts: 2,834member
    Older devices aren't left in the lurch--they need a longer password if they want greater security.

    PS Does this box require time, money, AND physically dismantling the device while leaving it operational, as seen in the photo?
  • Reply 11 of 17
    Besides, the phones that would have the most desirable info are the 6 and 6 Plus; the ones which are least vulnerable.
  • Reply 12 of 17
    linkmanlinkman Posts: 1,014member
    Quote:
    Originally Posted by foggyhill View Post

     

    Phones that can't be upgraded to the latest are Iphone 4 and previous, which are worth about $120 bucks max I think if they're almost as new (which is often not the case). Would criminals crack really spend that much time and tie resources like that for $120 bucks?


    Note that this crack is only for the main screen lock and is not for the Apple ID. In most circumstances finding the PIN will not enable a thief to remove the activation lock/turn off find my iPhone. A thief that cracks the PIN may also find he/she has wasted a bunch of time and resources only to find that the phone gets bricked a few hours later. It's a bit different if the PIN = Apple ID password though...

     

    I suspect that someone using this crack is looking to snoop or make use of the data/services more than fence it. In many cases they'll crack the PIN only to find they can't remove activation lock (which reduces the value of a stolen phone to almost zero) or get locked out before they can resell it.

  • Reply 13 of 17
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Mac_128 View Post



    Isn't this only a concern if you lose your older iDevice?



    And in that event cant most pre-iOS 8.1 devices still in use be remote wiped via iCloud?



    Hard to use Find my Phone when you're in handcuffs.

  • Reply 14 of 17
    fallenjtfallenjt Posts: 4,034member
    Quote:
    Originally Posted by Michael Scrip View Post



    It's a good thing I don't use a simple PIN anymore.



    Since I use TouchID... I locked my phone with a longer password with letters and numbers instead of a 4-digit code.



    I rarely have to put it in... so it can be much longer and more difficult to guess/crack.



    Oh and I keep my OS updated anyway image

    Same here. With Touch ID, who uses 4-digit PIN anymore? I used complex PIN since 5S and change PIN every 90 days starting from the day Apple Pay went live. 

    Good luck with whoever tries to break in my phone to get data. He ain't get sh.it but a bricked phone. I bet no Android phone user has my kind of confidence....lol

  • Reply 15 of 17
    davendaven Posts: 626member
    Quote:
    Originally Posted by mstone View Post

     



    Hard to use Find my Phone when you're in handcuffs.




    Even if you are in handcuffs, chances are you have at least one friend and you do get a phone call.

     

    A couple of years ago a coworker of mine had his iPhone stolen. The idiot who stole it entered in his appointment with his probation officer into the calendar. Duh, calendars are shared among your devices. The appointment with his probation officer didn't go to well from what I understand.

  • Reply 16 of 17
    coolfactorcoolfactor Posts: 1,832member
    Quote:

    Originally Posted by Wide with Pride View Post



    This is what some of these folks lives are reduced to? Sad.



    That's one way to look at it. The other is that any form of research and development moves technology forward.

  • Reply 17 of 17
    gregqgregq Posts: 62member
    Quote:

    Originally Posted by John.B View Post

     

     

    That's only true for the more recent iPhones/iPads.  Older devices that can't run iOS 8 are left in the lurch, because Apple doesn't provide updates to iOS 7.x or earlier.


    Good point, I forgot about that.

Sign In or Register to comment.