Brute force box lets researchers, cops, pop iDevice locks
Passwords gone in 17 hours unless you upgrade to iOS 8.2
Apple fans have more reason to update to iOS 8.2 with the discovery of a device used in the computer repair industry that automates password exploitation.
The IP-Box tool exploits CVE-2014-4451 to conduct unlimited password guesses against iPhones and iPads running iOS 8.1 and below.
A barrage of PINs is entered by resetting the phone, which thanks to the since-patched vulnerability bypasses Cupertino's rate-limiters and the settings that nuke personal data after a set amount of failed attempts.
MDSec researcher Dominic Chell brought attention to the tool after breaking into his iPhone 5s after 10 attempts.
"This obviously has huge security implications and naturally it was something we wanted to investigate and validate," Chell says.
"Although we’re still analysing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially brute-forces every possible PIN combination."
Attacks against four-digit PINs take a maximum of 17 hours with each attempt taking about six seconds to complete. The total time could be reduced by prioritising the most likely passwords a target user may pick, or by selecting a pre-defined option to test date of birth combinations.
The unit uses a light sensor held to the front screen of an iThing to detect when it unlocks, signalling that the correct password has been entered.
Detective Cindy Murphy of the Madison, Wisconsin, Police Department, one of many outfits to use the device (in this case to crack phones for "evidentiary purposes"), says iOS versions up to 8.1.2 could be bypassed at a slower rate using a tweak that resets iDevices after four attempts; however, this required that the device battery be exposed.
Chell says he will test the unit on updated iDevices on the newly-released iOS version 8.2. ®