Decoder Able to Undermine iPhone Security

By April 20, 2015
Iphone security

A device currently in circulation enables those who steal iPhones to access the owners’ personal data quite easily. Fortunately you can protect yourself against this risk by beefing up your password.

Researchers at UK company MDSec, which provides online Web Application Security training and technical Security Consulting to clients, have become aware of a device that seems to all the rage among telephone resellers who have acquired the phones in a somewhat dubious manner. For just under €300, MDSec managed to get hold of one of the ingenious devices and has checked out its capabilities. Known as the ‘IP Box’, the device enables you to ‘bruteforce’ any forgotten four-digit password on any iPhone, up to iOS 8, so that you can unlock it. There is of course nothing dramatically new in this, as four-digit codes are well-known to be very insecure. But the cunning trick with the IP Box is that it also allows hackers to get around the additional security option available on the iPhone whereby you can enable the ‘Erase Data’ function to automatically erase all data on your phone after ten failed passcode attempts.

Given enough time, the IP Box can come up with the four-digit code of any iPhone

Unlimited number of tries

All the hacker has to do is plug the IP Box into the USB port of the stolen smartphone. The Box has a light sensor which can tell whether the PIN code that has been entered into the iPhone has been accepted as correct or not, since the screen brightness level of the phone changes when the correct code is entered, but not otherwise. If the screen stays dark, the IP Box deduces that the attempted PIN is not the right one and immediately starts up again. It gets around the ‘Erase Data’ function, even when this is enabled, by connecting directly to the iPhone’s power source and instantly cutting the power after each failed PIN attempt, i.e. before the failed attempt has been synchronised to flash memory. In this way, the forcing tool is able to try out many different combinations until it finally finds the right one. However the procedure is time-consuming, with each PIN entry taking approximately 40 seconds.

Beefing up your password

However, iPhone owners can prevent themselves from falling victim to this scam and ensure that their data remains secure by changing the composition of their password. One of the security options featured on the phone lets you turn off ‘Simple Passcode’ and enter a longer, alphanumeric passcode. According to UK-based developer and vendor of computer security software and hardware Sophos, moving from a four-digit code to five digits increases the potential number of combinations from 10,000 to 100,000 and extends the time needed to test them all out from four and a half days to a month and a half,. With a seven-digit code it will take twelve and a half years. Meanwhile, the most recent iPhones now feature ‘Touch ID’, a system which gets round possible password vulnerabilities by recognising your fingerprint. However, hackers have found a way around this entry protection method as well.  Nevertheless, as with most things, it is much easier to protect yourself against any impending threat when you are aware of it upfront.

Legal mentions © L’Atelier BNP Paribas