iPhones and iPads vulnerable to brute force attack using £120 IP-Box freely available online
According to British security consultancy MDSec, the IP-Box can crack any 4-digit PIN on an iPhone or iPad, even when the ‘attempts limiter’ anti-brute-force option is enabled.
MDSec, which has been testing the hardware, called the “IP-Box iPhone Password Unlock Tool”, says it is freely available online on sites such as fotofunshop and needs to be used with an adapter, also available on fotofunshop, to crack any PIN on an iPhone or iPad, even one running iOS 8.1.
The IP-Box cracks any 4-digit iPhone/iPad PIN by exploiting a known vulnerability, CVE-2014-4451, in Apple’s operating system up to version 8.1. Apple patched this vulnerability in iOS 8.1.1, released in November 2014, but MDSec says that millions of iPhone/iPad users have still not updated their devices, leaving them vulnerable to the IP-Box brute force attack.
MDSec states on its blog that the IP-Box uses a simple technique, noting “that it simulates the PIN entry over the USB connection and sequentially brute forces every possible PIN combination”.
What sets the IP-Box apart is that it works even when the iPhone/iPad user has enabled the attempt limiter, that is, with the “Erase data after 10 attempts” option turned on.
The company successfully tested the device on an iPhone 5s running iOS 8.1 and has stated that it will be testing the IP-Box on iOS 8.2 in the coming days.
The IP-Box bypasses the attempt limiter by connecting directly to the iPhone/iPad’s power source and “aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronised to flash memory”.
According to MDSec, because of the way the iPhone/iPad works, each attempt can take up to 40 seconds, which means an attacker can crack any four-digit code in up to 111 hours, which it says is longer than Apple’s advertised time of between “6 seconds and 17 hours”.
You can see the PoC video posted by MDSec below:
As noted above, Apple has fixed the vulnerability detailed in CVE-2014-4451, but many users have yet to update their iPhone/iPad/iPod to the patched release. Further, many models, such as the iPhone 4 and the original iPad, cannot be updated to the latest OS and can be exploited easily with the IP-Box.
Apple has yet to issue a statement regarding the IP-Box.
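For anyone responsible for a fleet of devices, the practical question is which units are still below iOS 8.1.1 and which of those can never reach it. The following is an added example, not code from MDSec or Apple: it triages a device inventory using the article's figures (fix in iOS 8.1.1, up to 40 seconds per attempt). The inventory rows, field layout and function names are constructed for illustration, and the figure for PINs longer than four digits assumes the same per-attempt time.

```python
# Added example: triage a device inventory for exposure to the IP-Box attack.
# Figures from the article: fixed in iOS 8.1.1, up to 40 s per PIN attempt.
# The inventory rows and field layout below are constructed for illustration.

FIXED_IN = (8, 1, 1)          # first iOS release with the CVE-2014-4451 fix
SECONDS_PER_ATTEMPT = 40      # worst case per attempt, per MDSec


def parse_version(text):
    """Turn '8.1' or '7.1.2' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def worst_case_hours(pin_digits):
    """Hours to walk the full numeric keyspace at 40 s per attempt (assumed rate)."""
    return (10 ** pin_digits) * SECONDS_PER_ATTEMPT / 3600


def triage(inventory):
    """Return (device, status, hours) rows for devices below the fixed release."""
    findings = []
    for name, ios, max_ios, pin_digits in inventory:
        if parse_version(ios) >= FIXED_IN:
            continue  # already on a patched release
        # If the newest release the hardware supports predates the fix,
        # updating cannot help and the device needs to be retired or isolated.
        status = "update" if parse_version(max_ios) >= FIXED_IN else "cannot-patch"
        findings.append((name, status, round(worst_case_hours(pin_digits), 1)))
    return findings


# Constructed sample: (device, installed iOS, newest supported iOS, PIN length)
SAMPLE = [
    ("phone-01", "8.1", "8.2", 4),
    ("phone-02", "8.1.1", "8.2", 4),
    ("phone-03", "7.1.2", "7.1.2", 4),
    ("tablet-04", "8.0.2", "8.2", 6),
]

if __name__ == "__main__":
    for name, status, hours in triage(SAMPLE):
        print(f"{name}: {status}, full keyspace in <= {hours} h")
```

Comparing versions as integer tuples matters here: a plain string comparison would order "8.10" before "8.2" and misclassify devices.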