back to article Brute force box lets researchers, Cops, pop iDevice locks

Apple fans have more reason to update to iOS 8.2 with the discovery of a device used in the computer repair industry that automates password exploitation. The IP-Box tool exploits CVE-2014-4451 to conduct unlimited password guesses against iOS devices on 8.1 and below for iPhones and iPads. A barrage of PINs are entered by …

  1. malfeasance

    So just switch to a strong password that's just numbers?

    I've never understood why people go for a simple "PIN" unlock when it's just easy to have a strong password that's just numbers.

    You still get a number pad; but there's no restriction on length. It's just as easy to use as the PIN unlock.

    It can still be 4 characters if you want (but the 17hour brute force means you should reconsider that).

    1. phil dude
      Boffin

      Re: So just switch to a strong password that's just numbers?

      I believe Android offers pin, pattern and password as options.

      Perhaps ethernet style exponential back off is required. Get past 4 passwords wait a day?

      P.

      1. malfeasance

        @Phildude Re: So just switch to a strong password that's just numbers?

        iOS devices only mentioned. But if we were to consider Android; if I enable "a passphrase" and I only use a numeric password; what does it present you with. If it's a full keyboard, then in this regard, iOS has it "correct for my usage model" (got fat fingers see, and a numeric keypad is better for that...).

        Also, the article mentions that the brute force flaw bypasses the rate limiting and wipe device settings; I have my iPhone set to "wipe" after 10 attempts... By the time I got to the 7th or 8th failed attempt I was waiting ~2hrs for the next attempt (I tested this myself); so the back off delay you mention is already there and has been bypassed through use of this flaw.

  2. knarf

    Just Wait

    There is will 100s of these sold / created and Apple will just do a small fix and render all of them useless, if the cops the create these than so can crooks

    1. chivo243 Silver badge

      Re: Just Wait

      How about if the cops can create this, the crooks already have! You have it a bit bassackwards.

      No need to thank me...

      1. SolidSquid

        Re: Just Wait

        And sold the device to the cops when they realised there was more money in it?

  3. Doctor_Wibble

    Just keep nothing important on it

    If device security is easy to crack, then don't use it for storing anything important or valuable and especially not anything where you only have the one copy.

    It does not seem wise to compound this by relying on a desirable and very stealable device which by its very nature is frequently waved around in public.

    Stone tablets for archives, if you need portability, copy the information to some scrolls. If you want to take your music with you, hire a travelling orchestra. As an added benefit this practical old-tech approach can lead to (nearly) full employment and the logistics of stone tablets will mean it's harder to offshore the work. It's all good and I don't know why anyone could possibly object.

  4. frank ly

    "... evidentiary purposes ..."

    Is that a constructionary error or is it a valid word?

    1. nematoad Silver badge
      Headmaster

      Re: "... evidentiary purposes ..."

      "Is that a constructionary error or is it a valid word?"

      To be pedantic it is a valid phrase, as it consists of more than one word.

      To answer your question it is valid. It is a legal term, and seems to be one favoured in the USA though it is used elsewhere.

      Here's a definition from The Free Dictionary

      evidentiary

      Also found in: Legal.

      ev·i·den·tia·ry

      (ĕv′ĭ-dĕn′shə-rē, -shē-ĕr′ē)

      adj. Law

      1. Relating to, providing, or constituting evidence: evidentiary rules.

      2. Conducted for the presentation or determination of evidence: an evidentiary hearing.

      So evidentiary purposes anything for the purpose of gathering evidence.

    2. Anonymous Coward
      Anonymous Coward

      Re: "... evidentiary purposes ..."

      It is evidently a real word ..... google is your friend and quicker than asking :=)

      Legalese is full of words that do not seem right but are correct english.

      Designed to confuse and confound those outside the legal 'secret circle'.

    3. Anonymous Coward
      Anonymous Coward

      Re: "... evidentiary purposes ..."

      Haha, "constructionary".

  5. David Roberts

    PIN over USB?

    Claiming no knowledge of the ability to do this on Android or Windoes phones, but....

    ...the central part of this hack is the automation of authentication over USB.

    Stop this and you go back to wearing your fingers out.

    If the phone won't talk to the computer if the screen is locked then it must be a bit more secure.

    1. Dazed and Confused

      Re: PIN over USB?

      It would be trivial to have electronic fingers that fooled the touch screen circuits.

      1. sqlrob

        Re: PIN over USB?

        But that would be a lot slower.

        1. Black Betty

          Re: PIN over USB?

          At 6 seconds per attempt, a PIN punching bot is very doable. Seems Apple has already speed limited the rate at which PIN's can be entered EVEN WHEN BYPASSING the usual interface.

          1. YetAnotherLocksmith Bronze badge

            Re: PIN over USB?

            Not really - the 6 second delay is while the iPhone comes back to life.

            The actual rate limiting is far more aggressive after a few attempts, making you wait ages, but cunningly cutting the power makes the phone forget the previous attempt.

            Blackberry is secure against this attack - my old one took 5 minutes to boot!

    2. Dan 55 Silver badge

      Re: PIN over USB?

      I can get past my Android phone's lock screen with a USB keyboard too.

      What's wrong is the iPhone is not immediately recording the failed PIN entry attempt to memory. Instead there's a slight pause before it does it and the box cuts the power in that pause, turns the power back on again, waits for the phone to start, and then tries the next PIN.

  6. JeffyPoooh Silver badge
    Pint

    Duh...

    The right handed L-shaped 7-8-5-2. Used by about 85%.

    If not that, then look at the smudges on the screen.

  7. Roland6 Silver badge

    17 hours is still a significant hurdle...

    So with a little equipment and patience the pin can be cracked in under 17 hours...

    What I find myself asking, who is going to invest this amount of time in cracking a 'hot' device? That could potentially be remotely disabled during this process and hence render the whole escapade worthless.

    1. Blane Bramble

      Re: 17 hours is still a significant hurdle...

      1. Place phone in Faraday cage

      2. Crack password (max time 17h, therefore probably less).

      3. Play Candy Crush

    2. Anonymous Coward
      Anonymous Coward

      Re: 17 hours is still a significant hurdle...

      Not so much of a hurdle. As others have said, MAX is 17hours so average is more like 8.5 hours.

      Lift phone from unsuspecting person (one who is, to quote private eye, "tired and emotional" - i.e. hammered) on their way home. Even if they realise the phone is missing they will assume they left it in the pub and will call them in the morning to check (no remote wipe reflex yet).

      By the time they wake up (more than 8 hours after the swipe) it's too late. Let's be honest, most people wouldn't even initiate a remote wipe until more than 17 hours anyway.

  8. Roland6 Silver badge

    Just how secure do we want our devices to be?

    I ask this question as in the last few days, I've had to deal with several Windows laptop/workstation systems where access has been locked down and the Admin passwords lost/forgotten - Hirens BootCD (in CD form) has seen a lot of use...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019