iOS passcode brute-forcing hardware


We recently became aware of a device known as an IP Box that was being used in the phone repair markets to brute-force the iOS screen lock. [...]

What is surprising, however, is that this still works even with the "Erase data after 10 attempts" configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone's power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to brute-force a 4 digit PIN.

4 digits: 4 1/2 days. 5 digits: 45 days. 6 digits: 16 months. 7 digits: 12 years.
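The race the post describes is an ordering bug: the device compares the PIN and shows the result before the new retry count has reached flash, so an attacker who watches the screen and then yanks power never lets the counter move. The model below is an added example, not the IP Box firmware or Apple's code; the PIN values, the `Device`/`Flash` classes and the `count_before_check` switch are constructed for illustration, and the only figure taken from the post is the 40 seconds per attempt. It runs the same brute-force loop against both orderings, the vulnerable compare-then-write one and the write-then-compare one that is standard practice for smart cards, and reproduces the post's time estimate.

```python
"""Model of the PIN-retry race (added example; not the IP Box or iOS implementation).

Two orderings of the same screen-lock logic:
  vulnerable: compare the PIN, show the result, THEN write the new retry count to flash
  hardened:   write the decremented retry count to flash, THEN compare the PIN
The attacker reads the "wrong PIN" result off the screen and cuts power before the
deferred write lands, so in the vulnerable ordering the retry counter never moves.
"""

MAX_ATTEMPTS = 10
SECONDS_PER_ATTEMPT = 40      # per-attempt cost quoted in the post (reboot included)


class Flash:
    """State that survives a power cut. Nothing else on the device does."""
    def __init__(self):
        self.attempts_left = MAX_ATTEMPTS
        self.wiped = False


class Device:
    def __init__(self, pin, count_before_check):
        self._pin = pin                          # constructed sample secret (hypothetical)
        self.count_before_check = count_before_check
        self.flash = Flash()
        self._pending = None                     # retry count not yet written (RAM only)

    def enter_pin(self, guess):
        """Runs until the screen shows a result; returns what the attacker sees."""
        if self.flash.wiped or self.flash.attempts_left <= 0:
            # 0 on flash means a wipe was due but never finished: finish it on boot
            self.flash.wiped = True
            return "wiped"
        if self.count_before_check:
            # hardened: the failed attempt is on flash before the comparison can leak
            self.flash.attempts_left -= 1
            if guess == self._pin:
                self.flash.attempts_left = MAX_ATTEMPTS
                return "unlocked"
            if self.flash.attempts_left <= 0:
                self.flash.wiped = True
                return "wiped"
            return "wrong"
        # vulnerable: compare first, defer the flash write until after the screen updates
        if guess == self._pin:
            self.flash.attempts_left = MAX_ATTEMPTS
            return "unlocked"
        self._pending = self.flash.attempts_left - 1
        return "wrong"

    def idle(self):
        """Normal operation: the deferred write reaches flash and may trigger the wipe."""
        if self._pending is not None:
            self.flash.attempts_left = self._pending
            self._pending = None
            if self.flash.attempts_left <= 0:
                self.flash.wiped = True

    def cut_power(self):
        """The IP Box pulls power: RAM (and the pending write) is lost, flash is untouched."""
        self._pending = None


def brute_force(device, digits, cut_power):
    """Try every PIN in order; return (attempts_made, outcome)."""
    for n in range(10 ** digits):
        seen = device.enter_pin(f"{n:0{digits}d}")
        if seen in ("unlocked", "wiped"):
            return n + 1, seen
        if cut_power:
            device.cut_power()       # attacker reacts to "wrong" before the write lands
        else:
            device.idle()
        if device.flash.wiped:
            return n + 1, "wiped"
    return 10 ** digits, "exhausted"


def worst_case_hours(digits, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Time to exhaust the whole keyspace at the quoted per-attempt cost."""
    return 10 ** digits * seconds_per_attempt / 3600


if __name__ == "__main__":
    for hardened in (False, True):
        for cut in (False, True):
            dev = Device("7391", count_before_check=hardened)
            print(f"count_before_check={hardened} cut_power={cut}: "
                  f"{brute_force(dev, 4, cut)}")
    for d in (4, 5, 6, 7):
        print(f"{d} digits: {worst_case_hours(d) / 24:.1f} days")
```

With the vulnerable ordering and power cuts, the loop walks through all 7392 guesses and unlocks with the counter still at 10; every other combination wipes on the tenth wrong guess. Moving the decrement ahead of the comparison is the whole fix: the attacker cannot obtain the "wrong" signal without the decremented count already being persisted, and a boot-time check that treats a count of 0 as "wipe now" closes the window between writing 0 and performing the wipe.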



9 Responses:

  1. Otto says:

    Sadly, they could probably optimize that.

    • Aaron says:

      I wonder; the limiting factor is probably the length of the boot process.

      • Laura Rubin says:

        I mean, you start with the list of most-frequently-used PINs and go from there.

        • spoonyfork says:

          "Okay don't panic! Alright? Stop panicking! I can still stop this. Ahh. Oh there's a password. It's fine. I'll just hack it. Not a problem... umm..."
          "A...A...A...A...A... Umm... A."
          [BUZZER NOISE]
          "Nope. Okay. A... A... A... A... A... C."
          [BUZZER NOISE]
          "No. Wait, did I do B? Do you have a pen? Start writing these down."

        • Jackson Bloomston says:

          That's the first thing I thought too. Clearly this is proof of concept, without obvious optimizations like that.

          • Laura Rubin says:

            "Used in phone repair markets" sounds to me like some poor sap is stuck using it for real.

  2. ABC says:

    Surely the answer is to commit the attempt to flash prior to checking if it's right.

    • Bastiaan says:

      Yes, this kind of attack on PIN validation has been known for ages for smart cards.
      Standard practice is to decrement nr_of_attempts_left before checking, and reset to MAX_ATTEMPTS on success.
