Friday, 27 March 2015

Upcoming Training Events 2015

If you're interested in web and/or mobile security and want to learn some cutting-edge techniques, then we have just the thing!

This April and June we're running two training courses from the Hacker's Handbook series in London. Don't miss out on this opportunity to get hands-on, instructor-led training from the authors.

We've partnered with 44Con to bring the very first Mobile Application Hacker's Handbook Live training this April. The course follows chapters 1-9 of the book (which sold out in under 24 hours!) and has a strong focus on practical attacks. Over the 2-day training course, delivered by lead author Dominic Chell, delegates will learn the tricks and techniques to hack mobile applications on the iOS and Android platforms.

So if you've read the book and want to learn more, or you just want to hack Android and iOS, then sign up today!

Mobile not your thing? Don't worry, we've got you covered! In London this June, we're offering seats on our popular Web Application Hacker's Handbook Live course. The course will be run by Marcus Pinto, co-author of the book, and follows the chapters of the 2nd edition of the Web Application Hacker's Handbook. Not only that, but we're offering 8 hours of self-paced learning with access to the online training materials that you can use to continue your learning at home!

So if you want to know how to get the most out of Burp Suite or pop a SQLi at 30 paces, then sign up today!

Wednesday, 11 March 2015

Apple iOS Hardware Assisted Screenlock Bruteforce

We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge security implications, and naturally it was something we wanted to investigate and validate. For as little as £200 we were able to acquire one of these devices and put it to work.

Although we’re still analyzing the device, it appears to be relatively simple: it simulates PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not surprising and has been known for some time. What is surprising, however, is that this still works even with the “Erase data after 10 attempts” configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, before the attempt has been synchronized to flash memory. As a result, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4-digit PIN.
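The defensive lesson in the paragraph above is one of write ordering: a failed-attempt counter only protects the wipe policy if it is committed to non-volatile storage before the device gives any answer. The following constructed Python model (added here; not code from the post, from the IP Box, or from Apple) simulates a screenlock whose counter write is either committed before the PIN comparison or left pending afterwards, and shows that only the first ordering survives an attacker who cuts power after every miss. The PIN, the 10-attempt threshold and the 40-second per-attempt cost are taken from the post; everything else is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

WIPE_THRESHOLD = 10        # "Erase data after 10 attempts"
SECONDS_PER_ATTEMPT = 40   # per-attempt cost reported in the post


@dataclass
class Flash:
    """Simulated non-volatile store with one uncommitted write slot."""
    committed: int = 0
    pending: Optional[int] = None

    def write(self, value: int) -> None:
        self.pending = value           # staged, not yet durable

    def commit(self) -> None:
        if self.pending is not None:
            self.committed, self.pending = self.pending, None


class ScreenLock:
    def __init__(self, pin: str, commit_before_check: bool):
        self.pin, self.flash, self.wiped = pin, Flash(), False
        self.commit_before_check = commit_before_check

    def _enforce_policy(self) -> None:
        if self.flash.committed >= WIPE_THRESHOLD:
            self.wiped = True

    def try_pin(self, guess: str) -> bool:
        if self.wiped:
            raise RuntimeError("device has been wiped")
        self.flash.write(self.flash.committed + 1)
        if self.commit_before_check:
            self.flash.commit()        # hardened: attempt is durable before any answer
        ok = guess == self.pin
        if ok:
            self.flash.write(0)
            self.flash.commit()
        elif self.commit_before_check:
            self._enforce_policy()
        return ok                      # vulnerable: counter is still pending here

    def settle(self) -> None:
        """Normal operation: the pending write lands shortly after the answer."""
        self.flash.commit()
        self._enforce_policy()

    def power_cut(self) -> None:
        """Power removed right after the answer, then the device boots again."""
        self.flash.pending = None      # uncommitted write is lost
        self._enforce_policy()         # durable counter is re-read at boot


def simulate_bruteforce(lock: ScreenLock, digits: int = 4):
    """(pin or None, attempts used) for an attacker who cuts power after each miss."""
    for n in range(10 ** digits):
        if lock.wiped:
            return None, n
        guess = f"{n:0{digits}d}"
        if lock.try_pin(guess):
            return guess, n + 1
        lock.power_cut()
    return None, 10 ** digits


def worst_case_hours(digits: int, seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    return 10 ** digits * seconds_per_attempt / 3600
```

With the vulnerable ordering the counter never advances past the pending slot, so the full keyspace is searched; with the counter committed first the same attacker triggers the wipe on the tenth miss.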

We tested the attack on an iPhone 5s running iOS 8.1; a video of our results can be found here:

Further research suggests this could be the issue detailed in CVE-2014-4451, but this has yet to be confirmed. We plan to test the same attack on an 8.2 device and will update with our progress. In the meantime, our advice to all is to ensure you have a sufficiently complex password applied to your device rather than a PIN.

Hardware used in the attack is shown below:

The internals of the IP box

The iOS 8 adapter

Inside the iPhone 5s

Success, PIN found!

This blog post was written by Dominic Chell (@domchell).