We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screen lock. This obviously has huge security implications and naturally it was something we wanted to investigate and validate. For as little as £200 we were able to acquire one of these devices and put it to work.
Although we're still analyzing the device, it appears to be relatively simple in that it simulates PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not surprising and has been known for some time. What is surprising, however, is that this still works even with the "Erase data after 10 attempts" configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone's power source and aggressively cutting the power after each failed PIN attempt, but before the failed attempt has been synchronized to flash memory. As a result, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.
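To make the race described above concrete, here is an added toy model (not code from the original post, and not tied to any real hardware) of a lock whose failed-attempt counter lives in a constructed "flash" dictionary. The vulnerable ordering reports the wrong-PIN result before the counter write lands, so a power cut at that moment leaves the counter at zero; the hardened ordering commits the counter before revealing any result, so the erase limit holds even under repeated power cuts.

```python
# Added example, not code from the original post: a toy model of the race the
# post describes. "flash" stands in for the phone's durable storage.
WIPE_AFTER = 10  # the "Erase data after 10 attempts" setting

class PowerCut(Exception):
    pass  # power removed before the pending flash write landed

class LockModel:
    def __init__(self, real_pin, commit_counter_first):
        self.real_pin = real_pin
        self.commit_counter_first = commit_counter_first  # True = hardened
        self.flash = {"failed_attempts": 0, "wiped": False}  # durable state

    def _commit(self, cut_power):
        if cut_power:
            raise PowerCut  # flash keeps its previous contents
        self.flash.update(self.ram)

    def try_pin(self, guess, cut_power_after_check=False):
        self.ram = dict(self.flash)  # boot: only durable state survives
        if self.ram["failed_attempts"] >= WIPE_AFTER:
            self.ram["wiped"] = True  # limit reached: erase, refuse further PINs
            self._commit(cut_power=False)
            return False
        if self.commit_counter_first:
            # Hardened: count the attempt durably before revealing any result
            self.ram["failed_attempts"] += 1
            self._commit(cut_power=False)
        ok = guess == self.real_pin
        if ok:
            self.ram["failed_attempts"] = 0
        elif not self.commit_counter_first:
            # Vulnerable: increment is still pending while the wrong-PIN
            # response is already visible, so cutting power now discards it
            self.ram["failed_attempts"] += 1
        self._commit(cut_power=cut_power_after_check and not ok)
        return ok

def brute_force(model, max_guesses=10000):
    """Try 0000.. in order, cutting power after every wrong-PIN response.
    Returns (pin_or_None, pins_evaluated, wiped)."""
    for n in range(max_guesses):
        try:
            ok = model.try_pin(f"{n:04d}", cut_power_after_check=True)
        except PowerCut:
            ok = False  # flash untouched; reboot and continue
        if ok:
            return f"{n:04d}", n + 1, False
        if model.flash["wiped"]:
            return None, n, True  # erased at boot before evaluating guess n
    return None, max_guesses, model.flash["wiped"]
```

Against the vulnerable ordering the loop walks all the way to the PIN with the flash counter still at zero; against the hardened ordering the device erases after the tenth evaluated guess.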
We tested the attack on an iPhone 5s running iOS 8.1; a video of our results can be found here:
Further research suggests this could be the issue detailed in CVE-2014-4451, but this has yet to be confirmed. We plan to test the same attack on an iOS 8.2 device and will update with our progress. In the meantime, our advice to all is to ensure you have a sufficiently complex password applied to your device rather than a PIN.
Hardware used in the attack is shown below:
[Figure: The internals of the IP box]
[Figure: The iOS 8 adapter]
[Figure: Inside the iPhone 5s]
[Figure: Success, PIN found!]
This blog post was written by Dominic Chell (@domchell).