Device brute-forces iPhone pin code in less than 17 hours

iPhone owners risk having the device's four-digit PIN cracked if the phone is stolen. A security company has demonstrated that this can be done automatically with a device costing less than $250.

The British security company IT-Governance reports on the IP-Box, which it says can brute-force the four-digit PIN of any iPhone running iOS 8.1 or earlier in less than 17 hours. MDSec, which published a video of the brute-force attack on its website, says the device is mainly sold to iPhone repair shops. Normally iOS permits only 10 passcode attempts, after which the OS wipes all data (the wipe is the optional "Erase Data" setting; without it, iOS imposes increasingly long lockout delays instead). The IP-Box gets around this by cutting the phone's power immediately after each failed attempt, before iOS has written the new failed-attempt count to flash memory. Because the phone never records the failure, it allows an unlimited number of tries. Each attempt takes about 40 seconds. Note that at 40 seconds per attempt, trying all 10,000 four-digit codes would take about 111 hours, not 17; the 17-hour figure is the one reported by IT-Governance, and the expected time for a given PIN depends on where it falls in the search order.
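The flaw the article describes is one of ordering: the passcode is verified first and the failure counter is persisted afterwards, so an attacker who cuts power in between never pays for a wrong guess. The following Python simulation is an added example, not MDSec's or Apple's code and not how iOS is implemented; the `Device`, `Flash`, `PowerCut`, `brute_force` and `exhaustive_search_seconds` names, the 40-second attempt cost and the sample PIN are all assumptions made for the illustration. It runs the same brute-force loop against a device that writes the counter after checking the PIN and against one that writes it before, and reports how many attempts each survives.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed for this example: iOS's real limit is ten attempts, and the wipe
# only happens when the optional "Erase Data" setting is enabled.
MAX_ATTEMPTS = 10


class PowerCut(Exception):
    """Raised when the attacker pulls power during an unlock attempt."""


@dataclass
class Flash:
    """Simulated non-volatile storage: whatever is written here survives a power cut."""
    failed_attempts: int = 0
    wiped: bool = False


class Device:
    """Toy lock screen. commit_counter_first selects the hardened ordering."""

    def __init__(self, pin: str, commit_counter_first: bool) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)
        self.flash = Flash()
        self.commit_counter_first = commit_counter_first

    def _derive(self, pin: str) -> bytes:
        # Low iteration count keeps the simulation fast; a real device binds this
        # derivation to a hardware key so the hash cannot be attacked offline.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100)

    def _check(self, guess: str) -> bool:
        return hmac.compare_digest(self._derive(guess), self.pin_hash)

    def unlock(self, guess: str, attacker_cuts_power: bool = False) -> bool:
        # Decide the wipe from persisted state on every boot, so an interrupted
        # wipe is retried rather than lost.
        if self.flash.failed_attempts >= MAX_ATTEMPTS:
            self.flash.wiped = True
        if self.flash.wiped:
            return False

        if self.commit_counter_first:
            # Hardened ordering: the failure is written to flash *before* the
            # passcode is verified, so cutting power afterwards changes nothing.
            self.flash.failed_attempts += 1
            if self._check(guess):
                self.flash.failed_attempts = 0
                return True
            if self.flash.failed_attempts >= MAX_ATTEMPTS:
                self.flash.wiped = True
            if attacker_cuts_power:
                raise PowerCut  # too late: the counter is already persisted
            return False

        # Vulnerable ordering: verify first, persist the failure afterwards.
        if self._check(guess):
            self.flash.failed_attempts = 0
            return True
        if attacker_cuts_power:
            raise PowerCut  # power is lost before the write below ever happens
        self.flash.failed_attempts += 1
        if self.flash.failed_attempts >= MAX_ATTEMPTS:
            self.flash.wiped = True
        return False


def brute_force(device: Device, seconds_per_attempt: float = 40.0):
    """Try every four-digit code in order, cutting power after each failure.

    Returns (recovered_pin_or_None, attempts_made, simulated_elapsed_seconds).
    """
    attempts = 0
    for n in range(10_000):
        guess = f"{n:04d}"
        attempts += 1
        try:
            if device.unlock(guess, attacker_cuts_power=True):
                return guess, attempts, attempts * seconds_per_attempt
        except PowerCut:
            pass  # "reboot" and move on to the next code
        if device.flash.wiped:
            return None, attempts, attempts * seconds_per_attempt
    return None, attempts, attempts * seconds_per_attempt


def exhaustive_search_seconds(digits: int, seconds_per_attempt: float = 40.0) -> float:
    """Worst-case time to try every numeric passcode of the given length."""
    return (10 ** digits) * seconds_per_attempt


if __name__ == "__main__":
    for hardened in (False, True):
        dev = Device("7432", commit_counter_first=hardened)  # sample PIN, constructed
        pin, tries, secs = brute_force(dev)
        print(f"counter-first={hardened}: pin={pin} attempts={tries} "
              f"hours={secs / 3600:.1f} wiped={dev.flash.wiped}")
    print(f"all 4-digit codes at 40 s each: {exhaustive_search_seconds(4) / 3600:.0f} h")
```

Against the verify-then-persist device the loop recovers the PIN after 7,433 attempts (about 83 simulated hours) and the counter never moves; against the persist-then-verify device it is stopped on the tenth failure. The general lesson is the one Apple's fix embodies: any state that limits retries must be committed to durable storage before the secret is checked, never after.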

According to MDSec, the IP-Box most likely exploits a known iOS vulnerability, CVE-2014-4451, which Apple fixed in iOS 8.1.1. The company is testing whether iOS 8.1.1 and later are indeed no longer vulnerable.

Users who, for whatever reason, cannot install iOS 8.2, released on Tuesday, are advised to use a longer and stronger passcode. This is done by turning off the simple four-digit passcode option in the settings, after which a passcode of up to 100 characters can be set. Even a longer all-numeric code helps against this attack, since every extra digit multiplies the number of codes to try by ten.
