This Box Bruteforces Your iPhone PIN Without Triggering The 10-Guess Limit


A simple PIN might keep your iPhone safe from the prying hands of a curious toddler or a drunk friend. But slap that thing in a robot that exists for no reason but to try every possible PIN one-by-one, and it’ll crack it right open.

These machines have existed for a while, but this one is particularly crazy: if you’ve got your iPhone set to clear all of its data after 10 failed guesses, it’ll try to exploit its way past that.

Note the “try” in that last sentence: while we’re still waiting on confirmation from Apple on this one, there’s a good chance that the trickery at play here only works if you’re on a build of iOS older than iOS 8.1.1 (shipped November 2014). Apple’s notes for 8.1.1 mention patching a bug (CVE-2014-4451) that could circumvent “the maximum number of failed passcode attempts”; it’s not clear if that’s the same bug at play here, though it seems likely.

Here’s the device in use, via MDSec, who was able to obtain the bruteforcer for around $300:

It can be a bit hard to tell what’s going on in the video, so here’s what you’re looking at:

  • On the left is the iPhone, splayed open for direct access to its internals.
  • On the right is the bruteforcing box.
  • The iPhone’s internal battery appears to be disconnected, giving the bruteforce box the ability to cut the iPhone’s power instantly.
  • Each time the device makes a guess, it sends it to the iPhone over USB. (It makes its first guess in the video above at 0:30.)
  • If the guess fails, an optical sensor strapped to the screen recognizes it, and…
  • In a split second, the bruteforce box cuts the power and forces the iPhone to shut down before it can write the failed attempt to memory.
  • The iPhone resets, and the box is free to try again.
  • When the optical sensor detects a successful entry (like the one at 1:53 in the video above), the box stops guessing, logs the correct PIN, and starts beeping to get the attention of whoever was using it.

Because each failed attempt requires a reset, each run takes roughly 44 seconds. If it fails until the very last try on a 4-digit password, that’s 4.5 days of bruteforcing. That’s not exactly Hollywood spy movie speed hackery — but if they’ve outright stolen your phone and really want to see what’s inside, it’s plenty quick.

So, how can you protect your device from this?

  • Update. If this isn’t fixed in iOS 8.1.1 or 8.2 (and it seems likely that it is), you can bet that Apple is rushing to patch this one now that this video is floating around.
  • Use a longer password. As JWZ points out: at 44 seconds per try, a 4-digit PIN takes up to 4 1/2 days to crack. A 7-digit PIN takes up to 12 years.

We’ve reached out to Apple for comment on the status of the exploit at play in the video, but have yet to hear back.