Devices that break into iPhones by brute-forcing passwords have been around since the iPhone was released, and iOS engineers have developed countermeasures in response. The latest is a nuclear option that wipes the phone's data if the wrong password is entered 10 times. But this clever (and insidious) $300 black-market IP Box has beaten that system by plugging directly into the phone, according to a post by security consultancy firm MDSec.
The MDSec tinkerers believe that the IP Box gets around the auto-wipe by plugging into the Lightning charging port and, when a password guess fails, instantly rebooting the phone before it can save that failed attempt to its flash memory. Perpetual rebooting extends the time it takes to find the right password to about 111 hours, but a wiped phone is far less useful to a potential hacker than one with user data intact. Below is the firm’s demonstration of the IP Box in action:
MDSec used the IP Box to successfully crack phones running Apple iOS 8.1, and the firm will attempt to repeat the break-in on a phone running the latest iOS, 8.2, which was released weeks ago. MDSec theorizes that this method could be an automated exploit of a known issue, CVE-2014-4451, which was made public in November 2014 and fixed in iOS 8.1.1, according to AppleInsider.
Anyone looking for extra security beyond the four-digit iOS standard can switch to a longer alphanumeric code by going into the iPhone’s Settings -> Password and turning off “Simple Passcode,” says AppleInsider.