Device that cracks iPhone passcodes sidesteps data auto-delete feature
MDSec got ahold of one of the brute force attack boxes for about £200 (about US$297) to see how it works, and it turns out the device is pretty clever. After trying a bad passcode, it shuts down your iPhone before it gets written to device memory as a fail. Since it never registers as a failed login, the auto-delete process never kicks in.
The auto-delete option is an iPhone feature that wipes all data from your phone after 10 failed login attempts.
An MDSec blog post stated,
Although we're still analyzing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not unsurprising and has been known for some time. What is surprising however is that this still works even with the 'Erase data after 10 attempts' configuration setting enabled.
MDSec successfully tested the device with an iPhone 5s, and plan to try it again with an iPhone running iOS 8.2 to see if recent security updates block this hardware-based attack. The IP Box MDSec tested could be used by criminals to reset stolen iPhones so they can be resold, and government agencies could use it to hack into iPhones to gather information, too.
While the device is concerning in that it works, it isn't something the average person is going to have sitting around, and it involves opening your iPhone to use. Since using the IP Box isn't a trivial process, you shouldn't have to worry about your friends using one to unlock your iPhone so they can post embarrassing photos to your Facebook and Twitter accounts.
It's simple, at least for now, to defeat this passcode cracker by switching from a four-digit passcode to a more complex passcode. You can change your passcode setting by going to Settings > Touch ID & Passcode > Simple Passcode. Disabling Simple Passcode lets you create longer passcodes that include letters as well as numbers, which are much harder to break.
It's possible this device could be updated to tryt brute force attacks on complex passcodes, but the amount of time it would take to break one would increase exponentially. For now, however, it can't—and that's a perfect excuse to use a stronger passcode on your iPhone.