Friday, March 20, 2015

IP Box Unlocks iPhone By Brute Force

MDSec (via John Gruber):

Although we’re still analyzing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not unsurprising and has been known for some time. What is surprising however is that this still works even with the “Erase data after 10 attempts” configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

Another reason not to use a 4-digit PIN. I’m trying to figure out the implications for 1Password. It stores your master password in the iOS keychain but tries to remove it from the keychain when you reboot your device. However, it sounds like the latter is enforced by the application itself rather than the system. So if you could arrange for 1Password to quit or crash before the device restarts, the (obfuscated) master password would still be in the keychain. After unlocking the device, you could jailbreak it, which would then allow 1Password’s section of the keychain to be accessed by a nefarious app.
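The quoted MDSec paragraph describes a race: the phone reports the PIN result before the failed-attempt counter reaches flash, so cutting power in that window leaves the counter untouched. The model below is an added example written for this page, not MDSec's or Apple's code; the device class, the 40-second timing, the commit-before-verify ordering used as the hardened variant, and the sample PIN are all constructed assumptions for illustration (the real iPhone's internal ordering is not public).

```python
"""Simulation of the power-cut bypass of "Erase data after 10 attempts".

Constructed model for illustration: not MDSec's or Apple's code, and the
timings and ordering are assumptions, not a description of the real device.
"""
import itertools


class DeviceWiped(RuntimeError):
    """Raised when the erase-after-N policy fires."""


class Device:
    """Minimal PIN-locked device with an erase-after-N failed attempts policy.

    failed_in_flash is the persisted counter. In the vulnerable ordering the
    device verifies the guess first and writes the counter back afterwards,
    so a power cut inside that window loses the increment. In the hardened
    ordering (assumed mitigation: commit-before-verify) the increment is
    persisted before the guess is evaluated and rolled back only on success.
    """

    def __init__(self, pin, max_attempts=10, commit_before_verify=False):
        self._pin = pin
        self.max_attempts = max_attempts
        self.commit_before_verify = commit_before_verify
        self.failed_in_flash = 0
        self.erased = False

    def try_pin(self, guess, power_cut_before_commit):
        """Return True if unlocked, False if wrong; raise DeviceWiped on erase.

        power_cut_before_commit models the IP Box cutting power after the
        wrong-PIN result is observable but before the counter is written.
        """
        # Boot-time enforcement: a counter already at the limit wipes the device,
        # so cutting power before the wipe itself buys the attacker nothing.
        if self.erased or self.failed_in_flash >= self.max_attempts:
            self.erased = True
            raise DeviceWiped("device wiped")

        if self.commit_before_verify:
            self.failed_in_flash += 1          # persisted before the result exists
            if guess == self._pin:
                self.failed_in_flash = 0       # roll back only on success
                return True
            if self.failed_in_flash >= self.max_attempts:
                self.erased = True
                raise DeviceWiped("device wiped")
            return False                       # a power cut here changes nothing

        # Vulnerable ordering: verify, then persist the failure later.
        if guess == self._pin:
            self.failed_in_flash = 0
            return True
        pending = self.failed_in_flash + 1
        if power_cut_before_commit:
            return False                       # reboot: pending increment never written
        self.failed_in_flash = pending
        if self.failed_in_flash >= self.max_attempts:
            self.erased = True
            raise DeviceWiped("device wiped")
        return False


def brute_force(device, cut_power=True, seconds_per_attempt=40.0):
    """Try 0000..9999 in order, as the box does.

    Returns (pin, attempts, hours) on success or (None, attempts, hours) if
    the device wipes first. seconds_per_attempt is the ~40 s from MDSec's note.
    """
    attempts = 0
    for digits in itertools.product("0123456789", repeat=4):
        guess = "".join(digits)
        attempts += 1
        try:
            if device.try_pin(guess, power_cut_before_commit=cut_power):
                return guess, attempts, attempts * seconds_per_attempt / 3600
        except DeviceWiped:
            return None, attempts, attempts * seconds_per_attempt / 3600
    return None, attempts, attempts * seconds_per_attempt / 3600


def estimate_hours(pin_digits=4, seconds_per_attempt=40.0):
    """Worst-case hours to exhaust an all-numeric PIN of the given length."""
    return 10 ** pin_digits * seconds_per_attempt / 3600


if __name__ == "__main__":
    SAMPLE_PIN = "7351"  # constructed sample
    print("vulnerable + power cut:", brute_force(Device(SAMPLE_PIN), cut_power=True))
    print("vulnerable, no power cut:", brute_force(Device(SAMPLE_PIN), cut_power=False))
    print("hardened + power cut:",
          brute_force(Device(SAMPLE_PIN, commit_before_verify=True), cut_power=True))
    print("4-digit worst case, hours:", estimate_hours(4))
    print("6-digit worst case, hours:", estimate_hours(6))
```

With the vulnerable ordering and the power cut, the counter never advances and the search reaches the sample PIN after 7,352 guesses (about 82 hours); without the power cut, or with the hardened ordering, the device wipes on the tenth guess. The worst-case figure for four digits, 10,000 × 40 s, is the ~111 hours in MDSec's note; the same arithmetic for six digits gives over 11,000 hours, which is the point of the 4-digit-PIN remark above.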

Update (2015-03-28): Hacker News comments.
