If you needed any more incentive to beef up your iPhone’s password, here’s one: security researchers at MDSec have tracked down a device called an “IP Box” that can brute force the phone’s 4-digit security code and gain access to its data.
In and of itself, that’s not particularly surprising: a 4-digit PIN is widely considered to be insecure. What is novel about the IP Box’s approach is that it can bypass one of iOS’s optional built-in security features, which erases the device after 10 incorrect PIN attempts.
To do so, the box connects to the iPhone via USB and directly to the device’s power supply. After it enters an incorrect attempt–which it cleverly determines via a light sensor, as the screen brightness changes when the correct code is input–it cuts power to the phone and reboots it, before iOS can record a failed entry.
Granted, that means this hack takes a lot of time–around 40 seconds per attempt. Trying all 10,000 possible combinations at that rate would take around 4 and a half days, though that may not be that long for someone really determined to get at your data.
Fortunately, it’s pretty easy to protect yourself against this kind of hack. Simply adding another digit to your passcode (on iOS, by going to Settings > Passcode and turning off Simple Passcode) increases the number of combinations to 100,000, which, according to security firm Sophos, would take the IP Box a month and a half at the same speed. Up it to 7 digits and you’re looking at 12 and a half years. And that’s not even counting using an alphanumeric passcode, which would increase the number of combinations astronomically.
Of course, if you’re using a recent iPhone, there’s no reason at all not to use Touch ID fingerprint scanner in concert with a complex passcode. Touch ID may not be totally secure, but as of yet there’s no box to automatically crack it, so that’s a plus.