A new device is causing commotion around the interwebs today, that has the ability to unlock PIN-protected iOS devices. The tool, first spotlighted by security firm MDSec, is being used in the phone repair markets to brute-force iPhone and iPad Lock screens.
According to MDSec, these ‘IP Boxes’ are about the size of an Apple TV, and you can acquire one for around $300. It works by simulating the PIN entry on a device over a USB connection, and is able to sequentially bruteforce every possible PIN combination.
The most genius, and scary, part is that the IP Box works even if the “Erase data after 10 attempts” setting is enabled. MDSec says it does this by cutting the device’s power after each failed PIN attempt, but before the attempt has been synchronized to memory.
It’s not a quick process though. Each PIN entry takes approximately 40 seconds, so it could take more than 110 hours to brute force an iPhone. It also only works for devices that are protected with 4 digit PIN codes, so those with more complex passwords are safe.
In their post, MDSec notes that they believe Apple patched the exploit used by IP Box in iOS 8.1.1.