According to research conducted by MDsec, a new mobile phone repair device known as IP Box can brute-force the Apple iOS screen lock. The hardware costs around £200, is readily available for purchase and is simple to operate.
Analysis reveals that the device uses a USB connection to simulate PIN entry, trying every PIN combination in sequence until the device unlocks. MDsec's report points out that this method is not a new discovery, and that security measures such as the “erase data after 10 unsuccessful login attempts” setting exist to thwart such attacks. However, IP Box circumvents this setting by connecting directly to the iPhone's power source and “aggressively” cutting power after each failed attempt, before the attempt has been recorded in the phone's flash memory.
According to the analysis, each PIN entry takes approximately 40 seconds to complete, so working through the 10,000 possible 4-digit PINs could take more than 100 hours. MDsec posted a video on YouTube of their test attack on an iPhone 5S running iOS 8.1, and promises to test the same attack on the most up-to-date iOS software. Meanwhile, the company advises, iOS users should set a “sufficiently complex password” in place of a simple PIN.
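The bypass described above works only if the failed-attempt counter reaches flash after the PIN has been checked. The following Python model is an added illustration, not MDsec's or Apple's code: the class and function names and the sample PIN are constructed, and it assumes a power cut simply stops every step that follows the failed check. It compares that ordering with one possible mitigation, recording the attempt before the check and clearing it on success.

```python
"""Toy model of a failed-attempt counter when power is cut after a wrong PIN.
All names are constructed for illustration; this is not Apple's code."""

MAX_FAILS = 10  # mirrors the "erase data after 10 unsuccessful attempts" setting

class PowerCut(Exception):
    """Power removed before the remaining steps of an attempt could run."""

class ScreenLock:
    def __init__(self, pin, commit_first):
        self._pin = pin
        self.commit_first = commit_first  # True: persist counter before checking
        self.flash_fails = 0              # stands in for the counter held in flash
        self.wiped = False

    def attempt(self, guess, cut_power_on_fail=False):
        # A counter already at the limit triggers the wipe, even after a reboot.
        if self.flash_fails >= MAX_FAILS:
            self.wiped = True
        if self.wiped:
            return False
        if self.commit_first:
            self.flash_fails += 1         # recorded before the result is known
        if guess == self._pin:
            self.flash_fails = 0          # success clears the counter
            return True
        if cut_power_on_fail:
            raise PowerCut()              # nothing after this point runs
        if not self.commit_first:
            self.flash_fails += 1         # weak ordering: recorded after failing
        return False

def failures_recorded(commit_first, wrong_guesses=25):
    """Enter wrong PINs, cutting power after each; return (counter, wiped)."""
    lock = ScreenLock("4821", commit_first)  # constructed sample PIN
    for _ in range(wrong_guesses):
        try:
            lock.attempt("0000", cut_power_on_fail=True)
        except PowerCut:
            pass
    return lock.flash_fails, lock.wiped

if __name__ == "__main__":
    print("record after check :", failures_recorded(False))
    print("record before check:", failures_recorded(True))
```

With the counter written after the check, 25 wrong entries leave it at zero and the erase setting never fires; with the counter written first, the limit is reached after 10 entries regardless of the power cut.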