Four Digit iPhone Passwords Are Not Enough

Photo via YouTube

(Jennifer Abel  @ ConsumerAffairs) If you have an iPhone you're required to use a minimum of four characters in your passcode, though you can set your passcode to require more characters than four – and for security reasons, you probably should.

A recent experiment from the U.K. security company MDSec provides another reminder of why. They tested a black box device which can use brute force to break a four-digit passcode in 111 hours or less, thus averaging out to 55 hours needed for hackers to access a typical iPhone with four-digit code.

In hacking terms, a brute-force attack means methodically trying every possible character combination until the right one is found. This is done with software, of course, since the number of possible different passcode combinations is more than any mere human can type in a decade — or even a lifetime.

Most passcode-protected systems are set up to make brute force attempts impossible. Have you ever temporarily forgotten your password for a given account (or only remembered “Okay, I know it's the release date and first-line lyrics to one of my five all-time favorite songs; I just can't remember which specific song I used?”), and then, after a few failed tries, got a message saying you now had to wait a period of some minutes before you'd be allowed to try entering a password again? That was to thwart brute force.

10 attempts

With iPhones, the devices allow 10 incorrect passcode attempts before going into either automatic lockout or data wipe, depending on which settings the owner chose. But the black box device tested by MDSec can circumvent this 10-guess limit and brute-force the iPhone anyway – provided it had physical possession of the phone itself, for up to four uninterrupted days:

For as little as £200 [about $300] we were able to acquire one of these devices and put it to work. … Our initial analysis indicates that the IP Box is able to bypass this [10-try limit] restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN. 

Essentially, after every failed password attempt, the black box device shut off the iPhone's power source before the phone could “count” that failed try toward any 10-failure total.

Of course, this particular black box hacking device has little practical real-world value for everyday hackers, and even for everyday iPhone users it's more of a laboratory curiosity than an actual threat. But it's also another example illustrating why sometimes, bigger really is better — at least where iPhone passwords are concerned.