With almost every iteration of iOS, Apple has made it even more difficult to bypass a passcode lock. But the tiny box you see above is able to use brute force to bypass a passcode and gain entry to a locked iOS device while keeping its data intact.
The device is called an IP Box, according to MDSec, and it’s being used by gadget repairers to gain access to locked iPhones, iPads, and iPods when users forget their passcodes. It costs around £200 ($294), but of course, it’ll pay for itself over time.
What’s special about the IP Box is that it can not only gain access to a locked device, but also bypass the security measure that automatically wipes data after 10 failed unlock attempts.
“This obviously has huge security implications and naturally it was something we wanted to investigate and validate,” MDSec reports.
After its investigation, MDSec found that the way the IP Box works is simple: it tries every possible PIN combination in quick succession until it eventually reaches the right one. That means it could take around 111 hours to complete the process.
By connecting directly to an iOS device’s power source, it’s able to quickly cut off the power supply after every failed PIN attempt — before the device is able to record it as a failed attempt. Here’s an example of how it works on an iPhone 5s running iOS 8.1:
“We plan to test the same attack on an 8.2 device and will update with our progress,” MDSec says. “In the mean time, our advice to all is ensure you have a sufficiently complex password applied to your device rather than a PIN.”
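To put that advice in numbers, the following sketch is an added example, not code from MDSec or the original article. It assumes the 111-hour figure is one full sweep of the 10,000 possible four-digit PINs (the article does not state the PIN length), derives a per-attempt cost from it, and applies that cost to a few constructed passcode policies.

```python
# Assumption: the article's "around 111 hours" is one full sweep of the
# 10,000 possible four-digit PINs (the article does not state the PIN length).
FULL_SWEEP_HOURS = 111
ASSUMED_PIN_SPACE = 10 ** 4
SECONDS_PER_ATTEMPT = FULL_SWEEP_HOURS * 3600 / ASSUMED_PIN_SPACE  # ~40 s

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample policies: label -> (alphabet size, passcode length)
POLICIES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6 chars, lowercase + digits": (36, 6),
    "8 chars, mixed case + digits": (62, 8),
}


def worst_case_seconds(alphabet, length, rate=SECONDS_PER_ATTEMPT):
    """Time to try every candidate at a fixed per-attempt cost."""
    return alphabet ** length * rate


def expected_seconds(alphabet, length, rate=SECONDS_PER_ATTEMPT):
    """Average time, assuming the passcode was chosen uniformly at random."""
    return (alphabet ** length + 1) / 2 * rate


def min_length(alphabet, target_years, rate=SECONDS_PER_ATTEMPT):
    """Shortest length whose average search time reaches target_years."""
    length = 1
    while expected_seconds(alphabet, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def report(policies=POLICIES):
    """Return (label, worst-case hours, average hours) per policy."""
    return [
        (label, worst_case_seconds(a, n) / 3600, expected_seconds(a, n) / 3600)
        for label, (a, n) in policies.items()
    ]


if __name__ == "__main__":
    for label, worst, avg in report():
        print(f"{label:30s} worst {worst:>16,.0f} h   average {avg:>16,.0f} h")
    for alphabet in (10, 36, 62):
        print(f"alphabet {alphabet}: >= {min_length(alphabet, 10)} characters for a 10-year average")
```

Passcodes chosen by people are not uniformly random, so the averages above are upper bounds for guessable choices such as dates or repeated digits.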
Of course, IP Boxes aren’t exactly widespread, and they’re not cheap, so they probably never will be. The chances of this happening to your iOS device are slim for now, then. But this video proves it is at least possible to bypass Apple’s security measures in iOS 8.
We’ll be keeping an eye on MDSec’s investigations with the IP Box, and we’ll be sure to let you know how they get on with iOS 8.2. If you’re worried, then it may be prudent to set up a complex passcode on your device.
[via MDSec]