Passwords are important to prevent unauthorized access. In some cases, a strong password might not be thought necessary due to other security measures. Many iPhones are protected with a 4 digit pin, which is trivial to crack via brute force means. For security, iPhones are set to wipe all data on the phone after too many passcode mistakes are made. However, there’s a new attack that doesn’t allow the iPhone to keep track of passcodes attempted, making a short 4 digit pin much more dangerous.
Using a simple black box, a device that sends passcodes and keeps track of failed combinations, brute forcing an iPhone suddenly became viable. By wiring the device into the iPhone’s battery, the device can cut power to the iPhone before it can be recorded that a bad passcode was attempted. After a reboot, the phone has no idea that someone tried a bad passcode, allowing for every combination to be tried.
With the time it takes to reboots (~40 seconds) it would take upwards of 5 days to crack a 4 digit pin with 10,000 combinations. The issue is known and likely has been patched in iOS 8.2 (the vulnerability being in iOS 8.1). While the problem is easily fixed at the software level, the problem can also be easily avoided with a stronger password. The reason this brute force works is because of the 4 digit pin; having a character password or even a longer pin would make a brute force less viable. Even at the expense of convenience, a strong password is vital for protecting your information, as other means of security may not always be as secure as you think.
The researchers who discovered and tested the device – http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html
Sophos blog with more details on the device and pin security – https://nakedsecurity.sophos.com/2015/03/17/black-box-brouhaha-breaks-out-over-brute-forcing-of-iphone-pin-lock/
One retailer with the device in question – http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/
More about the device:
The actual device works via a usb connection to the iPhone and a separate connection to the battery. It sends virtual input to the iPhone, and measures the iPhone’s screen brightness for certain levels of intensity, so that it is known if a pin was good, cutting power if it wasn’t. It’s called an “IP Box”, and isn’t hard to get online, though it isn’t easy finding the original developer for this specific device. Devices like this that hook into phones for virtual input is not a new concept, so the same kind of exploit is theoretically possible for other types of phones (e.g. Android). However, it’s unknown whether this specific exploit to brute force without data being wiped is also on other phone platforms.