A piece of hardware costing just £120 could allow anyone to crack the pin code on an iPhone or iPad even if they have security measures turned on to prevent such a "brute force attack".
The piece of hardware is called the "IP-Box iPhone Password Unlock Tool" and is freely available online along with an adapter which will allow users to crack the passwords of iPhones and iPads even if they are running iOS 8.1.
The box is exploiting a known vulnerability in Apple's software which the company patched back in November with its iOS 8.1.1 update, but there are millions of its smartphones and tablets still vulnerable to this attack.
According to British security consultancy MDSec, which has been testing the hardware, the IP-Box "appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially brute forces every possible PIN combination".
The security company said that this was not the surprising part however, as this technique had been known for some time. What was surprising was that the technique worked even if the user had the "Erase data after 10 attempts" option turned on.
The company successfully tested the device on an iPhone 5s running iOS 8.1. It said it plans on updating the test on iOS 8.2 in time.
Cutting the power
The IP Box is able to bypass the security measure by connecting directly to the iPhone/iPad's power source and "aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronised to flash memory".
Due to the way the system works, each attempt takes around 40 seconds, which means that cracking a four digit PIN code could take as long as 111 hours in total which is much longer than the manufacturer-advertised time of between "6 seconds and 17 hours".
Apple may have fixed the vulnerability in the latest version of its mobile operating system – iOS 8.1.1 – but any iPhone/iPad/iPod running an earlier version of the software is still at risk and considering that there are a lot of models (including the iPhone 4 and original iPad) which cannot update to the latest version of iOS, it means many devices will be vulnerable to this attack forever.
IBTimes UK has asked Apple for a comment on the availability of the IP-Box but at the time of publication, we have yet to hear a response.