The IP-Box only works on iPads and iPhones running software update 8.1 or earlier. It allows users to bypass the iPhone’s lockout mechanism using a brute force attack.
The IP-Box exploits a little-known vulnerability in Apple’s software that allows the box to shut down an incorrect password attempt before the phone can register that it has happened, so the phone never locks the user out.
With 10,000 possible four-digit PINs, each attempt taking around 40 seconds, it could take the box 4.6 days to unlock the device - much longer than the advertised six seconds to 17 hours.
The box works by plugging in through the device’s Lightning connector, which is attached to a small circuit board. When the correct code has been found, the phone is automatically unlocked.
The device does not reveal the correct code used, but allows the user instant access into the device.
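A simplified model of the ordering problem described above, added here as an illustration; it is not Apple's code or the IP-Box's, and the `Lock` class, the 10-failure limit and the PINs are constructed assumptions. It shows that an attempt limit survives a power interruption only when the failure counter is stored before the guess is checked.

```python
import hmac


class PowerCut(Exception):
    """Simulated loss of power in the middle of a passcode attempt."""


class Lock:
    MAX_FAILURES = 10  # constructed limit for this model

    def __init__(self, pin, commit_before_check):
        self._pin = pin
        self.commit_before_check = commit_before_check
        self.failures = 0  # stands in for a counter kept in persistent storage

    def attempt(self, guess, cut_power_on_failure=False):
        if self.failures >= self.MAX_FAILURES:
            return "locked_out"
        if self.commit_before_check:
            # Hardened order: charge the attempt before any result is visible.
            self.failures += 1
        if hmac.compare_digest(guess, self._pin):
            self.failures = 0
            return "unlocked"
        # From here on the failure is observable from outside the device.
        if cut_power_on_failure:
            raise PowerCut()
        if not self.commit_before_check:
            # Weak order: the counter is only updated after the result is known,
            # so an interruption at this point leaves the failure unrecorded.
            self.failures += 1
        return "wrong"


def guesses_before_stop(lock):
    """Try 0000..9999 with power interrupted after every wrong guess.

    Returns (number of guesses the lock actually checked, final result).
    """
    for n in range(10_000):
        try:
            result = lock.attempt(f"{n:04d}", cut_power_on_failure=True)
        except PowerCut:
            continue
        return (n + 1, result) if result == "unlocked" else (n, result)
    return (10_000, "exhausted")
```

With the weak ordering the model checks every guess up to the correct PIN; with the counter committed first it stops after ten.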
Jamie Graves, CEO of Scottish cyber security company ZoneFox, said: “The issue of it being available to the public is a tricky one. The main issue here is that it is incredibly hard for technology like this to be controlled. With the internet, it’s difficult to stop people from getting their hands on one if they are determined enough to do so. Therefore simply banning them from the public would not be effective.”
Graves feels that it is the responsibility of big business to stay on top of security to protect users. He said: “The IP-Box shows that, certainly in the case of the iPhone, the bare minimum of security measures have been implemented. We know this because it implements a form of attack known as a ‘brute-force’ attack on the password, which simply put means it guesses passwords until it gets the right one.
“There are measures that can, and have, been put in place to frustrate this form of attack.
“At the end of the day, though, it highlights that combating those intent on hacking into systems is an arms race where hackers are ultimately always one step ahead.”
Bryan Thomson of Edinburgh-based security consultants TrustStream said: “Unfortunately what is secure today may not be secure tomorrow due to the exponential rate that technology advances.
“Large software/hardware companies should be thinking about security from the start and not as an afterthought, which is often the case.”
But Thomson believed that devices such as the IP-Box were of benefit to the wider security community: “Restricting their use to only professionals would limit the security community input, which is a crucial element for security testing development.”