
Apple's Four-Digit Passcodes Still a Weak Link in iOS 8 Encryption, Researcher Says

Lucian Ciolacu

October 09, 2014


Apple's newly revised encryption system in iOS 8 is susceptible to brute-force attacks in certain circumstances because users pick four-digit passcodes, according to Joseph Bonneau's research.

The new encryption system adopted in iOS 8 concerned US law enforcement because Apple itself would no longer be able to access encrypted user data; even so, the data can still be exposed in some circumstances.

“Users with any Simple Passcode have no security against a serious attacker who's able to start guessing with the help of the device's cryptographic coprocessor,” Bonneau said.

If, for example, an iPhone is seized while powered off, cracking is very unlikely, because the attacker would first need to access the iPhone's cryptographic coprocessor, dubbed the “Secure Enclave”, and derive the security keys from it.

But if an attacker can boot the device and talk to the Secure Enclave, a path to brute-forcing the passcode opens up, and that is the weakness of iOS 8 devices.

The researcher's scenario applies if, and only if, the attacker can bypass the “secure boot” sequence.

“Against an attacker able to copy the raw memory from a powered-off phone, it's not a far jump to assume they can talk directly to the crypto coprocessor to guess passwords.”

Once again, the choice of passcode is a decisive factor in brute-force attacks: many users still employ four-digit passcodes even though Apple allows passcodes of up to 12 digits.

“Against this level of attacker, any user choosing a 4-digit PIN (the default) will have their data compromised and a large number of users choosing a longer passcode will as well due to poor user choices of passwords.”

The standard mitigation against brute-force attacks is to limit the number of guesses and impose a lockout period once that limit is exceeded.

For example, some WPS-enabled wireless routers allow an attacker five guesses at the WPS PIN. After five wrong guesses, the router automatically bans further attempts for a while. A ban of five minutes or more makes a brute-force attack impractical, since the attacker has to try 10,000 combinations for a four-digit passcode, and more for longer passcodes.

The basic recommendation for iPhone users who employ passcodes for their devices would be to select a code longer than four digits, as the longer the passcode is, the harder it is to perform a brute-force attack.
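The guess limit and lockout described above, and the effect of passcode length, as an added example that is not Apple's code nor anything from Bonneau's research: a small Python model of a passcode verifier that enforces a five-attempt, five-minute lockout like the WPS routers in the article, plus a calculator for the worst-case time an exhaustive guesser would need for a given passcode length. The 0.08-second cost per guess and the escalating-ban variant are constructed assumptions for illustration, not figures from the article.

```python
"""Model of a throttled passcode verifier and the brute-force cost it imposes.

Added example for this article; not Apple's or any vendor's code. The
lockout policy (5 free attempts, then a 5-minute ban) follows the WPS router
behaviour the article describes. The per-guess time and the escalating
variant are constructed assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LockoutPolicy:
    free_attempts: int = 5       # wrong guesses tolerated before a ban
    ban_seconds: float = 300.0   # length of the ban (5 minutes)
    escalate: bool = False       # double the ban each time it is triggered


@dataclass
class ThrottledVerifier:
    secret: str
    policy: LockoutPolicy
    failures: int = 0
    bans: int = 0
    locked_until: float = 0.0

    def try_passcode(self, guess: str, now: float) -> str:
        """Check one guess at time `now`; return 'ok', 'wrong' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(guess, self.secret):   # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.free_attempts:
            factor = 2 ** self.bans if self.policy.escalate else 1
            self.locked_until = now + self.policy.ban_seconds * factor
            self.bans += 1
            self.failures = 0
        return "wrong"


def worst_case_seconds(digits: int, policy: Optional[LockoutPolicy],
                       guess_seconds: float) -> float:
    """Time to exhaust every numeric passcode of `digits` digits.

    With no policy the cost is just one guess time per candidate; with a
    policy every block of `free_attempts` wrong guesses adds one ban.
    """
    n = 10 ** digits
    total = n * guess_seconds
    if policy is None:
        return total
    bans = (n - 1) // policy.free_attempts        # wrong guesses before the last one
    if policy.escalate:
        total += policy.ban_seconds * (2 ** bans - 1)   # geometric series of doublings
    else:
        total += bans * policy.ban_seconds
    return total


def simulate_exhaustive(secret: str, policy: LockoutPolicy,
                        guess_seconds: float) -> Tuple[int, float]:
    """Drive the verifier through every code in order; return (attempts, seconds).

    The simulated guesser waits each ban out, so the result should agree with
    worst_case_seconds() when the secret is the last code tried.
    """
    digits = len(secret)
    v = ThrottledVerifier(secret, policy)
    now, attempts = 0.0, 0
    for code in range(10 ** digits):
        if now < v.locked_until:
            now = v.locked_until            # cannot guess while locked
        now += guess_seconds
        attempts += 1
        if v.try_passcode(f"{code:0{digits}d}", now) == "ok":
            return attempts, now
    raise RuntimeError("unreachable: every code was tried")


if __name__ == "__main__":
    GUESS = 0.08   # constructed: seconds per attempt via the coprocessor
    wps_like = LockoutPolicy()
    for d in (4, 6):
        print(f"{d} digits, no lockout : {worst_case_seconds(d, None, GUESS) / 3600:9.2f} h")
        print(f"{d} digits, 5/300s ban : {worst_case_seconds(d, wps_like, GUESS) / 86400:9.2f} days")
    print("simulated 4-digit worst case:", simulate_exhaustive("9999", wps_like, GUESS))
```

Run as a script it prints the hours needed without a lockout against the days needed with one; the simulation confirms the closed-form figure for the four-digit case. The point for defenders is visible in the numbers: a lockout turns a 4-digit exhaustive search from minutes into days, and a longer passcode multiplies that again by ten per digit.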

Lucian Ciolacu

Still the youngest Bitdefender News writer, Lucian is constantly after flash news in the security industry, especially when something is vulnerable or exploited.