iOS Pin Guessing Attack

In this post I would like to talk about the threat posed by lost or stolen mobile devices.It is inevitable that devices will be misplaced it's human nature, right? Mobile devices are also a common target for theft. Device passcodes are seen as the first line of defense to prevent unauthorized access and subsequent data compromise.

The length and complexity of  the passcode will largely determine how successful this measure will be against the malicious user. When deciding on a passcode complexity policy we also have to take the user into consideration since they will have to  enter it each time they want to access the device.

In order to demonstrate the pitfalls of weak passcodes we will use the iPhone Data Protection Tools project http://code.google.com/p/iphone-dataprotection/. With these tools we can mount a PIN guessing attack against the device. The initial setup is quite complex and requires multiple steps but once this is done the actual attack is quite easy. You will need an iOS device sucepitble to jailbreaking e.g. 5.1.1 and a Mac.

Fortunately there is an easy to follow document provided by Joshua Wright available here http://www.willhackforsushi.com/ios-key-recovery.pdf . Once you have the installation and preparation done we can walk through the exploit.

The first step is to plug the device into the Mac via USB and let iTunes start. Next power off the device ensuring that it is completely turned off

Start redsn0w to jailbreak the device using the patched iOS firmware file, custom kernel and ramdisk you created during the preparation.

When redsn0w starts you will see the window below:

Click next and follow the steps on the menu

• Press and hold the suspend button for 3 seconds
• Without releasing the suspend button, press the home button for 10 seconds
• Release the suspend button but keep holding the home button for another 15 seconds

After a minute or two you should see OK on the device. This signals a successful exploit.

Now start an SSH listener on the device using the command below. The tcprelay.sh script is part of the iPhone Data Protection Tools.

At this point you can SSH into the iOS device using the following command (Note: the default password will be alpine).

The final step is to launch the bruteforce attack. The script will start to iterate through all the possible combinations i.e. 0000 - 9999 until it hits the correct number. The attack will not trigger a lockout as it bypasses the UI calling the low-level MKBUnlockDevice() kernel function. As you can see below the passcode has been returned as 0022

Using this technique an attacker could recover a 4 digit pin in 13 minutes on average, increasing the length to 6 digits dramatically increases the recovery time to 22 hours. If the user has a strong alphanumeric passcode then it cannot be brute forced in a reasonable amount of time meaning it gives the user the ability to initiate a device wipe.

Once the pin has been recovered it is then possible to decrypt the keybag and recover wireless keys etc. It will also be possible to do an iTunes backup containing the victims email, SMS and photos. The device can then be rebooted leaving no trace of the attack and returned to the victim if desired. Pretty scary stuff!!