IP-Box brute-force tool cracks any iPhone password

Passwords again. Always passwords.

A couple of weeks ago I mentioned a new phishing scam targeting the owners of lost or stolen Apple devices. Now comes a new reason to employ better security – or upgrade.

The IP-Box tool, yours online for about £170, will crack the four-digit passcode on any iPhone up to iOS 8 in less than 17 hours. It aggressively cuts power to the device after each failed attempt, thereby bypassing the ‘Erase data after 10 attempts’ security configuration and allowing unlimited password guesses.

MDSec, which tested the device, believes it to exploit a known iOS vulnerability (CVE-2014-4451), and says that it “obviously has huge security implications”.

iPhone complex passcode

If you haven’t updated to iOS 8.2 – or are unable to because you’ve got an older handset that won’t support the new iOS – then there is something you can do if you’re worried about someone accessing your phone: use a stronger passcode. You didn’t know you could? Go to Settings > Passcode, then switch the Simple Passcode off. You can then set a code of more than 100 alphanumeric characters that also contains punctuation marks and symbols.
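To put numbers on why a longer passcode helps, the following added example (not part of the original post) derives a per-guess time from the 17-hour figure above and works out how long a passcode must be to resist exhaustive guessing at that rate. It assumes a constant guess rate and a uniformly random passcode; the character-set sizes and the 10-year target are constructed for illustration.

```python
# Added example: passcode keyspace vs. exhaustive-guessing time.
# The rate comes from the article's figure (10,000 four-digit codes in
# under 17 hours); alphabet sizes and the target are assumptions.

SECONDS_PER_GUESS = 17 * 3600 / 10**4  # about 6.12 s per attempt (upper bound)

ALPHABETS = {  # constructed character-set sizes
    "digits": 10,
    "lowercase+digits": 36,
    "mixed-case+digits": 62,
    "printable ASCII": 94,
}

def worst_case_seconds(alphabet_size, length, rate=SECONDS_PER_GUESS):
    """Time to try every passcode of exactly `length` characters."""
    return alphabet_size ** length * rate

def min_length(alphabet_size, target_seconds, rate=SECONDS_PER_GUESS):
    """Smallest length whose full keyspace takes at least target_seconds."""
    guesses_needed = target_seconds / rate
    length = 1
    while alphabet_size ** length < guesses_needed:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"

def report(target_years=10):
    """For each alphabet: minimum length and worst-case time at that length."""
    target = target_years * 365 * 86400
    rows = []
    for name, size in ALPHABETS.items():
        n = min_length(size, target)
        rows.append((name, n, humanize(worst_case_seconds(size, n))))
    return rows

if __name__ == "__main__":
    print("4-digit worst case:", humanize(worst_case_seconds(10, 4)))
    for name, n, t in report():
        print(f"{name:18} needs {n} characters (worst case {t})")
```

These are worst-case figures for trying the whole keyspace; on average a guesser succeeds in about half that time, and far sooner against a predictable passcode.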

Yahoo! launches new password-free login

Meanwhile, at SXSW, Yahoo! announced the introduction of a new password-free login mechanism that works via SMS messages sent to users’ mobile phones. It still relies on single-factor authentication only – it’s not an authentication code that you’ll receive by SMS but a one-time password that enables access to your account – so if you’ve already got two-factor authentication enabled on your Yahoo! account, I’d stick with that.

BYOD

If your organisation supports BYOD (bring your own device), then your corporate information could be at risk if an employee’s iPhone is compromised. Does your BYOD policy detail any requirement for users to keep their devices up to date with the latest version of iOS, to implement the latest patches and updates, or to use specific handsets when accessing corporate information? If you’re not sure, you may be interested in our BYOD Policy Template Toolkit.

It contains a complete, customisable BYOD policy and Acceptable Use Agreement, together with implementation guidance, and is usable either on its own or with any other ITGP Documentation Toolkit.

Fully up to date with the March 2013 official guidance on data management and security from the UK’s Information Commissioner, the BYOD Policy Template Toolkit puts affordable best practice at the fingertips of CIOs and Security Managers everywhere.
