A new tool allows users to access a locked device running iOS 8.1 through a brute-force attack, even with the “Erase data after 10 attempts” setting on, according to security company MDSec. The IP Box — available in England for £200 (about $293) — bypasses Apple’s security measures by cutting the iPhone’s power after each failed attempt at guessing the PIN, shutting down the phone before the attempt can be logged in flash memory.
This method allows the device to break a four-digit PIN in approximately 111 hours. The vulnerability could be the issue noted in CVE-2014-4451 and addressed in Apple’s iOS 8.1.1 update, but MDSec recommends users create a “sufficiently complex” password rather than a simple PIN to protect their data regardless.
[via Daring Fireball].
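The weakness described above comes down to ordering: if a failed attempt is written to persistent storage only after the PIN check, a power cut between the two loses the record. The following is an added example that models this, not code from Apple, MDSec or the IP Box; the `Device` class, its `commit_first` flag, the PIN and the sample guesses are constructed for illustration, and committing the attempt before the check is a general mitigation pattern, not a description of Apple's fix.

```python
class PowerCut(Exception):
    """Simulated loss of power in the middle of an attempt."""

class Device:
    """Constructed model of a passcode retry counter (not Apple's code)."""
    def __init__(self, pin, commit_first, limit=10):
        self._pin = pin
        self.commit_first = commit_first  # True: persist the attempt before checking
        self.limit = limit
        self.flash_failures = 0           # the only state that survives a power cut
        self.wiped = False

    def attempt(self, guess, power_cut_after_check=False):
        if self.flash_failures >= self.limit:
            self.wiped = True             # "Erase data after 10 attempts"
        if self.wiped:
            return False
        if self.commit_first:
            self.flash_failures += 1      # logged before the result is known
        if guess == self._pin:
            self.flash_failures = 0       # success clears the counter
            return True
        if power_cut_after_check:
            raise PowerCut()              # nothing below this line gets written
        if not self.commit_first:
            self.flash_failures += 1      # logged only after the check: can be lost
        return False

def evaluated_under_power_cuts(device, guesses):
    """Count wrong guesses the device checks when power drops after each failure."""
    checked = 0
    for guess in guesses:
        try:
            device.attempt(guess, power_cut_after_check=True)
        except PowerCut:
            checked += 1
    return checked

WRONG_GUESSES = [f"{n:04d}" for n in range(50)]   # constructed sample, PIN not included

def compare():
    late = Device("7391", commit_first=False)     # counter written after the check
    early = Device("7391", commit_first=True)     # counter written before the check
    return (evaluated_under_power_cuts(late, WRONG_GUESSES), late.wiped,
            evaluated_under_power_cuts(early, WRONG_GUESSES), early.wiped)

if __name__ == "__main__":
    print(compare())
```

In the late-write model the counter never moves and every guess is evaluated; in the commit-first model the limit holds even though power is lost after every failure.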