Theoretically, you can crack the passcode on an iPhone or iPad, but that would take you days. Of course, you could automate it with some fancy computers or gadgets, but this is why Apple has the passcode counter in place to either lock someone out, or data wipe the device after ten incorrect attempts.
A security company called MDSec seems to have cracked that issue with what they’re calling as the ‘IP Box,’ but before you start getting worried about the existence of such a device, it is only a proof of concept.
The machine manages to gain access to iPhones running up to iOS 8.1 only, and it does so by “brute-forcing” the passcode, by connecting it to the device over a USB connection, and simulating keypad entries. Of course, now arises the automated lockout or data wipe issue, but the IP Box has that covered with a trick up its sleeve.
“The IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory.”
Basically, the IP Box checks for the light levels on the display to determine if access to the home screen has been gained or not, and in case it’s the latter, the box cuts off the power to the iPhone just fast enough where the passcode counter does not get triggered at all, and the phone simply restarts. Pretty cool, but with all these restarts and the number of passcode combinations that need to be tried, you’re looking at around 111 hours for testing every single code on the phone. Of course, the contraption is anything but practical given that you’d also need physical access to the device for 111 hours.
With the debate going on about how Touch ID seems to trump a U.S. citizen’s right to the Fifth Amendment, especially where the law cannot force a person to divulge such information during criminal investigations, and a fingerprint is not a possibility, such devices can lay all those debates to rest. As for the IP Box, iOS 8.1.1 and over seems to have removed any such possibilities, for now at least.