The US government wants Apple to give it access to a password-protected iPhone used by a terrorist who killed 14 people in San Bernardino, California last year. Apple has refused. The two are fighting it out in court, at Congressional hearings, and in other venues where data privacy and mass-surveillance tradeoffs are debated.
But the government has unlocked iPhones before, without permission from Apple or anyone else, using off-the-shelf equipment that can be bought on eBay. There may be more than 100 million iPhones in use today that can be unlocked this way.
The hacking equipment is called IP Box, and can be found on eBay for about $200. It’s a black box that connects to an iPhone and systematically runs through every possible PIN combination to unlock it. This method of hacking, called “brute forcing,” is why Apple added an option for users to erase a phone’s data after 10 failed password attempts.
Cleverly, IP Box gets around Apple’s auto-erase feature by cutting power to the device after each failed attempt. This means the wrong guesses don’t accumulate, opening the door for brute-force hacks, according to an analysis by British security consultancy MDSec. The firm used IP Box to successfully unlock an iPhone 5s running iOS 8.1 protected by a four-digit PIN in March 2015. Here’s a video of it in action (0:30 and 1:53):
There is confusion over which versions of iOS IP Box is able to unlock in this way. Dominic Chell, who runs MDSec, says Apple plugged the security hole after iOS 8.1. But a US government agent has testified that the hack works on later versions of iOS, too.
The testimony surfaced in a New York court case in December 2015, when a ruling referred to a Department of Homeland Security special agent named David Bauer who told a court that he had unlocked three phones with IP Box. The target phone in the case in question, though, was an iPhone 5 running iOS 8.1.2, which Bauer had not personally unlocked before. He said, however, that law enforcement agents in Bergen County, New Jersey, had successfully unlocked iPhones running later versions of iOS.
A conservative estimate of the number of iPhones vulnerable to IP Box—that is, phones running iOS 8 or earlier—would be over 100 million. It’s difficult to be precise because Apple doesn’t say how many active iPhones are out there, and it’s not entirely clear which versions of iOS are hackable with IP Box. But analysts have estimated that the number of active iPhones stands at between 450 and 475 million.
Apple says that 23% of active iOS devices (including things like iPods and Apple TVS) run iOS 8 or earlier. Applying that ratio to our estimate of active iPhones gives a lower limit of 104 million phones running iOS 8 or earlier:
Although IP Box may work with millions of devices, it’s not a simple process. When MDSec tested IP Box, it took about 111 hours to unlock a phone protected by a four-digit PIN. That’s because it takes 40 seconds for each PIN entry. That’s a lot longer than the 13 minutes it takes to brute-force the PIN if entries were made at the fastest possible speed of 80 milliseconds each, which risks erasing all the phone’s data if the wipe-after-10-attempts feature is on.
What’s more, Apple has given users the option of making passcodes more complex than four digits since iOS 5, which was released in June 2011. Adding two more digits to a passcode means brute-forcing takes 100 times as long.
Bauer’s testimony was highlighted in a ruling issued this week by James Orenstein, a federal judge in New York. Orenstein was considering a government request for Apple’s help in unlocking an iPhone linked to a drug-dealing ring, citing Bauer’s comments as background to the case. The judge ruled in Apple’s favor, which strengthens the company’s position when it comes to the ongoing case in California with the San Bernardino shooter’s phone. That iPhone is running iOS 9, which is almost certainly immune to a brute-force hack, Chell says.