Tens of millions of bestselling smartphones can easily be hacked by criminals using a £120 device that cracks their four-digit passcode.
An investigation found the gadget, sold openly on the internet, could be used to gain access to private and confidential details stored on Apple iPhones, including photographs, emails, contact details and call histories.
Using the device called an IP Box this newspaper was able to break the passcode of an Apple iPhone 5C, the model that America’s Federal Bureau of Investigation had been fighting to access in order to gain information about a terrorist massacre.
The FBI entered a high-stakes legal battle with Apple over the handset belonging to Syed Farook, who died with his wife in a gun battle with police after the couple killed 14 people in December in San Bernardino, California.
Apple had refused to help investigators find the code to unlock the murderer’s phone, saying it feared it would set a legal precedent and allow law enforcement officials to probe the contents of millions of its phones in future investigations.
After a two-month stalemate, the FBI last week announced it had finally broken the four-digit code, finding the right sequence out of a possible 10,000 numeric combinations.
But what took the FBI weeks can apparently be done in a matter of hours with devices like the IP Box, which launch a ‘brute force’ attack on the password by going through all the possible combinations until it finds the right one.
Normally, iPhones are disabled once five wrong attempts are entered but the IP Box is able to keep trying codes.
Other devices such as iPads and mini iPads are also susceptible to the attack.
This newspaper purchased an IP Box from the online store Fone Fun Shop, which has a retail premises in Sheffield.
The device can also be bought on eBay.
Our device arrived the following day and we tested it by setting a random four-digit number as the passcode on an iPhone 5C.
We plugged the device in to the phone and watched as it tried codes starting from 0000 upwards.
After nearly six hours, the device cracked the code 3298 – and started beeping and lighting up the iPhone screen to signify a successful hack.
With the code we were able to access all the data on the device, as well as change its passcode to one of our choosing. As each entry takes six seconds to input, an iPhone can be cracked within seconds ranging up to 17 hours.
iPhones run on computer programs called operating systems which are updated over time to increase security and make other features more efficient. While the phone tested by the MoS was the same model as the San Bernardino one, it was running an older operating system iOS 7.
The San Bernardino one was on iOS 9. That said, experts claim similar devices can also now hack this system. Company director of Fone Fun Shop Mark Strachan, 45, said: ‘We discovered the device via our Hong Kong office and were sceptical as to whether it would work but after testing we discovered it worked perfectly.
‘We already supply forensic tools to law enforcement within the UK and worldwide and decided to introduce it into our line of products. There are certain scenarios where this kind of technology is needed to help people for the right reasons, it’s not all bad.
‘We have helped many families who had a family member die suddenly get sentimental photos off their locked device.
‘We have also helped many people get access to all their phone book contacts, especially people in business, who put everything in their iPhones such as suppliers and customer contact details that would be totally lost unless they cracked the passcode to their phone.’
Mr Strachan added that this month they will start selling a new device that can crack into the latest Apple iPhone software – the iOS 9 system that was on the San Bernardino phone. This means hundreds of millions of iPhones even the ones with the latest software – could be vulnerable to attack.
He said: ‘It is the same technology the FBI got access to crack the passcode on the San Bernardino device.’
Director of the Cyber Security Centre at The University of Warwick, Professor Tim Watson, said: ‘Phones are incredibly useful devices but the problem is there are thieves who are constantly seeking access to them. The answer is you should always make sure you have your phone updated to the latest piece of software.’
A spokesman for the FBI refused to comment but a source close to the US intelligence agency said: ‘The FBI is well aware of IP Boxes and have highly sophisticated versions of the product.’
An Apple spokesman refused to comment. The IP Box is not illegal but if it were to be used to hack someone’s iPhone then it would be a crime under section 55 of the Data Protection Act 1998.
