If you use a PIN code to unlock your iPhone or iPad, you may have seen a message like “This Passcode Can Be Easily Guessed” when you tried to set the code. That’s because the code is on a blacklist that Apple has developed. The codes on that blacklist are sequences like “0000” that are too easily guessed to be secure. But Apple hasn’t made that blacklist public; that would just further reduce security. To find out which codes are on that blacklist, a team of security researchers built a Raspberry Pi and LEGO robot to perform a brute-force “attack.”
Devices running iOS allow you to set both four-digit and six-digit passcodes, and blacklists exist for both of them. The researchers wanted to identify those blacklists, and also to learn something about iOS security in the process. To accomplish that, they needed an automated way to perform brute-force attacks. These kinds of attacks are usually prevented by limiting how often a password can be entered or by limiting the number of allowed attempts. But those limitations are not active when you’re simply choosing a passcode, which gave them an opportunity to perform a brute-force attack.
The “robot” they built to perform the brute-force attack was made from LEGO and a Raspberry Pi. It isn’t a robot in the traditional sense, as it doesn’t have any moving parts. Instead, it connects to an iPhone via the Lightning port as an emulated USB keyboard. The LEGO bricks are used to hold the iPhone in place and to position a camera connected to the Raspberry Pi. Each time a passcode is entered, the Raspberry Pi snaps a photo and analyzes it to determine if the “Easily Guessed” message has appeared. If it has, that particular passcode has been blacklisted. With this method, they were able to identify the 274 blacklisted four-digit passcodes and the 2,910 blacklisted six-digit passcodes. They also determined that six-digit codes weren’t much more secure than the four-digit codes.