Some PINs are blacklisted on iOS. For example, iOS warns against using 0000 or 0011, yet accepts 0001 or 1001 without complaint. But which combinations are blacklisted, and does the blacklist actually improve security?
Also, is a 6-digit PIN better than a 4-digit one?
Security researchers Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth and Adam J. Aviv set out to find out, enlisting the help of a robot built from LEGO parts and a Raspberry Pi to extract the list of blocked 4-digit and 6-digit PINs.
The first obstacle the researchers had to overcome is that iOS rate-limits PIN entry to thwart guessing attacks. That protection, however, is absent during the initial setup process.
Taking advantage of this, the researchers built a device that automates PIN entry using LEGO bricks and a Raspberry Pi fitted with a camera. The "robot", connected to the iPhone through the Lightning port, emulates a USB keyboard: it types a PIN and the camera photographs the iPhone's screen.
The photo is then processed to determine whether that PIN is blacklisted.
It turns out that Apple blacklists 274 four-digit PINs and 2,910 six-digit PINs.
But does this improve security? According to the researchers, it does not: the blacklists are too small, and iOS still lets users keep a blacklisted PIN if they insist.
"We find that the relatively small blacklists used today by iOS offer little or no benefit," the researchers wrote. "Gains are only observed when blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist of about 10% of the PIN space can provide the best balance between usability and security."
The researchers also found that six-digit PINs are not much more effective than four-digit ones, because of the numbers users choose.
"Our study found that there was little benefit to the six-digit PIN compared to the four-digit one. Our participants tended to select more easily guessed 6-digit PINs when examining the first 40 guesses of an attacker."
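As an added illustration (not code from the article or from the paper it reports on), the following Python script models the kind of analysis the researchers describe: blacklist the most popular PINs, assume a user whose choice is rejected re-picks from the remaining PINs, and compare an attacker's success within a fixed budget of guesses (the article's 40) with and without the blacklist, for both 4-digit and 6-digit PINs and for blacklist sizes including the 274 and 2,910 reported and the roughly 10% of the PIN space the researchers recommend. The PIN-choice distribution is constructed (a Zipf curve with repeated digits and ascending runs at the top) and is far more skewed than real user behaviour, so only the procedure carries over, not the numbers; the re-pick rule and the Zipf exponent are assumptions, not findings of the study.

```python
"""Toy model of how a PIN blacklist changes an attacker's guessing success.

Added illustration; not code from the article or from the paper it reports on.
The PIN frequency table is CONSTRUCTED (a Zipf curve with a few well-known
patterns placed at the top), not real user data, and the exponent ZIPF_S is an
assumed parameter, not a measured one.
"""
from __future__ import annotations

ZIPF_S = 1.0  # assumed skew of the constructed distribution (not measured)


def constructed_pin_distribution(digits: int = 4, s: float = ZIPF_S) -> dict[str, float]:
    """Return a normalised probability for every PIN of the given length.

    The ranking is constructed: repeated digits (0000, 1111, ...) and ascending
    runs (0123, 1234, ...) come first, every other PIN follows in numeric order;
    rank r gets weight 1/(r+1)**s and the weights are normalised to sum to 1.
    """
    repeated = [d * digits for d in "0123456789"]
    runs = ["".join(str((start + i) % 10) for i in range(digits)) for start in range(10)]
    head = list(dict.fromkeys(repeated + runs))  # de-duplicate, keep order
    head_set = set(head)
    rest = [f"{n:0{digits}d}" for n in range(10 ** digits)]
    ranked = head + [pin for pin in rest if pin not in head_set]
    weights = [1.0 / (r + 1) ** s for r in range(len(ranked))]
    total = sum(weights)
    return {pin: w / total for pin, w in zip(ranked, weights)}


def blacklist_most_popular(dist: dict[str, float], size: int) -> frozenset[str]:
    """Blacklist the `size` most frequently chosen PINs (what a blacklist should target)."""
    ordered = sorted(dist, key=dist.get, reverse=True)
    return frozenset(ordered[:size])


def effective_distribution(dist: dict[str, float], blacklist: frozenset[str]) -> dict[str, float]:
    """Distribution of PINs users end up with once the blacklist is enforced.

    Assumption: a user whose first choice is rejected re-picks proportionally to
    the remaining allowed PINs, i.e. the allowed part of the table is renormalised.
    """
    allowed_mass = sum(p for pin, p in dist.items() if pin not in blacklist)
    if allowed_mass == 0:
        raise ValueError("blacklist covers the whole PIN space")
    return {pin: p / allowed_mass for pin, p in dist.items() if pin not in blacklist}


def attacker_success(dist: dict[str, float], guesses: int, blacklist: frozenset[str] = frozenset()) -> float:
    """Probability that an attacker who knows both the blacklist and the
    distribution succeeds within `guesses` attempts, trying likeliest PINs first."""
    eff = effective_distribution(dist, blacklist)
    ranked = sorted(eff.values(), reverse=True)
    return sum(ranked[:guesses])


def evaluate_blacklists(dist: dict[str, float], guesses: int, sizes: tuple[int, ...]) -> list[tuple[int, float, float, float]]:
    """Per blacklist size: (size, share of PIN space rejected, success with, success without)."""
    baseline = attacker_success(dist, guesses)
    rows = []
    for size in sizes:
        bl = blacklist_most_popular(dist, size)
        rows.append((size, size / len(dist), attacker_success(dist, guesses, bl), baseline))
    return rows


if __name__ == "__main__":
    # 274 and 2,910 are the blacklist sizes the article reports; 1,000 and
    # 100,000 are 10% of the respective PIN spaces, the researchers' suggestion.
    for digits, sizes in ((4, (0, 274, 1000)), (6, (0, 2910, 100_000))):
        dist = constructed_pin_distribution(digits)
        print(f"{digits}-digit PINs, attacker limited to 40 guesses")
        for size, share, with_bl, without in evaluate_blacklists(dist, 40, sizes):
            print(f"  blacklist {size:>7} ({share:7.2%} of space): success {with_bl:.3f} vs {without:.3f}")
```

Two things the model makes visible: the usability cost of a blacklist is simply the share of the PIN space it rejects, while its security benefit depends entirely on how much of the users' probability mass those PINs carried, which is why a list that is tiny relative to the space can still be useless if it misses what people actually pick, and why the researchers' answer is stated as a fraction of the space rather than a fixed count.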
The findings, along with the blacklists and the code to build your own blacklist-extraction robot, are available here.