iPhone 6-digit PIN can be easily guessed

Recently, security researchers from Ruhr University Bochum, the Max Planck Institute for Security and Privacy, and the George Washington University studied the security of iPhone PINs and how it is affected by Apple's blacklist mechanism. The results were surprising: the study indicates that the longer six-digit PIN adds little security over the four-digit PIN, and sometimes even reduces it.

The researchers built a camera-equipped Raspberry Pi device that emulates a USB keyboard connected to the iPhone, and used it to test PINs against the iPhone's built-in blacklist by brute force.

In the paper, the researchers present the first comprehensive study of users' 4- and 6-digit PINs (n = 1220) collected on smartphones, alongside four-digit PIN samples from the 2011 Amitay-4 application (204,432 PINs) and six-digit PINs derived from the leaked RockYou password set (2,758,490 PINs). They found that using a 6-digit PIN instead of a 4-digit one provides little additional security and may even reduce it.

The researchers also studied the impact of Apple's blacklists. iOS devices use two blacklists: the 4-digit PIN blacklist contains 274 PINs and the 6-digit PIN blacklist contains 2,910 PINs. The researchers extracted both blacklists with the brute-force device described above and compared them with four other blacklists: a small 4-digit PIN blacklist (27 PINs), a large 4-digit PIN blacklist (2,740 PINs), and two placebo blacklists for 4- and 6-digit PINs, respectively.

It turns out that the relatively small blacklists currently used by iOS provide little benefit against an attacker limited to a small number of guesses. A security gain is only observed with a large blacklist, which in turn comes at the cost of increased user frustration. The researchers' analysis suggests that a blacklist covering about 10% of the PIN space may strike the best balance between usability and security.
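A constructed toy model of that trade-off, added here as an example and not part of the study or its code: it takes an invented 4-digit PIN distribution, applies candidate blacklists of different sizes, and reports the attacker's success within 10 guesses next to the share of users whose first choice is rejected. The distribution, the model of how rejected users re-choose, and the 10-guess budget are assumptions.

```python
from collections import Counter
from fractions import Fraction

# Constructed, illustrative 4-digit PIN frequencies (NOT real data): a short head
# of popular PINs on top of a uniform tail of one user per PIN across the space.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]
POPULAR = {"1234": 300, "0000": 150, "1111": 100, "1212": 60, "7777": 50,
           "2580": 40, "2000": 30, "1004": 25, "4444": 20, "6969": 15}

def build_counts(popular=POPULAR, tail_weight=1):
    """How many users chose each PIN in the constructed population."""
    counts = Counter({pin: tail_weight for pin in PIN_SPACE})
    counts.update(popular)  # Counter.update adds to the existing counts
    return counts

def blacklist_hit_rate(counts, blacklist):
    """Usability cost: share of users whose first choice would be rejected."""
    rejected = sum(n for pin, n in counts.items() if pin in blacklist)
    return Fraction(rejected, sum(counts.values()))

def throttled_success(counts, blacklist, guesses=10):
    """Attacker success within `guesses` attempts (iOS allows 10 before wiping).
    Modelling assumption: the attacker knows the population distribution and
    the blacklist and tries the most popular allowed PINs first; users whose
    first choice was rejected re-choose in proportion to the remaining allowed
    PINs, so the allowed counts are simply renormalised."""
    allowed = Counter({p: n for p, n in counts.items() if p not in blacklist})
    top = sum(n for _, n in allowed.most_common(guesses))
    return Fraction(top, sum(allowed.values()))

def compare(counts, blacklists, guesses=10):
    """(share of space covered, first-choice rejection rate, attacker success)
    for each candidate blacklist."""
    return {name: (Fraction(len(bl), len(PIN_SPACE)),
                   blacklist_hit_rate(counts, bl),
                   throttled_success(counts, bl, guesses))
            for name, bl in blacklists.items()}

if __name__ == "__main__":
    counts = build_counts()
    candidates = {"none": set(),
                  "small (top 5)": {p for p, _ in counts.most_common(5)},
                  "head (top 10)": {p for p, _ in counts.most_common(10)},
                  "10% of space": {p for p, _ in counts.most_common(1000)}}
    for name, (cover, cost, win) in compare(counts, candidates).items():
        print(f"{name:14s} covers {float(cover):5.1%} of the space, rejects "
              f"{float(cost):5.1%} of first choices, 10-guess success {float(win):.2%}")
```

With the uniform tail used here, enlarging the blacklist beyond the popular head only raises the rejection rate without lowering attacker success, which is the usability cost the researchers describe.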