Certain PIN codes are blacklisted on iOS. For example, iOS recommends you don't use 0000 or 0011, but doesn't have a problem with 0001 or 1001. But which combinations of numbers are blacklisted, and does having this blacklist improve security?
Also, is a six-digit PIN better than a four-digit PIN?
Security researchers Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv decided to find out and enlisted the help of a robot built from LEGO parts and a Raspberry Pi to extract a list of blocked four- and six-digit PIN codes.
The first problem that the researchers had to overcome is that iOS uses rate-limiting to prevent hammering it with PIN codes. However, this protection is not in place during the initial setup process.
Using this information, the researchers constructed a device to automate PIN code entry using LEGO bricks, and a Raspberry Pi equipped with a camera. The "robot," which is connected to the iPhone via the Lightning port, emulates a USB keyboard. A PIN is entered, and the camera takes a photo of the iPhone screen.
The photo is then processed to determine whether the PIN code is allowed or blacklisted.
It turns out that Apple has blacklisted 274 four-digit PINs and 2,910 six-digit PINs.
But does this improve security? According to the researchers, no, because the blacklists are too small, and iOS allows users to choose to use blacklisted PIN codes.
"We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack," the researchers wrote. "Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10% of the PIN space may provide the best balance between usability and security."
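To make the researchers' argument concrete, here is an added model (not the researchers' code or data) of the two effects described above: a blacklist only helps a throttled attacker's victims if it removes PINs the attacker would otherwise guess, and letting users override the warning hands that mass back. The PIN popularity figures and the blacklist are constructed for the example, not measured values.

```python
"""Evaluate how much a PIN blacklist helps against a throttled guessing attack.

Added illustration, not the researchers' code. All probabilities and the
blacklist below are CONSTRUCTED for the example, not measured user data.
"""
from itertools import product

ALL_PINS = ["".join(d) for d in product("0123456789", repeat=4)]

# Constructed popularity: ten "favourite" PINs carry 31% of users, the
# remaining 69% is spread uniformly over the other 9,990 PINs.
POPULAR = {"1234": 0.10, "1111": 0.06, "0000": 0.04, "1212": 0.02, "7777": 0.02,
           "1004": 0.02, "2000": 0.02, "4444": 0.01, "2222": 0.01, "6969": 0.01}

def pin_distribution():
    rest = (1.0 - sum(POPULAR.values())) / (len(ALL_PINS) - len(POPULAR))
    return {p: POPULAR.get(p, rest) for p in ALL_PINS}

def apply_blacklist(dist, blacklist, override_rate):
    """Users who hit the blacklist either keep their PIN (override_rate) or
    re-pick; re-pickers are assumed to follow the popularity of allowed PINs."""
    blocked_mass = sum(dist[p] for p in blacklist)
    allowed_mass = 1.0 - blocked_mass
    moved = blocked_mass * (1.0 - override_rate)
    new = {}
    for p, w in dist.items():
        if p in blacklist:
            new[p] = w * override_rate
        else:
            new[p] = w + moved * (w / allowed_mass)
    return new

def throttled_success(dist, guesses):
    """Share of users compromised within `guesses` attempts by an attacker who
    knows `dist` and tries the most popular PINs first (throttled setting)."""
    return sum(sorted(dist.values(), reverse=True)[:guesses])

def evaluate(blacklist, override_rate, guesses=10):
    """Return (success without blacklist, success with blacklist)."""
    base = pin_distribution()
    return (throttled_success(base, guesses),
            throttled_success(apply_blacklist(base, blacklist, override_rate), guesses))

if __name__ == "__main__":
    bl = {"0000", "1111", "2222", "4444", "7777"}   # constructed blacklist
    for rate in (0.0, 0.5, 1.0):
        before, after = evaluate(bl, rate)
        print(f"override {rate:.0%}: {before:.1%} -> {after:.1%} cracked in 10 guesses")
```

With the constructed numbers, a blacklist nobody can override cuts the 10-guess success rate noticeably, while one that every user overrides changes nothing; the real iOS blacklist sits between those extremes, which is the regime the researchers measured.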
The researchers also found that six-digit PIN codes are not much more effective than four-digit PINs because of the numbers users choose.
"Our study found there is little benefit to longer 6-digit PINs as compared to four-digit PINs. Our participants tended to select more-easily guessed six-digit PINs when considering the first 40 guesses of an attacker."
The findings, along with the blacklists, a parts list, and the code to build your own blacklist-extracting robot, can be found at https://this-pin-can-be-easily-guessed.github.io/.