Apple touts its iPhones and iPads as highly secure and difficult to break into, but these bold claims were recently challenged by security researcher Matthew Hickey. He took to Twitter to detail a ‘brute force’ method that reportedly bypassed the iOS passcode on any up-to-date iPhone or iPad.
Hickey, who’s also the co-founder of cybersecurity firm Hacker House, demonstrated the whole brute force hack process on video. It showed him transmitting passcodes over the Lightning cable to a locked iOS device running the latest iOS 11.3 software.
This mechanism inputs all possible 4- or 6-digit combinations as one string without spaces, thus bypassing the security limits placed on Apple devices. Rather than letting the device erase its content after ten wrong tries, the hacker found a way to trigger an interrupt request, which takes priority over all other requests on iOS. Hickey explains:
Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature.
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl – demo of the exploit in action.
— Hacker Fantastic (@hackerfantastic) June 22, 2018
In a statement received by AppleInsider, Apple spokesperson Michele Wyman said that Hickey’s claims were erroneous, adding that “the recent report about a passcode bypass on iPhone was in error and a result of incorrect testing.”
Apple's statement was accompanied by a tweet from Hickey, who may or may not have contacted the Cupertino giant. He qualified his original assertion, saying that the potential ‘brute force’ hack may not work as he initially imagined. He added that not all passcodes are sent to the secure enclave on an iOS device, so the device registers fewer attempts than the number visible to us, even though the passcodes are shown as being tested.
It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
Hickey finally concludes that he will continue to examine the purported hack, as it hasn’t been replicated by anyone else just yet. But all this hubbub may soon come to an end, as Apple is now looking to render Lightning ports useless if the device has not been unlocked in the past hour. This feature is under testing on iOS 11.4, as well as iOS 12, so we can expect to see it very soon.