A security researcher took to his Twitter account on Friday to reveal a bug on iOS devices that can allow passcodes to be bypassed through a brute force attack. The video demonstration caused Apple to push back calling the finding an "error."
A disabling interrupt request
Co-founder of cybersecurity firm Hacker House Matthew Hickey posted a video where he exhibited a method that allowed him to enter an unlimited number of passcodes even on the latest version of iOS 11.3. Under normal circumstances, the device is set to delete all its contents after ten faulty tries.
However, Hickey found that, if an iPhone or iPad was plugged in, any keyboard input would trigger a dangerous and disabling interrupt request. This, according to the expert, meant that sending a bunch of passcodes at once could bypass the erase feature.
"Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl - demo of the exploit in action.— Hacker Fantastic (@hackerfantastic) June 22, 2018
Apple spokesperson Michele Wyman disputed the researcher's claims on Saturday. "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," she said.
However, the company did not provide more information on why the demonstration was erroneous. Instead, Hickey himself tweeted later that he realized that not all tested passcodes were sent to the device.
"The [passcodes] don't always go to the [secure enclave processor] in some instances -- due to pocket dialing [or] overly fast inputs -- so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible," he said.
Hickey further explained that he double-checked his process and found that "when I sent codes to the phone, it appears that 20 or more are entered but in reality, it is only ever sending four or five pins to be checked." This measure would then indeed protect the phones from brute-force attacks.
The news should disappoint law enforcement agencies that have a history of accessing iPhone data by relentlessly entering different passcodes and were reportedly frustrated with Apple's most recent self-erasing security measures. The release of iOS 12 scheduled later this year is also bound to further interfere with their investigative efforts.
The latest device will include a new feature called USB Restricted Mode that will restrict USB access on iOS devices after the iPhone or iPad has been locked for one hour. If not cracked in the first 60 minutes, the device will now essentially become a black box. So long hackers!