New Bug Uncovered by Security Researcher Allows iPhone Passcode to be Hacked

Apple pushed back on the researcher's demonstration calling the method an error. The company was proven to be correct when the expert double-checked his testing.

A security researcher took to his Twitter account on Friday to reveal a bug on iOS devices that can allow passcodes to be bypassed through a brute force attack. The video demonstration caused Apple to push back calling the finding an "error."

A disabling interrupt request

Co-founder of cybersecurity firm Hacker House Matthew Hickey posted a video where he exhibited a method that allowed him to enter an unlimited number of passcodes even on the latest version of iOS 11.3. Under normal circumstances, the device is set to delete all its contents after ten faulty tries.

However, Hickey found that, if an iPhone or iPad was plugged in, any keyboard input would trigger a dangerous and disabling interrupt request. This, according to the expert, meant that sending a bunch of passcodes at once could bypass the erase feature.

"Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.

Apple spokesperson Michele Wyman disputed the researcher's claims on Saturday. "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," she said.

However, the company did not provide more information on why the demonstration was erroneous. Instead, Hickey himself tweeted later that he realized that not all tested passcodes were sent to the device.

Testing debunked!

"The [passcodes] don't always go to the [secure enclave processor] in some instances -- due to pocket dialing [or] overly fast inputs -- so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible," he said.

Hickey further explained that he double-checked his process and found that "when I sent codes to the phone, it appears that 20 or more are entered but in reality, it is only ever sending four or five pins to be checked." This measure would then indeed protect the phones from brute-force attacks. 

Mobile

Hackers May Be Able to Use the Sensors on Your Phone to Guess Your Pin

The news should disappoint law enforcement agencies that have a history of accessing iPhone data by relentlessly entering different passcodes and were reportedly frustrated with Apple's most recent self-erasing security measures. The release of iOS 12 scheduled later this year is also bound to further interfere with their investigative efforts.

The latest device will include a new feature called USB Restricted Mode that will restrict USB access on iOS devices after the iPhone or iPad has been locked for one hour. If not cracked in the first 60 minutes, the device will now essentially become a black box. So long hackers!