A USB-based vulnerability that allows for the brute forcing of a passcode on an iOS device has been discovered by security researcher Matthew Hickey, reports ZDNet.

The method, which bypasses the 10-entry attempt that erases an iOS device when the setting is enabled, allows a hacker to plug an iPhone or iPad into a computer and send all passcodes, from 0000 to 9999, all at once, triggering an input routine that takes priority over anything else on the device. Hickey demos the hack in the video below.

"Instead of sending passcodes one at a time and waiting, send them all in one go," he said.

"If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.

All that's required to use this brute force password cracking method is an iPhone or iPad that's turned on and locked and a Lightning cable, according to Hickey. It works on iOS devices up to iOS 11.3.

Hickey's iPhone cracking method takes between three and five seconds for each four-digit passcode, which means it's slow and not as advanced as other passcode cracking methods employed by companies like Grayshift, which makes the GrayKey box. For this method to guess a six-digit passcode, Hickey says it would take weeks.

Apple in iOS 12 is introducing a new USB Restricted Mode that may put a stop to the vulnerability that Hickey has discovered, as well as vulnerabilities exploited by tools like the GrayKey Box.

ios12usbaccessoriessetting
With USB Restricted Mode, enabled by default on iOS devices running iOS 12, USB access to an iPhone or iPad is cut off if it's been more than an hour since the device was last unlocked.

That means computers and other accessories can't be used to access a locked iPhone if it's been locked for over an hour, disabling access via a USB to Lightning cable.

Update: In a statement obtained by iMore, Apple says "the recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

Top Rated Comments

B4U Avatar
80 months ago
Up to iOS 11.3...
Opens settings > general > about > version
Sees 11.4, close settings and move on with life.
Score: 23 Votes (Like | Disagree)
asdavis10 Avatar
80 months ago
Interesting bug.

Maybe instead of just coming up with ideas, Apple needs to have a team who’s job is to try to break or break into every Apple device. They should be full time employed with their sole mission being to find and exploit every possible weakness.
Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
Score: 13 Votes (Like | Disagree)
jonblatho Avatar
80 months ago
Testing and engineering design seem to have taken a backseat to thinness recently.
Great, this tired point again.

Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
[doublepost=1529717755][/doublepost]
Up to iOS 11.3...
Opens settings > general > about > version
Sees 11.4, close settings and move on with life.
The iOS 11.4 security content notes ('https://support.apple.com/en-us/HT208848') don’t specify anything seemingly related to this bug.
Score: 9 Votes (Like | Disagree)
flyinmac Avatar
80 months ago
Interesting bug.

Maybe instead of just coming up with ideas, Apple needs to have a team who’s job is to try to break or break into every Apple device. They should be full time employed with their sole mission being to find and exploit every possible weakness.
Score: 7 Votes (Like | Disagree)
centauratlas Avatar
80 months ago
Testing and engineering design seem to have taken a backseat to thinness recently.

Between the root bug and ones like this, one wonders how many others are out there.
Score: 6 Votes (Like | Disagree)
TrulsZK Avatar
80 months ago
Get an alphanumeric passcode!

1 attempt takes 4 seconds, that means a 16 digit alphanumeric passcode with upper- and lower case, numbers, and two symbols will take up to 64^16=7,922816251e28 seconds which is in practice never. Unless you can run a dictionary attack or something.

With the brute force attempts an alphanumeric passcode is the only solution to stay safe.
[doublepost=1529735909][/doublepost]
3. Pops SIM out of tray
That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.
Score: 6 Votes (Like | Disagree)

Popular Stories

iPhone 17 Plus Feature

iPhone 17 Lineup Specs Detail Display Upgrade and New High-End Model

Monday July 22, 2024 4:33 am PDT by
Key details about the overall specifications of the iPhone 17 lineup have been shared by the leaker known as "Ice Universe," clarifying several important aspects of next year's devices. Reports in recent months have converged in agreement that Apple will discontinue the "Plus" iPhone model in 2025 while introducing an all-new iPhone 17 "Slim" model as an even more high-end option sitting...
iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Rumored to Use Same Rear Chassis as iPhone 16

Friday July 19, 2024 7:16 am PDT by
Apple will adopt the same rear chassis manufacturing process for the iPhone SE 4 that it is using for the upcoming standard iPhone 16, claims a new rumor coming out of China. According to the Weibo-based leaker "Fixed Focus Digital," the backplate manufacturing process for the iPhone SE 4 is "exactly the same" as the standard model in Apple's upcoming iPhone 16 lineup, which is expected to...
Apple TV Plus Feature 2 Magenta and Blue

Apple TV+ Curbs Costs After Expensive Projects Fail to Capture Viewers

Monday July 22, 2024 5:11 am PDT by
Apple is scaling back its Hollywood spending after investing over $20 billion in original programming with limited success, Bloomberg reports. This shift comes after the streaming service, which launched in 2019, struggled to capture a significant share of the market, accounting for only 0.2% of TV viewership in the U.S., compared to Netflix's 8%. Despite heavy investment, critical acclaim,...
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
iPhone 17 Plus Feature Purple

These 5 Features Will Make the iPhone 17 the Biggest Update in Years

Monday July 22, 2024 4:02 pm PDT by
The upcoming iPhone 16 models that we're expecting to see in September are going to be quite similar to the iPhone 15 models, but rumors suggest that Apple is making big changes in 2025. We've been hearing hints of an all-new device in the iPhone lineup, and it may be the most expensive iPhone Apple has offered to date. New 'Slim' Design Rumors have taken to referring to the new iPhone 17...
iPhone SE 4 Thumb 1

iPhone SE 4 Rumored to Launch Early Next Year With OLED Display, 48MP Camera, and More

Monday July 22, 2024 7:22 am PDT by
The fourth-generation iPhone SE will offer a series of major upgrades over the current model, the leaker known as "Ice Universe" claims. The information was listed in a post on Weibo, which also detailed the specifications of the iPhone 17 lineup. As previously rumored, the fourth-generation iPhone SE is expected to feature Face ID and USB-C, marking a major upgrade from current and previous ...
bsod

Microsoft Blames European Commission for Major Worldwide Outage

Monday July 22, 2024 11:55 am PDT by
Last Friday, a major CrowdStrike outage impacted PCs running Microsoft Windows, causing worldwide issues affecting airlines, retailers, banks, hospitals, rail networks, and more. Computers were stuck in continuous recovery loops, rendering them unusable. The failure was caused by an update to the CrowdStrike Falcon antivirus software that auto-installed on Windows 10 PCs, but Mac and Linux...