Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11 [Updated]

A USB-based vulnerability that allows for the brute forcing of a passcode on an iOS device has been discovered by security researcher Matthew Hickey, reports ZDNet.

The method, which bypasses the 10-entry attempt that erases an iOS device when the setting is enabled, allows a hacker to plug an iPhone or iPad into a computer and send all passcodes, from 0000 to 9999, all at once, triggering an input routine that takes priority over anything else on the device. Hickey demos the hack in the video below.

"Instead of sending passcodes one at a time and waiting, send them all in one go," he said.

"If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.
All that's required to use this brute force password cracking method is an iPhone or iPad that's turned on and locked and a Lightning cable, according to Hickey. It works on iOS devices up to iOS 11.3.

Hickey's iPhone cracking method takes between three and five seconds for each four-digit passcode, which means it's slow and not as advanced as other passcode cracking methods employed by companies like Grayshift, which makes the GrayKey box. For this method to guess a six-digit passcode, Hickey says it would take weeks.

Apple in iOS 12 is introducing a new USB Restricted Mode that may put a stop to the vulnerability that Hickey has discovered, as well as vulnerabilities exploited by tools like the GrayKey Box.


With USB Restricted Mode, enabled by default on iOS devices running iOS 12, USB access to an iPhone or iPad is cut off if it's been more than an hour since the device was last unlocked.

That means computers and other accessories can't be used to access a locked iPhone if it's been locked for over an hour, disabling access via a USB to Lightning cable.

Update: In a statement obtained by iMore, Apple says "the recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."


Top Rated Comments

(View all)
Avatar
13 weeks ago
Up to iOS 11.3...
Opens settings > general > about > version
Sees 11.4, close settings and move on with life.
Rating: 23 Votes
Avatar
13 weeks ago

Interesting bug.

Maybe instead of just coming up with ideas, Apple needs to have a team who’s job is to try to break or break into every Apple device. They should be full time employed with their sole mission being to find and exploit every possible weakness.


Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
Rating: 13 Votes
Avatar
13 weeks ago

Testing and engineering design seem to have taken a backseat to thinness recently.

Great, this tired point again.

Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
[doublepost=1529717755][/doublepost]

Up to iOS 11.3...
Opens settings > general > about > version
Sees 11.4, close settings and move on with life.

The iOS 11.4 security content notes ('https://support.apple.com/en-us/HT208848') don’t specify anything seemingly related to this bug.
Rating: 9 Votes
Avatar
13 weeks ago
Interesting bug.

Maybe instead of just coming up with ideas, Apple needs to have a team who’s job is to try to break or break into every Apple device. They should be full time employed with their sole mission being to find and exploit every possible weakness.
Rating: 7 Votes
Avatar
13 weeks ago

It’s stansard practice to indicate that there’s an update to these articles. The rest of us can read to the bottom and don’t need a special write up. Also the original story is still right there on the front so what is being pushed aside?


The headline isn't true and the story's been moved to the "more stories" side bar, whereas it was previously a leading news item on the site. Given the importance of the original item, they should properly correct it by changing the headline on the existing article (not just adding "updated", which makes it seem like there's now more detail but that the nature of the story hasn't fundamentally changed) and then write a new leading news item that points out that what they previously published is now known to be false.
Rating: 6 Votes
Avatar
13 weeks ago
Testing and engineering design seem to have taken a backseat to thinness recently.

Between the root bug and ones like this, one wonders how many others are out there.
Rating: 6 Votes
Avatar
13 weeks ago
Get an alphanumeric passcode!

1 attempt takes 4 seconds, that means a 16 digit alphanumeric passcode with upper- and lower case, numbers, and two symbols will take up to 64^16=7,922816251e28 seconds which is in practice never. Unless you can run a dictionary attack or something.

With the brute force attempts an alphanumeric passcode is the only solution to stay safe.
[doublepost=1529735909][/doublepost]

3. Pops SIM out of tray


That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.
Rating: 6 Votes
Avatar
13 weeks ago

Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.

True, but I have to agree that there has been a string of vulnerabilities here that really shouldn't have happened, and they seem to be happening at a higher rate than in the past. These haven't been subtle "buffer overflow from malformed WiFi packets" kind of vulnerabilities, they've been "access with an empty password" and "flood the USB interface with passcode attempts" kind of vulnerabilities.

I'm sure Apple has a QA team and a security team-- the question is whether they need to grow those efforts, give them more priority, and possibly change their processes.

Based on recent events, I'd lean toward answering "yes" to those questions.
Rating: 5 Votes
Avatar
13 weeks ago
Just another vulnerability in iOS found by one guy tinkering with an iPhone.

One guy.

There are nation states working on the very same thing (cracking iPhones) and they will never reveal the vulnerabilities they've found.

People have got to get over the fantasy that iOS devices are secure. Sure they're secure enough to keep a purse snapper at bay, but if you run afoul of the law, expect your iPhone to incriminate you better than 10 eye witnesses.
Rating: 5 Votes
Avatar
13 weeks ago
So... when is MR going to publish a front page article about the fact that this story was bunk from the start? Because if you publish something that turns out to be incorrect as a front page story, you should issue a front page story about that too, not just update the existing post and push it to the side.
Rating: 4 Votes
[ Read All Comments ]