Security Researcher Finds Way to Brute Force Locked iPhone Running iOS 11 [Update: Apple Responds]


Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, has managed to find a way to brute-force his way into an iPhone or iPad running the latest version of iOS.

Apple has various security measures, both hardware and software, that ensure hackers are unable to bypass the passcode and gain unauthorized access to a locked iOS device. While hackers have tried and continue to try to brute force their way into a locked iPhone or iPad, Apple has managed to thwart such attempts using a dedicated security chip called the Secure Enclave on its devices, along with other software enhancements.

The Secure Enclave keeps a count of the number of times an incorrect passcode is entered and then progressively makes it more difficult to enter another passcode. If the user has enabled the option, after 10 failed attempts the device in question is completely wiped.

However, Matthew Hickey has found a way to bypass all these security measures from Apple, and all he needs is a Lightning cable and the device to be powered on. This works on all iPhones and iPads running iOS 11.4 or lower. He explains that when keyboard input is sent to an iPhone or iPad, it raises an interrupt request that takes priority over any other action on the device.

The attack takes advantage of this interrupt request by sending one long string of inputs instead of sending one passcode at a time.

An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in a single string with no spaces. Because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature, he explained.

This does mean that the hack relies on the iPhone or iPad in question being up and running, though this is not really a major problem.

Apple iOS “Erase data” bypass attack from Hacker Fantastic on Vimeo.

While Hickey's hack can work with six-digit passcodes, it is extremely slow: it tries one passcode every three to five seconds and takes about an hour to run through a hundred four-digit codes. It also might not survive the USB Restricted Mode that Apple is introducing with iOS 12, which will essentially only allow an iOS device to be charged over USB if it has remained locked for more than an hour.

Hickey has already informed Apple about the bug and said that it is not a difficult one to identify.

It is possible that the GrayKey box made use of a similar vulnerability in iOS to unlock locked iPhones or iPads. However, with USB Restricted Mode in iOS 12 possibly putting an end to this hack as well, it remains a mystery how the company has managed to ensure that its GrayKey box is still able to brute-force its way into locked iOS devices running iOS 12.

Update: Apple has issued a statement to iMore saying the passcode bypass was the result of incorrect testing.

“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing”

[Via ZDNet]