Apple is a perpetual battle to stay ahead of hackers and secure its devices but a new bug discovered by a security researcher and reported by ZDNet shows the passcode that protects iOS devices can be bypassed through a brute force attack, leaving iPhones and iPads vulnerable to being exploited.
Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, recently discovered a way to bypass some of Apple’s security measures meant to keep malicious actors out of devices. The attack works even on devices running the most recent version of iOS.
To understand how the attack works, here’s what you need to know: Apple started encrypting iOS devices back in 2014. In order to access that encrypted information, iPhones and iPads require users to enter a four- or six-digit passcode to protect the device that they choose when first setting up the device. If the passcode is entered incorrectly on 10 occasions, Apple’s operating system wipes the device and deletes the information forever.
These security measures have been the bedrock of Apple’s privacy-first approach in recent years, and have pissed off law enforcement agencies that used to be able to access iPhone data by endlessly entering passcodes or asking Apple to just grab the information for them. (Apple doesn’t have access to a user’s passcode, so theoretically only the device owner can unlock the iPhone or iPad.)
What Hickey discovered, according to ZDNet, is a way to bypass the 10 guess limit when entering a passcode, allowing someone to endlessly enter combinations until the device is unlocked. All a malicious actor needs to carry out the brute force attack, per Hickey, is “a turned on, locked phone and a Lightning cable.”
In a demonstration video Hickey posted online, he demonstrates how the attack works. Basically, when the iPhone or iPad is plugged in, a hacker can use keyboard inputs to enter passcode guesses instead of tapping the numbers on the device’s screen. When the keyboard inputs occur, it triggers an interrupt request that takes priority over everything else happening on the device. An attacker could create a massive string of inputs and send them all at once and iOS would allow an endless string of guesses without erasing the device.
The attack is slow, entering just one passcode every three to five seconds, per ZDNet, which works out to about 100 four-digit codes every hour. But it appears to be effective, even against iOS devices running version 11.3 of the mobile operating system. That could make the tool valuable to government agencies and the groups that work with law enforcement to crack open iPhones. It isn’t clear if the vulnerability is already in use by devices like GrayShift’s GrayKey.
When iOS 12 is released later this year, the brute force attack may become less valuable. Apple is introducing a new feature called USB Restricted Mode. Once implemented, the feature will restrict USB access on iOS devices after the iPhone or iPad has been locked for one hour, making the device a black box if it’s not cracked in the first 60 minutes.
Update, June 24th, 9:30am: Apple pushed back against Hickey’s discovery, claiming that there is no vulnerability. “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing,” a spokesperson for the company told Gizmodo.
In a tweet, Hickey said that the PINs doesn’t always go to Apple’s Secure Enclave Processor, which houses the passcode. “So although it looks like PINs are being tested they aren’t always sent and so they don’t count,” he wrote. “The devices register less counts than visible.”