iPhone Brute Force Passcode Hack Discovered, Apple Says "Nope"
Apple's hard stance on protecting its customers' privacy through security and encryption is a double-edged sword. On the one hand, it paints a reassuring picture for users. On the other hand, it practically challenges hackers, state-sponsored or otherwise, to break through. As a result, Apple's devices, particularly iPhones, have become a prime target of hacking attempts. One security researcher initially claimed he had found a way to brute force passcode guessing despite iOS's hard limits. It turns out, however, that this may not be the case after all.
At the heart of this claimed vulnerability is Apple's Secure Enclave. In a nutshell, it is responsible for unlocking the phone only when a valid passcode or biometric is given. For passcode input, it limits the number of tries someone can make, after which it refuses to accept any further input until a timed delay has elapsed. In the worst case for an attacker, a user can opt to have the device wiped after ten incorrect attempts.
Hacker House security firm co-founder Matthew Hickey revealed on Twitter that he may have found a way to bypass those attempt limits when passing data via a Lightning connection. According to Hickey, instead of trying a different passcode each time, you could send all the possible combinations as one enormous string of digits. The Secure Enclave would then test them all, as if the attacker had an unlimited number of tries.
Apple iOS <= 12 Erase Data bypass, tested heavily with iOS 11, brute force 4/6-digit PINs without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl – demo of the exploit in action.
— hackerfantastic.x (@hackerfantastic) June 22, 2018
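To make the attempt-limiting described above concrete, here is a small Python model of such a check, added for this article and not Apple's code or anything from Hickey's demo. It shows why the "one enormous string" idea would fail against a correctly enforced counter: every submitted string is one attempt regardless of how many PINs it concatenates, delays escalate after the fifth failure, and the tenth failure wipes. The delay schedule and PBKDF2 parameters are constructed for the example, not Apple's actual values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative escalating delays (seconds) keyed by consecutive-failure count.
# Constructed for this example; not Apple's real schedule.
DELAYS = {6: 60, 7: 300, 8: 900, 9: 3600}
WIPE_AFTER = 10  # the article's "wiped after ten incorrect attempts" option


@dataclass
class PasscodeGate:
    """Defender-side model of an attempt-limited passcode check."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0  # timestamp before which input is refused
    wiped: bool = False

    @staticmethod
    def _derive(salt: bytes, passcode: str) -> bytes:
        # Slow hash so each guess costs real work (example parameters).
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)

    @classmethod
    def enrol(cls, passcode: str) -> "PasscodeGate":
        salt = secrets.token_bytes(16)
        return cls(salt=salt, digest=cls._derive(salt, passcode))

    def attempt(self, candidate: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            # Refused outright during the delay; not forwarded, not counted.
            return "throttled"
        # The whole submitted string is compared as a single candidate, so
        # concatenating "0000"+"0001"+... is still exactly one attempt.
        if hmac.compare_digest(self._derive(self.salt, candidate), self.digest):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped"
        self.locked_until = now + DELAYS.get(self.failures, 0)
        return "denied"
```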
Replying to AppleInsider, Apple simply said that the report was erroneous and the result of incorrect testing. The company didn't go into further detail, unsurprisingly, but it seems to have reached out to Hickey as well. The security researcher later changed his tune, saying that in practice it merely looked like dozens of PINs were being tested when, in truth, only a small number were.
It seems @i0n1c may be right: the PINs don't always go to the SEP in some instances (due to pocket dialing / overly fast inputs), so although it "looks" like PINs are being tested they aren't always sent and so they don't count; the devices register fewer counts than visible @Apple
— hackerfantastic.x (@hackerfantastic) June 23, 2018
That said, it might all be moot in iOS 12. Apple will be introducing a USB Restricted Mode, which disables any data transfer over the cable once an hour has passed since the device was last unlocked. This feature is meant to cut off attacks like this one, as well as tools such as the well-known GrayKey used by some government agencies, at the root. Reports claim that GrayKey maker Grayshift already has a way around it.