Don't panic! Hackers have not found a way to bypass the iPhone passcode limit

iPhone passcode

Enter the wrong passcode into an iPhone and you'll not only be denied access to it, but also run the risk of wiping its contents if you enter an incorrect code too many times. This is a problem faced by law enforcement agencies when they encounter iPhones in the cases they're working on -- as well as people trying to hack into phones for nefarious purposes -- so it's little wonder that hackers are constantly trying to find a way to earn unlimited guesses at passcodes.

One hacker thought he had cracked it. Security researcher Matthew Hickey proudly boasted at having discovered a delightfully simple method for brute-forcing entry into an iPhone -- he even posted a video of his hack in action. But there's no need to panic. Apple explains that "incorrect testing" renders Hickey's method worthless.

See also:

Hickey initially took to Twitter to share what he believed were incredible findings: a way to "brute force 4/6digit PIN's without limits" [sic]. He posted a video of his "hack" in action, saying that by sending all possible passcodes to an iPhone that is plugged it at once, not leaving time for individual processing. He said: "Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature".

Apple iOS "Erase data" UI glitch from Hacker Fantastic on Vimeo.

A ZDNet article (since updated) explained how the bypass hack supposedly works:

An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces. Because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature, he explained. That means the attack works only after the device is booted up, said Hickey, because there are more routines running.

CEO of security firm Antid0te UG, Stefan Esser, disputed the initial findings, saying on Twitter:

Later, he went on to tweet:

Sure enough, Apple did issue a statement about the matter, with company spokesperson Michele Wyman saying:

The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.

This may seem like an offhand dismissal -- and a little more detail from Apple certainly wouldn't have gone amiss here -- but it seems that, perhaps unsurprisingly, the company is correct.

Hickey tweeted, saying:

He also updated the description of his video to make it clear that the bypass he thought he had found was not really a bypass at all:

iOS has a glitch in the UI when pins are sent as duplicates or too quickly, to prevent accidental pin entry these pins are never tested by the device. This video showed what was original believed to be a bypass exploit for the erase data function, however the SEP is not actually processing the majority of the input PIN's due to the aforementioned feature in iOS. So although the device appears to process multiple pins sent at once, it in fact only processes a smaller number of inputs. This means the bypass attack isn't valid as it only appears that those pins were tested.

In short, this is good news for iPhone owners. After a small scare, it would appear that passcodes are just as safe as they have ever been, and there is no brute force out there in the wild... yet.

Image credit: KOKTARO / Shutterstock

© 1998-2018 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.