Don't panic! Hackers have not found a way to bypass the iPhone passcode limit
Enter the wrong passcode into an iPhone and you'll not only be denied access to it, but also run the risk of wiping its contents if you enter an incorrect code too many times. This is a problem faced by law enforcement agencies when they encounter iPhones in the cases they're working on -- as well as people trying to hack into phones for nefarious purposes -- so it's little wonder that hackers are constantly trying to find a way to earn unlimited guesses at passcodes.
One hacker thought he had cracked it. Security researcher Matthew Hickey boasted of having discovered a delightfully simple method for brute-forcing entry into an iPhone -- he even posted a video of his hack in action. But there's no need to panic. Apple explains that "incorrect testing" renders Hickey's method worthless.
Hickey initially took to Twitter to share what he believed were incredible findings: a way to "brute force 4/6digit PIN's without limits" [sic]. He posted a video of his "hack" in action, saying that it works by sending all possible passcodes at once to an iPhone that is plugged in, leaving no time for individual processing. He said: "Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature".
A ZDNet article (since updated) explained how the bypass hack supposedly works:
An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces. Because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature, he explained. That means the attack works only after the device is booted up, said Hickey, because there are more routines running.
CEO of security firm Antid0te UG, Stefan Esser, disputed the initial findings, saying on Twitter:
Is there a video where this actually works? I mean: you send the real passcode in one go and it ends up unlocking. I believe I tried something like this and it turned out that all those subsequent fails are because the device doesn’t actually try those passcodes until you pause https://t.co/AIFUT30amL
— Stefan Esser (@i0n1c) June 22, 2018
Later, he went on to tweet:
Wonder if Apple will publicly comment on this one and say that it is actually not true and just the result of wrong testing. https://t.co/3LJb9nVVFQ
— Stefan Esser (@i0n1c) June 23, 2018
Sure enough, Apple did issue a statement about the matter, with company spokesperson Michele Wyman saying:
The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.
This may seem like an offhand dismissal -- and a little more detail from Apple certainly wouldn't have gone amiss here -- but it seems that, perhaps unsurprisingly, the company is correct.
Hickey tweeted, saying:
It seems @i0n1c may be right, the pins don't always go to the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
He also updated the description of his video to make it clear that the bypass he thought he had found was not really a bypass at all:
iOS has a glitch in the UI when pins are sent as duplicates or too quickly, to prevent accidental pin entry these pins are never tested by the device. This video showed what was originally believed to be a bypass exploit for the erase data function, however the SEP is not actually processing the majority of the input PINs due to the aforementioned feature in iOS. So although the device appears to process multiple pins sent at once, it in fact only processes a smaller number of inputs. This means the bypass attack isn't valid as it only appears that those pins were tested.
In short, this is good news for iPhone owners. After a small scare, it would appear that passcodes are just as safe as they have ever been, and there is no working brute-force method out there in the wild... yet.
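The testing error described in Hickey's updated video description can be reproduced with a toy model, added here as an illustration and not code from Apple, Hickey or iOS. It counts attempts at the input layer and at the component that enforces the limit, and shows the two numbers diverging when entries arrive too fast. The class names, the 100 ms debounce window, the limit of 10 failures and the sample passcode are all assumptions made for the model.

```python
"""Toy model (constructed, not iOS code) of why rapid passcode input misleads a tester."""
from dataclasses import dataclass

MIN_GAP_MS = 100   # assumed debounce window; the real value is not public
ERASE_AFTER = 10   # assumed failed-attempt limit for the erase-data option

@dataclass
class SecureCounter:
    """Stands in for the component that verifies passcodes and enforces the limit."""
    secret: str
    failures: int = 0
    erased: bool = False
    unlocked: bool = False

    def verify(self, code):
        if self.erased or self.unlocked:
            return
        if code == self.secret:
            self.unlocked = True
            return
        self.failures += 1
        if self.failures >= ERASE_AFTER:
            self.erased = True

@dataclass
class InputFrontEnd:
    """Stands in for the UI layer: it shows every entry but forwards only some."""
    backend: SecureCounter
    shown: int = 0
    last_ms: float = None
    last_code: str = None

    def submit(self, code, at_ms):
        self.shown += 1
        too_fast = self.last_ms is not None and at_ms - self.last_ms < MIN_GAP_MS
        duplicate = code == self.last_code
        self.last_ms, self.last_code = at_ms, code
        if too_fast or duplicate:
            return  # treated as accidental input, never verified or counted
        self.backend.verify(code)

def run(codes, gap_ms, secret="7392"):
    """Feed codes at a fixed interval; return (shown, failures, erased, unlocked)."""
    backend = SecureCounter(secret)
    ui = InputFrontEnd(backend)
    for i, code in enumerate(codes):
        ui.submit(code, i * gap_ms)
    return ui.shown, backend.failures, backend.erased, backend.unlocked
```

In this model a burst that contains the correct passcode still fails to unlock, which is the check Esser asked for: a claimed bypass has to be validated at the enforcing component, not by what the screen appears to accept.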