Security Researcher Reveals Method For Bypassing iOS Passcode

Joanna Estrada
June 25, 2018

The company also said it has made changes in the low-level software used to allow interaction with peripherals via USB, like keyboards, to fix security exploits and weaknesses it had found. Hickey's demonstration only showed it in action against a recent release of iOS, version 11.3, while the current version is 11.4, and version 12 will be out later this fall. That means the iPhone would be too busy to erase the device if the attacker sends it one passcode guess after another.

On newer devices, Apple's Secure Enclave takes things to the next level and helps offer an even greater and more intelligent level of protection on the device. Often protected by a four- or six-digit passcode, a hardware and software combination has made it almost impossible to break into an iPhone or iPad without cooperation from the device owner.

Hickey further explained that he double-checked his process and found that "when I sent codes to the phone, it appears that 20 or more are entered but in reality, it is only ever sending four or five pins to be checked". Thus, the keyboard input takes priority over the wiping feature.

It seems that the hack works by sending all possible passcodes to the device, from 0000 to 9999, in one long string, forcing the iOS platform to iterate through each number in one process, therefore getting around the entry-attempt restrictions.

Little is publicly known about the company or its flagship product, but the $15,000 box allows law enforcement to break any iOS device's passcode, giving police full access to a device's file system - messages, photos, call logs, browsing history, keychain, and user passwords, and more.

The new feature will effectively prevent anyone from using the USB cable for anything other than charging the device if someone hasn't unlocked the device with a passcode within the last hour. Hickey's attack is slow, taking about 3-5 seconds to try each passcode. In order to access that encrypted information, iPhones and iPads require users to enter a four- or six-digit passcode to protect the device that they choose during set-up.

Hickey has already informed Apple about the bug and said that it not a hard one to identify.

Apple spokesperson Michele Wyman disputed the researcher's claims on Saturday.

You can send tips securely over Signal and WhatsApp at 646-755-8849.

Other reports by Click Lancashire

Discuss This Article