
Apple Says Bug Exploited by $500 Passcode Guessing Box to Crack iPhone 7 is Patched in iOS 11

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,028
12,565



iOS 11 patches an exploit that could be used to crack an iPhone 7 or iPhone 7 Plus passcode using a $500 hardware hacking solution, Apple confirmed to TechCrunch this afternoon.

The exploit, demonstrated by YouTube user EverythingApplePro yesterday, was never really of any concern to iPhone users because of the extreme parameters required to make it work in a timely manner, according to TechCrunch. It uses a $500 piece of hardware, requires physical access to an iPhone 7 or 7 Plus, realistically only works with a 4 digit passcode, and slows down drastically more than 10 minutes after an iPhone's passcode was last changed.


The "box" shown off in the video is similar to tools used by law enforcement officials, and while passcode-guessing hardware like this does not normally work at this speed because iOS devices lock you out after several failed passcode entry attempts, there is a bug in iOS 10 that makes it possible to guess a passcode over and over for a short period directly after the passcode has been changed. TechCrunch explains:
On iOS 10, there is a "bug" for lack of a better term, that allows repeated, rapid guesses of the passcode if you've changed it within the last minute or so. This allows the box to work within that period. Once another threshold is crossed -- say 10 minutes after a passcode is changed -- you no longer have the freedom to guess rapidly.
Without the rapid guessing enabled by the iOS 10 bug, it takes much, much longer for a solution like the box to get into an iPhone because it's slowed down by Apple's passcode timeout. A six digit passcode (now the default on iOS devices) that had not been changed recently would take approximately 9.5 years to crack, for example.

According to Apple, the behavior that allows the box to work has been patched as of iOS 11 beta 4.

Article Link: Apple Says Bug Exploited by $500 Passcode Guessing Box to Crack iPhone 7 is Patched in iOS 11
 

826317

Cancelled
Jun 28, 2013
460
4,322
Rent-free in your head
That's just very bad programming if I may say so... As a software dev. you should know that at every passcode screen, a limited number of attempts should be set in place. If not, you get guys like these who think they're "hackers" by selling an overpriced iterative pin code guesser hahahaha
 
Comment

Zirel

Suspended
Jul 24, 2015
2,196
3,008
That's just very bad programming if I may say so... As a software dev. you should know that at every passcode screen, a limited number of attempts should be set in place. If not, you get guys like these who think they're "hackers" by selling an overpriced iterative pin code guesser hahahaha

iOS has a feature to wipe your device after 10 wrong attempts.

Also, it has a function for that, that makes you wait X seconds between the attempt.

This is an exploit of a bug. Not programmer's lenience.

To flog to YouTubers hoping to make money from adverts.

I think he already got the money from the people making this useless crap. They are going to sell a ton of these, while in the real world, it's 99.9% useless.
 
Comment

826317

Cancelled
Jun 28, 2013
460
4,322
Rent-free in your head
This is an exploit of a bug. Not programmer's lenience.
Considering that the pin code lock screen should be a uniform feature across the entire OS I don't see why the attempt limit was not implemented at that particular stage of up/downgrading the OS.... Essentially it was just missing code. I doubt there was actually a bug which allowed the user to enter infinite codes without being blocked out.
 
Comment

Nozuka

macrumors 68030
Jul 3, 2012
2,732
3,746
Most people never change their passcode anyway... so this bug exploit will never work.
 
Comment

xero9

macrumors 6502a
Nov 7, 2006
859
481
Did you read the entire article or just the headline? This won’t work unless you changed the passcode in the last 10 minutes or if erase after 10 attempts is enabled. It’s useless.

I read it, but I don't see any mention of the erase after 10 attempts you are talking about.

Are you saying if "erase after 10 failed attempts" is enabled, this allows the tool to work? That seems counter-productive to that feature's usefulness.
 
Comment

jinnj

macrumors 6502
Dec 9, 2011
412
285
They don't think they're hackers - they know how simple the product is. The person buying it thinks they're a hacker because they have the product.
Nah many of these "Script Kiddies" are delusional enough to think they are hackers! Same with the "Programmers" who torrent RetroPie/Kodi images, copy them onto SD cards, place them on Raspberry Pi's and sell them for $200!
 
Comment

uroshnor

macrumors member
Nov 4, 2015
63
69
So basically don't use your iPhone 7 until iOS 11 comes out lol.
No. It's basically, if you change your password before you have upgraded to iOS 11, plan to not lose your phone in the first few minutes after you change it.

The other thing here is that even given that starting point - it is only effective against 4 digit pins. All devices running iOS 9 and later with TouchID default to 6 digit pins, and you can always go for something longer and alphanumeric. You have to actively choose to downgrade to a 4 digit pin.

6 digit will take months, alphanumeric will take centuries easily.
I wonder how many other vulnerabilities iOS has that only Cellebrite knows about.

https://www.macrumors.com/2017/02/24/cellebrite-lawful-unlocking-iphone-6/

Cellebrite mainly buy/broker research that other organizations have done, and package it up into simple easy to use tools that make the forensics more straightforward to capture.

Their marketing is effective & they get credited with way more than they can actually do.
 
Comment

now i see it

macrumors 603
Jan 2, 2002
5,986
12,347
It was interesting to note that the "brute force" guessing algorithm is: 0001, 0002, 0003 sequentially up to eventually 9999. The presenter of the vid set his password to 0016, so it only took that gadget 16 guesses.
 
Comment

Westside guy

macrumors 603
Oct 15, 2003
5,744
2,935
The soggy side of the Pacific NW
On a side note... that video is a case in point of why I avoid YouTube videos when I'm trying to learn about anything - the dude took what should've been maybe a 1-2 minute video, but padded it out to 12+ rambling minutes.

The "best" how to's... and I've seen several of them... are the ones where it's just a camera showing the terminal screen of some guy typing Unix commands. Seriously, dude, one short web page with a single screen capture would answer my question, but you want me to listen to your whiny voice while I watch you type for six minutes?!
 
Comment

kdarling

macrumors P6
It was interesting to note that the "brute force" guessing algorithm is: 0001, 0002, 0003 sequentially up to eventually 9999. The presenter of the vid set his password to 0016, so it only took that gadget 16 guesses.

Heh. True, a smarter "guessing" bot would at least start off with the most common passcodes used by the majority of people.

Passcodes like 0000, 1111, 1234, 7777 and so forth.

Researchers have also found a much better chance of running across a passcode if you search between 1930 and 2017, which follows the birthday years of the owner, their parents, or their kids. For that matter, passcodes between 1980 and 1999 are most common, which goes with a common age set of iPhone owners.
 
Comment
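The guessing orders discussed in the posts above (an in-order sweep, common codes first, birth years between 1930 and 2017) can be turned into a check that a passcode-setting screen runs before accepting a new code. This is an added example, not code from the thread or from Apple; the function name, the cutoff of 100 and the sample codes are assumptions made for illustration.

```python
"""Numeric passcode policy check (added example; thresholds are assumptions)."""

YEAR_RANGE = range(1930, 2018)  # birth-year window mentioned in the thread
LOW_RANK_CUTOFF = 100           # assumed: values an in-order sweep reaches almost at once


def weakness_reasons(passcode):
    """Return the reasons a numeric passcode is easy to guess (empty list: none found)."""
    if not passcode.isdigit():
        raise ValueError("numeric passcodes only")

    reasons = []
    digits = [int(c) for c in passcode]

    # Four digits is a 10,000-code space; six digits is the current default.
    if len(digits) < 6:
        reasons.append("shorter than 6 digits")

    # 0000, 1111, 7777 ...
    if len(set(digits)) == 1:
        reasons.append("single repeated digit")

    # 1234, 9876, and wrapped runs such as 8901: every step is +1 or -1 mod 10.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")

    # Four-digit codes that read as a plausible birth year.
    if len(digits) == 4 and int(passcode) in YEAR_RANGE:
        reasons.append("looks like a birth year")

    # Low numeric value, e.g. the 0016 used in the video, whatever the length.
    if int(passcode) < LOW_RANK_CUTOFF:
        reasons.append("reached early by an in-order sweep")

    return reasons


if __name__ == "__main__":
    # Constructed sample codes, not taken from any real device.
    for code in ("0016", "1234", "7777", "1985", "000016", "582946"):
        print(code, weakness_reasons(code) or "no weakness found")
```
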