
MacRumors

macrumors bot
Original poster
Apr 12, 2001
61,400
26,767



A USB-based vulnerability that allows for the brute forcing of a passcode on an iOS device has been discovered by security researcher Matthew Hickey, reports ZDNet.

The method, which bypasses the setting that erases an iOS device after 10 failed passcode entries, allows a hacker to plug an iPhone or iPad into a computer and send all passcodes, from 0000 to 9999, all at once, triggering an input routine that takes priority over anything else on the device. Hickey demos the hack in the video below.

"Instead of sending passcodes one at a time and waiting, send them all in one go," he said.

"If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.

All that's required to use this brute force password cracking method is an iPhone or iPad that's turned on and locked and a Lightning cable, according to Hickey. It works on iOS devices up to iOS 11.3.

Hickey's iPhone cracking method takes between three and five seconds for each four-digit passcode, which means it's slow and not as advanced as other passcode cracking methods employed by companies like Grayshift, which makes the GrayKey box. For this method to guess a six-digit passcode, Hickey says it would take weeks.

Apple in iOS 12 is introducing a new USB Restricted Mode that may put a stop to the vulnerability that Hickey has discovered, as well as vulnerabilities exploited by tools like the GrayKey Box.


With USB Restricted Mode, enabled by default on iOS devices running iOS 12, USB access to an iPhone or iPad is cut off if it's been more than an hour since the device was last unlocked.

That means computers and other accessories can't be used to access a locked iPhone if it's been locked for over an hour, disabling access via a USB to Lightning cable.

Update: In a statement obtained by iMore, Apple says "the recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

Article Link: Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11 [Updated]
 

newyorksole

macrumors 601
Apr 2, 2008
4,931
6,134
New York.
So if someone forgets their passcode and needs to DFU their iPhone, they won’t be able to if USB Restrict is turned on? Interesting.

I hope that setting isn’t on by default.
 

asdavis10

macrumors 6502
Feb 3, 2008
460
2,564
Bermuda
Interesting bug.

Maybe instead of just coming up with ideas, Apple needs to have a team whose job is to try to break or break into every Apple device. They should be employed full time with their sole mission being to find and exploit every possible weakness.

Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
 

jonblatho

macrumors 68020
Jan 20, 2014
2,470
6,089
Oklahoma
Testing and engineering design seem to have taken a backseat to thinness recently.
Great, this tired point again.

Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
Up to iOS 11.3...
Opens settings > general > about > version
Sees 11.4, close settings and move on with life.
The iOS 11.4 security content notes don’t specify anything seemingly related to this bug.
 

sully54

macrumors 6502
Sep 15, 2012
364
935
Canada
Testing and engineering design seem to have taken a backseat to thinness recently.

Between the root bug and ones like this, one wonders how many others are out there.
This is the nature of software development. I would say it’s almost impossible to account for every vulnerability. At the end of the day software is just a bunch of 1s and 0s. One misplaced digit can cause a vulnerability.
 

Analog Kid

macrumors G3
Mar 4, 2003
8,217
9,788
Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
True, but I have to agree that there has been a string of vulnerabilities here that really shouldn't have happened, and they seem to be happening at a higher rate than in the past. These haven't been subtle "buffer overflow from malformed WiFi packets" kind of vulnerabilities, they've been "access with an empty password" and "flood the USB interface with passcode attempts" kind of vulnerabilities.

I'm sure Apple has a QA team and a security team-- the question is whether they need to grow those efforts, give them more priority, and possibly change their processes.

Based on recent events, I'd lean toward answering "yes" to those questions.
 

Mac 128

macrumors 603
Apr 16, 2015
5,360
2,930
The iOS 11.4 security content notes don’t specify anything seemingly related to this bug.
Are you suggesting they didn’t test it with 11.4, and therefore the bug persists? Otherwise, I’d presume they’d have tested it with 11.4 before releasing this and it doesn’t work with it.

Of course that doesn’t help me with my older equipment that doesn’t support 11.4. Guess I’d better wipe what I’m not using, and use the most complicated passcode I can for the ones I’m still using.
 

expiredyogurt

macrumors regular
Jul 20, 2016
155
63
not america
oh boy, looks like apple care advisors will have lots of fun getting calls from hard headed people asking about this 'feature' to unlock their phones.

The number of times customers called in to get us to unlock their passcode locked phone is too damn high and it often results in screaming because they have to reset the device and of course they don't have a recent back up too...
 

now i see it

macrumors G4
Jan 2, 2002
10,161
21,074
Just another vulnerability in iOS found by one guy tinkering with an iPhone.

One guy.

There are nation states working on the very same thing (cracking iPhones) and they will never reveal the vulnerabilities they've found.

People have got to get over the fantasy that iOS devices are secure. Sure they're secure enough to keep a purse snapper at bay, but if you run afoul of the law, expect your iPhone to incriminate you better than 10 eye witnesses.
 

elvisimprsntr

macrumors 6502a
Jul 17, 2013
952
1,386
Florida
Let’s see. This process would take weeks to succeed. At which time would the owner brick the phone remotely or change the passwords for sensitive accounts?

You assume:
1. The owner is smart enough to disable access to airplane mode control from the lock screen, which would render remote wipe useless.
2. The phone is not in a location which has no cell service.
 

TrulsZK

Contributor
May 1, 2018
145
181
Norway
Get an alphanumeric passcode!

1 attempt takes 4 seconds, that means a 16 digit alphanumeric passcode with upper- and lower case, numbers, and two symbols will take up to 64^16=7,922816251e28 seconds which is in practice never. Unless you can run a dictionary attack or something.

With the brute force attempts an alphanumeric passcode is the only solution to stay safe.
3. Pops SIM out of tray

That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.
 

fairuz

macrumors 68020
Aug 27, 2017
2,486
2,589
Silicon Valley
Just another vulnerability in iOS found by one guy tinkering with an iPhone.

One guy.

There are nation states working on the very same thing (cracking iPhones) and they will never reveal the vulnerabilities they've found.

People have got to get over the fantasy that iOS devices are secure. Sure they're secure enough to keep a purse snapper at bay, but if you run afoul of the law, expect your iPhone to incriminate you better than 10 eye witnesses.
Well if I ever want to commit a crime (or put innocent banking data on my phone), I'll certainly set a longer alphanumeric code instead. Of course there can be a bug where data is left unencrypted, but it's much less likely, and it seems at least the tools we know about don't exploit something like that.
Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
Non-cryptographic hardware security always has a vulnerability. Crypto is a different story.
Testing and engineering design seem to have taken a backseat to thinness recently.

Between the root bug and ones like this, one wonders how many others are out there.
This bug or something equivalent has probably existed for a very long time. And unrelated, remember when you could jailbreak your iPhone by visiting a website in mobile Safari? Also, setting aside the bugs and fixes, Apple's been leading the way in mobile security features.

As for the Music app design and several other parts of the iOS UI, I wish it took backseat to something so they'd just leave it alone. Gets worse every update.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
Important information missing: Does it have to be a trusted computer?

For the iPhone to trust a computer, you must plug it in while it is unlocked and press a button to trust the computer. That would be a strong obstacle: You either need a computer belonging to the user, or you must take away an _unlocked_ iPhone.
How come Apple totes "privacy and security", yet we are constantly seeing vulnerabilities. I rarely ever see anything like this on Android.
On Android, nobody bothers mentioning anything like this anymore. On iOS, everything will be published.

And practically, the default is now a six-digit passcode. At 3-4 seconds per test, it takes a _long_ time. With TouchID or FaceID, there's no problem changing to an eight-digit passcode, and then you are safe.
As for the Music app design and several other parts of the iOS UI, I wish it took backseat to something so they'd just leave it alone. Gets worse every update.
That's always my biggest fear, what they will do to the Music app.
 

WarHeadz

macrumors 6502a
Aug 30, 2015
903
5,192
Long Beach, California
How come Apple totes "privacy and security", yet we are constantly seeing vulnerabilities. I rarely ever see anything like this on Android.
And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.
 