Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11 [Updated]

Discussion in 'iOS Blog Discussion' started by MacRumors, Jun 22, 2018.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A USB-based vulnerability that allows for the brute forcing of a passcode on an iOS device has been discovered by security researcher Matthew Hickey, reports ZDNet.

    The method, which bypasses the 10-attempt limit that erases an iOS device when the setting is enabled, allows a hacker to plug an iPhone or iPad into a computer and send all passcodes, from 0000 to 9999, all at once, triggering an input routine that takes priority over anything else on the device. Hickey demos the hack in the video below.

    All that's required to use this brute force password cracking method is an iPhone or iPad that's turned on and locked and a Lightning cable, according to Hickey. It works on iOS devices up to iOS 11.3.

    Hickey's iPhone cracking method takes between three and five seconds for each four-digit passcode, which means it's slow and not as advanced as other passcode cracking methods employed by companies like Grayshift, which makes the GrayKey box. For this method to guess a six-digit passcode, Hickey says it would take weeks.

    Apple in iOS 12 is introducing a new USB Restricted Mode that may put a stop to the vulnerability that Hickey has discovered, as well as vulnerabilities exploited by tools like the GrayKey Box.


    With USB Restricted Mode, enabled by default on iOS devices running iOS 12, USB access to an iPhone or iPad is cut off if it's been more than an hour since the device was last unlocked.

    That means computers and other accessories can't be used to access a locked iPhone if it's been locked for over an hour, disabling access via a USB to Lightning cable.

    Update: In a statement obtained by iMore, Apple says "the recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

    Article Link: Security Researcher Discovers Method for Brute Forcing iPhone Passcode in iOS 11 [Updated]
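    As an added illustration, not part of the MacRumors article and not Apple's code, the Python below models the lockout policy the article describes: one gate that counts every candidate passcode regardless of input path, erases after ten failures, charges the per-attempt delay (4 s assumed, the midpoint of the 3-5 s quoted), and refuses USB input once the device has been locked for more than an hour, as USB Restricted Mode is described. Beside it is a hypothetical flawed handler that treats a whole batched string as a single input event, the failure class the article attributes to the reported method. All class and function names, the PBKDF2 parameters and the timings are assumptions made for the example.

```python
"""
Hypothetical model of a passcode gate with an attempt counter, an erase-after-10
policy and a USB Restricted Mode timer. Constructed illustration, not Apple's code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

WIPE_AFTER = 10            # "Erase Data" after 10 failed attempts (from the article)
SECONDS_PER_ATTEMPT = 4.0  # assumed midpoint of the 3-5 s per attempt the article cites
USB_GRACE_SECONDS = 3600   # USB Restricted Mode: one hour since the last unlock
KDF_ITERATIONS = 1_000     # kept small so the example runs quickly; real devices use far more


class DeviceWiped(Exception):
    """Raised when the failed-attempt limit erases the device."""


class UsbRestricted(Exception):
    """Raised when USB data access is refused under USB Restricted Mode."""


@dataclass
class PasscodeGate:
    salt: bytes
    digest: bytes
    failed: int = 0
    wiped: bool = False
    last_unlock: float = 0.0
    clock: float = 0.0  # simulated time in seconds

    @staticmethod
    def _derive(salt: bytes, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)

    @classmethod
    def enroll(cls, passcode: str) -> "PasscodeGate":
        salt = os.urandom(16)
        return cls(salt, cls._derive(salt, passcode))

    def tick(self, seconds: float) -> None:
        """Advance the simulated clock (the phone sitting locked, untouched)."""
        self.clock += seconds

    def try_passcode(self, candidate: str, via_usb: bool = False) -> bool:
        """Single choke point: every candidate, from any input path, is counted here."""
        if self.wiped:
            raise DeviceWiped("device erased; no further attempts accepted")
        if via_usb and self.clock - self.last_unlock > USB_GRACE_SECONDS:
            raise UsbRestricted("USB data access disabled: locked for over an hour")
        self.clock += SECONDS_PER_ATTEMPT  # each attempt costs the fixed delay
        if hmac.compare_digest(self._derive(self.salt, candidate), self.digest):
            self.failed = 0
            self.last_unlock = self.clock
            return True
        self.failed += 1
        if self.failed >= WIPE_AFTER:
            self.wiped = True
            raise DeviceWiped(f"{WIPE_AFTER} failed attempts: device erased")
        return False


def submit_batch(gate: PasscodeGate, candidates, via_usb: bool = True) -> str:
    """Hardened handling of a batched input string: each candidate is one counted attempt."""
    try:
        for candidate in candidates:
            if gate.try_passcode(candidate, via_usb=via_usb):
                return "unlocked"
    except DeviceWiped:
        return "wiped"
    except UsbRestricted:
        return "usb-restricted"
    return "locked"


def flawed_batch_verify(gate: PasscodeGate, candidates) -> bool:
    """Hypothetical flawed pattern: the whole batch is verified as one input event,
    so the counter moves once no matter how many candidates were inside it."""
    matched = any(
        hmac.compare_digest(gate._derive(gate.salt, c), gate.digest) for c in candidates
    )
    gate.failed = 0 if matched else gate.failed + 1  # one increment per event, not per guess
    return matched


def seconds_to_exhaust(digits: int) -> float:
    """Worst-case time to try every numeric passcode of the given length at the gate's rate."""
    return (10 ** digits) * SECONDS_PER_ATTEMPT


if __name__ == "__main__":
    g = PasscodeGate.enroll("1234")
    print(submit_batch(g, (f"{i:04d}" for i in range(10_000))))  # wiped after 10 guesses
    print(f"4 digits: {seconds_to_exhaust(4) / 3600:.1f} h, "
          f"6 digits: {seconds_to_exhaust(6) / 86400:.1f} days")
```

    With the per-candidate gate, a batch of all 10,000 four-digit codes is cut off after ten guesses, whereas the flawed handler moves the counter by one for the whole batch. At the assumed 4 s per guess the full four-digit space takes about 11 hours and the six-digit space about 46 days, in line with the article's "weeks" estimate.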
  2. Mansu944 macrumors 6502

    Mar 11, 2012
  3. centauratlas macrumors 65816


    Jan 29, 2003
    Testing and engineering design seem to have taken a backseat to thinness recently.

    Between the root bug and ones like this, one wonders how many others are out there.
  4. flyinmac macrumors 68040


    Sep 2, 2006
    United States
    Interesting bug.

    Maybe instead of just coming up with ideas, Apple needs to have a team whose job is to try to break or break into every Apple device. They should be full time employed with their sole mission being to find and exploit every possible weakness.
  5. newyorksole macrumors 68040

    Apr 2, 2008
    New York.
    So if someone forgets their passcode and needs to DFU their iPhone, they won’t be able to if USB Restrict is turned on? Interesting.

    I hope that setting isn’t on by default.
  6. asdavis10 macrumors 6502


    Feb 3, 2008
    Somehow you seem to think that an almost trillion dollar company doesn't do this. Fact of the matter is that everything has a vulnerability. It's just a matter of how practical the exploit actually is for it to be useful.
  7. B4U macrumors 68000


    Oct 11, 2012
    Undisclosed location
    Up to iOS 11.3...
    Opens settings > general > about > version
    Sees 11.4, close settings and move on with life.
  8. thhertz macrumors newbie


    Oct 29, 2012
    Michigan’s Gold Coast
    Let’s see.:eek: This process would take weeks to succeed. At which time would the owner brick the phone remotely or change the passwords for sensitive accounts?
  9. jonblatho macrumors 6502a


    Jan 20, 2014
    Great, this tired point again.

    Apple has different employees who do different things. What you’re suggesting here is like asking a school custodian to take over a classroom from a teacher.
    --- Post Merged, Jun 22, 2018 ---
    The iOS 11.4 security content notes don’t specify anything seemingly related to this bug.
  10. sully54, Jun 22, 2018
    Last edited: Jun 23, 2018

    sully54 macrumors regular


    Sep 15, 2012
    This is the nature of software development. I would say it’s almost impossible to account for every vulnerability. At the end of the day software is just a bunch of 1s and 0s. One misplaced digit can cause a vulnerability.
  11. mariusignorello macrumors 65816

    Jun 9, 2013
    DFU mode takes priority over that setting.
  12. Analog Kid macrumors 601

    Analog Kid

    Mar 4, 2003
    True, but I have to agree that there has been a string of vulnerabilities here that really shouldn't have happened, and they seem to be happening at a higher rate than in the past. These haven't been subtle "buffer overflow from malformed WiFi packets" kind of vulnerabilities, they've been "access with an empty password" and "flood the USB interface with passcode attempts" kind of vulnerabilities.

    I'm sure Apple has a QA team and a security team-- the question is whether they need to grow those efforts, give them more priority, and possibly change their processes.

    Based on recent events, I'd lean toward answering "yes" to those questions.
  13. Mac 128 macrumors 603

    Mac 128

    Apr 16, 2015
    Are you suggesting they didn’t test it with 11.4, and therefore the bug persists? Otherwise, I’d presume they’d have tested it with 11.4 before releasing this and it doesn’t work with it.

    Of course that doesn’t help me with my older equipment that doesn’t support 11.4. Guess I’d better wipe what I’m not using, and use the most complicated passcode I can for the ones I’m still using.
  14. Mcmeowmers macrumors 6502

    Jun 1, 2015
    Apple, are you even trying?

    Never trust the client.
  15. expiredyogurt macrumors regular


    Jul 20, 2016
    not america
    oh boy, looks like apple care advisors will have lots of fun getting calls from hard headed people asking about this 'feature' to unlock their phones.

    The number of times customers called in to get us to unlock their passcode locked phone is too damn high and it often results in screaming because they have to reset the device and of course they don't have a recent backup too...
  16. dannyyankou macrumors 604


    Mar 2, 2012
    Scarsdale, NY
    This guy knows what he’s doing. Report it to tech blogs before law enforcement figures out how to do it. Apple will patch this very quickly.
  17. now i see it macrumors 68030

    Jan 2, 2002
    Just another vulnerability in iOS found by one guy tinkering with an iPhone.

    One guy.

    There are nation states working on the very same thing (cracking iPhones) and they will never reveal the vulnerabilities they've found.

    People have got to get over the fantasy that iOS devices are secure. Sure they're secure enough to keep a purse snatcher at bay, but if you run afoul of the law, expect your iPhone to incriminate you better than 10 eyewitnesses.
  18. elvisimprsntr macrumors 6502

    Jul 17, 2013
    You assume:
    1. The owner is smart enough to disable access to airplane mode control from the lock screen, which would render remote wipe useless.
    2. The phone is not in a location which has no cell service.
  19. PBG4 Dude macrumors 68030

    PBG4 Dude

    Jul 6, 2007
    3. Pops SIM out of tray
  20. TrulsZK macrumors member


    May 1, 2018
    Get an alphanumeric passcode!

    1 attempt takes 4 seconds, that means a 16 digit alphanumeric passcode with upper- and lowercase, numbers, and two symbols will take up to 64^16 = 7.922816251e28 seconds which is in practice never. Unless you can run a dictionary attack or something.

    With the brute force attempts an alphanumeric passcode is the only solution to stay safe.
    --- Post Merged, Jun 22, 2018 ---
    That is exactly why I want eSIM in the iPhone and passcode requirement when switching your phone off + auto restart after force shut down.
  21. fairuz, Jun 23, 2018
    Last edited: Jun 24, 2018

    fairuz macrumors 68000


    Aug 27, 2017
    Silicon Valley
    Well if I ever want to commit a crime (or put innocent banking data on my phone), I'll certainly set a longer alphanumeric code instead. Of course there can be a bug where data is left unencrypted, but it's much less likely, and it seems at least the tools we know about don't exploit something like that.
    --- Post Merged, Jun 23, 2018 ---
    Non-cryptographic hardware security always has a vulnerability. Crypto is a different story.
    --- Post Merged, Jun 23, 2018 ---
    This bug or something equivalent has probably existed for a very long time. And unrelated, remember when you could jailbreak your iPhone by visiting a website in mobile Safari? Also, setting aside the bugs and fixes, Apple's been leading the way in mobile security features.

    As for the Music app design and several other parts of the iOS UI, I wish it took backseat to something so they'd just leave it alone. Gets worse every update.
  22. Regime2008 Suspended


    Oct 3, 2017
    Basshead in ATL
    How come Apple touts "privacy and security", yet we are constantly seeing vulnerabilities. I rarely ever see anything like this on Android.
  23. elvisimprsntr macrumors 6502

    Jul 17, 2013
  24. gnasher729 macrumors P6


    Nov 25, 2005
    Important information missing: Does it have to be a trusted computer?

    For the iPhone to trust a computer, you must plug it in while it is unlocked and press a button to trust the computer. That would be a strong obstacle: You either need a computer belonging to the user, or you must take away an _unlocked_ iPhone.
    --- Post Merged, Jun 23, 2018 ---
    On Android, nobody bothers mentioning anything like this anymore. On iOS, everything will be published.

    And practically, the default is now a six-digit passcode. At 3-4 seconds per test, it takes a _long_ time. With TouchID or FaceID, there's no problem changing to an eight-digit passcode, and then you are safe.
    --- Post Merged, Jun 23, 2018 ---
    That's always my biggest fear, what they will do to the Music app.
  25. WarHeadz macrumors 6502a


    Aug 30, 2015
    Long Beach, California
    And yet law enforcement agencies aren’t constantly whining about their inability to unlock Android phones. So I’m assuming it’s a hell of a lot easier. I’ll stick with the company that law enforcement agencies despise.
