Posted on June 25, 2018 at 5:20 PM
A security researcher from Hacker House found a way to bypass Apple’s limited number of passcode input due to a glitch. The company stated that the researcher’s success is a result of the incorrect testing and that the glitch is actually non-existent. After a second test, however, the researcher confirmed that the company’s statement is correct.
A glitch in the passcode security system
After conducting tests to see whether the iPhone passcode system can really protect the phones, Matthew Hickey, a security researcher and a co-founder of a security firm called Hacker House reported a bug. Hickey announced on Twitter last Friday that the passcode system protecting the iPhone can be bypassed through a brute force attack, and has even posted a video that proves it.
The passcode protecting Apple’s iPhones allows users to protect their device and shield it from surveillance or intrusion. The device would allow for 10 attempts to unlock the iPhone before deleting all of its content as a safety precaution. Hickey wanted to uncover whether or not the device is truly as safe as it seems.
As part of his tests, he connected the phone to a computer and used his keyboard to send input. Instead of trying once and waiting to see if the device would accept or reject the passcode, he sent a large number of requests, which basically disabled the erase feature.
He posted his findings on Twitter, along with the video that proves that the device did not erase the content after being attacked.
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl – demo of the exploit in action.
— Hacker Fantastic (@hackerfantastic) June 22, 2018
Apple responded with claims of testing error
After posting his findings online, Hickey provoked a response from Apple, or rather, its spokesperson, Michele Wyman. Wyman said that the passcode bypass reports were not possible and that the results of Hickey’s tests are an error.
The company did not release any more information which would explain how they came to the conclusion that Hickey’s tests were wrong. However, their statement was confirmed by Hickey himself, who realized that Apple’s statement was correct.
The bug is not really there
According to Hickey’s update, the passcodes that he entered via computer did not always go to the passcode processor. This is likely a part of the feature that prevents pocket dialing, or other issues that might accidentally lead to phone’s content being erased.
Hickey also said that even though it looked like the pins are being tested, the device did not count them as valid attempts, which basically means that the passcode did not register them. After double-checking the process, he noticed that the device only registered four or five of the codes, despite the fact that he sent over 20 of them.
It would seem that Apple’s statement was correct all along and that the bug is not really there.
Hackers and law enforcement disappointed by the result
Despite the fact that this is actually a good news for iPhone users, it probably came as a disappointment for law enforcers. Various law-enforcing agencies have had quite a history with Apple and its devices. They are constantly trying to find a way to bypass the iPhone’s security in order to access private information of their suspects but to no avail.
Requests to Apple to provide them with a way to unlock the phones also did not receive a warm welcome, and the company continued to refuse the requests. Apple’s claims to protect their client’s privacy continue to stand, and each new model comes with even more improvements.
In fact, they already announced that the new device will have an additional security feature – USB Restricted Mode. The feature will restrict the access that a third party can get via USB, and it will be activated after the iOS devices were locked for one hour or more. Basically, this means that hackers and law enforcers have 60 minutes to crack the device’s defenses after the phone was locked, and if they fail, the data stored on the device will be completely and permanently off limit.