
Simple hack bypasses iOS passcode entry limit, opens door to brute force hacks [u]

GrayKey forensic tool. | Source: MalwareBytes


A security researcher recently discovered a flaw in Apple's iOS that allows anyone with a Lightning cable to bypass an iPhone or iPad's passcode attempt limit, opening the door to brute force attacks.

Matthew Hickey, co-founder of security firm Hacker House, uncovered a method of bypassing a ten-attempt passcode restriction designed to thwart brute force hacks on locked iOS devices, ZDNet reports.

Apple introduced system-wide encryption with iOS 8 in 2014, a security measure that was later backed by a special hardware safeguard called the secure enclave processor. First deployed in iPhone 5s to perform cryptographic operations and store encrypted Touch ID biometric data, secure enclaves now appear in all modern iOS devices to protect against unwarranted intrusions, silo financial data associated with Apple Pay, conduct biometric matching and more.

Combined with the latest iOS software, the secure enclave is able to shut down brute force attacks by delaying multiple incorrect passcode attempts. Specifically, the operating system pauses input after four consecutive failed attempts; the first pause lasts one minute, and the pauses grow to one hour by the ninth error. Users can further protect onboard data by enabling a feature that performs a system wipe after ten consecutive failed attempts.

Hickey, however, says the security protocol can be bypassed by sending passcode entries en masse over Lightning. Transmitting a string of passcodes via keyboard input triggers an interrupt request that takes precedence over all other device operations, including the data erase feature.
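As an added defender-side example (not Apple's code and not from the article or Hickey's research), the model below implements the escalating-lockout policy described above and shows the property a correct gate needs: every attempt, including one arriving inside a single burst of input, is checked against the current lockout state before any comparison runs, and the failure counter is advanced before the answer is checked. Only the endpoints of the delay schedule (one minute at the first pause, one hour by the ninth error, optional wipe at ten) come from the article; the intermediate delays are assumed.

```python
from dataclasses import dataclass

FREE_FAILURES = 4   # article: delays begin after four consecutive failures
WIPE_AT = 10        # article: optional erase after ten consecutive failures
# Lockout (minutes) imposed by the Nth consecutive failure. The article gives
# only the endpoints (first delay one minute, one hour by the ninth error);
# the intermediate values are assumed for illustration.
DELAY_MIN = {5: 1, 6: 5, 7: 15, 8: 15, 9: 60}


@dataclass
class PasscodeGate:
    """Toy model of an escalating-lockout passcode check (not Apple's code)."""
    secret: str
    wipe_enabled: bool = True
    failures: int = 0
    locked_until: float = 0.0   # seconds on the same clock as `now`
    wiped: bool = False

    def try_code(self, code: str, now: float) -> str:
        # Every attempt is gated by the *current* state before the comparison,
        # so a burst of queued input gets no fast path around the counter.
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "rejected-locked"      # dropped, never queued for later
        # Fail closed: record the failure before checking the answer, so an
        # interrupt between the two steps cannot yield a free attempt.
        self.failures += 1
        if code == self.secret:
            self.failures = 0
            return "unlocked"
        if self.wipe_enabled and self.failures >= WIPE_AT:
            self.wiped = True
            return "wiped"
        if self.failures > FREE_FAILURES:
            # With wipe disabled the delay stays at the one-hour ceiling.
            self.locked_until = now + 60 * DELAY_MIN.get(self.failures, 60)
        return "rejected"


def feed_burst(gate: PasscodeGate, codes, now: float):
    """Deliver codes that all arrive at one instant, like the article's single
    long string of keyboard input, and return the outcome of each."""
    return [gate.try_code(c, now) for c in codes]
```

Feeding ten wrong codes in one burst costs the attacker only the first five comparisons; the rest are dropped while the one-minute lock is in force, and the wipe threshold is still reached after the ninth lock expires.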

"Instead of sending passcodes one at a time and waiting, send them all in one go," Hickey said. "If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.

The attack is slow going, with a tethered device taking about three to five seconds to ingest each code, but it has been proven to work on both four- and six-digit passcodes. A six-digit code, however, could take weeks to crack.

Hickey's method might be rendered obsolete when iOS 12 debuts. The upcoming iOS version includes a "USB Restricted Mode" that effectively disables hardwired USB data connections after a predetermined time period. A catchall response to USB attack vectors employed by hackers and digital forensics firms, the feature requires users to enter a passcode when attempting to transfer data to or from a USB accessory connected to an iPhone that has not been unlocked within the last hour.

The new security feature also frustrates efforts from digital forensics firms like GrayShift, which markets a relatively inexpensive iPhone unlocking solution called GrayKey to law enforcement agencies. Reports suggest GrayShift has already defeated the feature, though how it has managed to do so is unclear.

Apple earlier this month confirmed USB Restricted Mode will disrupt unwarranted iPhone access attempts by hackers and governments that do not afford their citizens the same protections as U.S. laws.

Update: Apple has since disputed Hickey's claims, saying the supposed iOS vulnerability is the result of erroneous testing.



50 Comments

Soli 9 Years · 9981 comments

Use the full keyboard for your passcode! Even add a simple long press character to make it crazy hard to crack without invoking much of a hassle for you.

gerard 11 Years · 83 comments

This flaw is probably why GrayKey stated they have a workaround. Hopefully Apple will fix this so-called simple but effective hack.

dewme 10 Years · 5775 comments

I’m generally sympathetic about security issues that exist because the designers and developers at a much earlier point in time had no compelling reason to consider a risk that was unknown at the time. But the Lightning brute force attack vector is simply bad design, plain and simple. It violates even the most elementary design-for-security (DfS) prescriptions. The Lightning port is by design both a point of ingress and a point of egress from the device. There is no logical reason why the designers and engineers working under a DfS umbrella would not have identified the Lightning port, upstream & downstream processing related to the Lightning port, including all exception handling, scheduler impacts, buffers/caches/queues, etc., (all the usual security subjects) as part of their design process. But everyone makes mistakes and Apple will have to fix this one pronto so they can free up resources and bandwidth to prepare for the next one. 

mac_128 12 Years · 3452 comments

gerard said:
This flaw is probably why GrayKey stated they have a workaround. Hopefully Apple will fix this so-called simple but effective hack.

Hopefully they fix it in iOS 11 since any device which won't run 12 will be vulnerable. I'll need to go back to any older iOS device I'm still using which won't run iOS 11 or 12 and use the longest password allowed. That's gonna be a real pain, as I currently use 4-digit passcodes for easy access without Touch ID. But it's probably a good idea for any device even running iOS 12 since there's a one-hour window in which someone could steal a phone and get lucky.

Soli 9 Years · 9981 comments

mac_128 said:
gerard said:
This flaw is probably why GrayKey stated they have a workaround. Hopefully Apple will fix this so-called simple but effective hack.
Hopefully they fix it in iOS 11 since any device which won't run 12 will be vulnerable. I'll need to go back to any older iOS device I'm still using which won't run iOS 11 or 12 and use the longest password allowed. That's gonna be a real pain, as I currently use 4-digit passcodes for easy access without Touch ID. But it's probably a good idea for any device even running iOS 12 since there's a one-hour window in which someone could steal a phone and get lucky.

I thought they required a 6-digit password years ago? For something you don't have to input often, I don't understand why people aren't using the complexity of the iOS virtual keyboard for a faster and hyper-secure password, where only 4 characters can be as much as 1.9 BILLION possible combinations. Your PIN only gets you 10K.