X
Tech

Apple pushes back on hacker's iPhone passcode bypass report

The researcher later found that passcodes he tested weren't always counted.
Written by Zack Whittaker, Contributor
istock-503734384.jpg

(Image: file photo)

A security researcher's demonstration that purportedly bypassed a passcode on up-to-date iPhones and iPads has been pushed back by Apple.

Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, tweeted Friday about a potential way to bypass security limits, allowing him to enter as many passcodes as he wants -- even on the latest version of iOS 11.3.

Beyond ten wrong passcodes, the device can be set to erase its contents.

Hickey said he found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.

"Instead of sending passcode one at a time and waiting, send them all in one go," he said.

"If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.

Despite several requests for comment, Apple spokesperson Michele Wyman said Saturday: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

Apple did not say why it disputed Hickey's findings, which he reported to the company Friday, before tweeting.

We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature.

But Hickey tweeted later, saying that not all tested passcodes are sent to a the device's secure enclave, which protects the device from brute-force attacks.

"The [passcodes] don't always go to the [secure enclave processor] in some instances -- due to pocket dialing [or] overly fast inputs -- so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible," he tweeted.

Hickey credited Stefan Esser for his help.

"I went back to double check all code and testing," said Hickey in a message Saturday. "When I sent codes to the phone, it appears that 20 or more are entered but in reality its only ever sending four or five pins to be checked."

Apple is rolling out a new feature, called USB Restricted Mode, in its upcoming iOS 12 update, which is said to make it far more difficult for police or hackers to get access to a person's device -- and their data.

Corrected and updated: This story has been updated since Friday with comments from Apple and Hickey. We've updated the story.

Editorial standards