Matthew Hickey, a security researcher and hacker, has purportedly discovered a method to brute force the passcode of any up-to-date iPhone or iPad, reports ZDNet.
Normally, after ten incorrect passcode attempts, your iPhone will lock you out or wipe your device. Additionally, after six attempts a time delay is introduced to prevent rapid unlock attempts.
Hickey found a way around this. When an iPhone or iPad is plugged in and keyboard inputs are sent, an interrupt request is triggered which takes priority over everything else.
"Instead of sending passcodes one at a time and waiting, send them all in one go... If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," says Hickey.
This can be done by enumerating each code from 0000 to 9999 in one string with no spaces. Since this doesn't give the software any breaks, the keyboard input routine takes priority over the data-erase feature. The attack only works after the device is booted up because there are more routines running.
It's unclear if this attack is similar to the one used by Grayshift's GrayKey box. Apple is introducing a new USB Restricted Mode with iOS 12 that will prevent use of the iPhone's USB connection if your iPhone hasn't been unlocked in the past hour. It's likely that feature is intended to reduce the window for attacks such as these; however, Grayshift claims it's already defeated the feature.
Hickey's attack is slow, taking about 3-5 seconds to try each passcode. It can also work on six-digit passcodes, but at that rate it could take weeks to complete.
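The defensive point behind the article is where the attempt counter lives: a counter that is only bumped by the UI layer can be outrun by a flood of input, while one maintained by the component that actually checks the passcode cannot. The following is an added illustration, not code from the article or from Apple: a hypothetical `PasscodeVerifier` that records each attempt before comparing it, a `feed_batched` helper that submits one long digit string the way the article describes, and a `brute_force_seconds` helper using the article's 3-5 seconds per attempt. The wipe-after-ten and delay-after-six thresholds come from the article; the `DELAY_SECONDS` value is a constructed placeholder, since the real delay schedule escalates and is not described on the page.

```python
import hmac

# Policy values taken from the article: wipe after ten failed attempts,
# throttle after six. The delay length itself is a constructed placeholder.
WIPE_AFTER_FAILURES = 10
DELAY_AFTER_FAILURES = 6
DELAY_SECONDS = 60  # constructed value; the real schedule escalates per attempt


class PasscodeVerifier:
    """Hypothetical verifier that counts attempts at the point of comparison,
    so feeding many candidates in one stream cannot outrun the counter."""

    def __init__(self, secret: str, wipe_after: int = WIPE_AFTER_FAILURES,
                 delay_after: int = DELAY_AFTER_FAILURES):
        self._secret = secret.encode()
        self.wipe_after = wipe_after
        self.delay_after = delay_after
        self.failures = 0
        self.wiped = False
        self.enforced_delay = 0  # total seconds of delay a caller would have waited

    def try_passcode(self, candidate: str) -> str:
        if self.wiped:
            return "wiped"  # nothing is compared once the data is gone
        # Record the attempt *before* comparing. A gap between "compare" and
        # "record" is exactly what a flood of queued input could exploit.
        self.failures += 1
        if hmac.compare_digest(self._secret, candidate.encode()):
            self.failures = 0
            return "unlocked"
        if self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        if self.failures > self.delay_after:
            self.enforced_delay += DELAY_SECONDS
            return "delayed"
        return "rejected"


def feed_batched(verifier: PasscodeVerifier, stream: str, width: int = 4) -> list:
    """Split one long digit string into fixed-width candidates and submit them
    in order, as the article describes. Returns the outcome of each candidate."""
    candidates = [stream[i:i + width] for i in range(0, len(stream), width)]
    return [verifier.try_passcode(c) for c in candidates]


def brute_force_seconds(digits: int, seconds_per_attempt: float) -> float:
    """Worst-case wall-clock time to enumerate every code of the given length
    at the per-attempt rate reported in the article, ignoring lockouts."""
    return (10 ** digits) * seconds_per_attempt


if __name__ == "__main__":
    # Constructed input: every four-digit code, 0000 through 9999, with no separators.
    all_codes = "".join(f"{i:04d}" for i in range(10_000))
    v = PasscodeVerifier("9876")  # constructed secret, chosen so the stream never hits it
    outcomes = feed_batched(v, all_codes)
    print("verified before wipe:", 10_000 - outcomes.count("wiped"))  # only ten
    print("delay accrued (s):", v.enforced_delay)
    print("4-digit worst case at 5 s/attempt (h):", brute_force_seconds(4, 5) / 3600)
    print("6-digit worst case at 3 s/attempt (days):", brute_force_seconds(6, 3) / 86400)
```

With the counter at the verifier, only ten of the ten thousand queued candidates are ever compared before the wipe fires, regardless of how the input was batched. The timing helper reproduces the article's scale: at 5 seconds per attempt a full four-digit sweep is about 14 hours, and at 3 seconds per attempt a six-digit sweep is about 35 days.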
Check out the attack demonstrated in the video below!
Update:
Hickey tweets that this hack may not be as good as it appears.
"It seems @i0n1c may be right: the pins don't always go to the SEP in some instances (due to pocket dialing / overly fast inputs), so although it 'looks' like pins are being tested they aren't always sent and so they don't count; the devices register fewer counts than visible @Apple"