A hacker figured out how to brute force iPhone passcodes


A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software’s security mechanisms.

Since iOS 8 rolled out in 2014, all iPhones and iPads have shipped with device encryption. Usually protected by a four- or six-digit passcode, and backed by a combination of hardware and software, the devices have been nearly impossible to break into without the owner’s cooperation.

And if the optional Erase Data setting is turned on, entering the wrong passcode too many times wipes the device.

But Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, found a way to bypass the 10-time limit and enter as many codes as he wants — even on iOS 11.3.

“An attacker just needs a turned on, locked phone and a Lightning cable,” Hickey told ZDNet.

Normally, iPhones and iPads throttle how quickly passcodes can be tried. Newer Apple devices contain a “secure enclave,” a separate coprocessor that the main operating system cannot tamper with, which protects the device against brute-force attacks, such as trying every possible passcode. The secure enclave keeps count of incorrect passcode attempts and imposes a longer delay after each failed attempt.

Hickey found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be hacker sends keyboard input over the cable, it triggers an interrupt request, which takes priority over anything else on the device.

“Instead of sending passcodes one at a time and waiting, send them all in one go,” he said.


“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.

Hickey posted a demonstration video of his attack online.

An attacker can send all the passcodes in one go by enumerating every code from 0000 to 9999 as one string with no spaces between them. Because this never gives the software a pause, the keyboard input routine takes priority over the device’s data-erasing feature, he explained. The attack works only after the device has fully booted, said Hickey, because more routines are running at that point.

Hickey’s exploit may give the first insight into how one recently revealed phone unlocking tool, used by law enforcement, can access locked iPhones.

“It looks likely to be one of the related bugs from GrayKey’s magic box,” he said.

Little is publicly known about the company or its flagship product, but the $15,000 box is reported to break any iOS device’s passcode, giving police full access to the device’s file system: messages, photos, call logs, browsing history, keychain and user passwords, and more.

That’s thought to have been one of the reasons why Apple is rolling out a new feature called USB Restricted Mode in its upcoming iOS 12 update, which is said to make it far more difficult for police or hackers to get access to a person’s device — and their data.

The new feature will effectively stop the USB cable from being used for anything other than charging unless the device has been unlocked with its passcode within the previous hour.

Hickey’s attack is slow. At three to five seconds per passcode it gets through roughly 700 to 1,200 four-digit codes an hour, so covering all 10,000 takes about eight to fourteen hours, and it may not stand up against Apple’s incoming feature, which would shut the port after the first hour.

His attack can work against six-digit passcodes, iOS 11’s default passcode length, but the million-code space would take roughly five to eight weeks to exhaust at that rate.
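To make the numbers in the last few paragraphs concrete, here is an added example (my own code, not Hickey’s or Apple’s). It builds the payload the article describes, every zero-padded code concatenated with no separators, cuts it back into individual codes the way a lock screen would consume them, and turns the quoted rate of three to five seconds per code and USB Restricted Mode’s one-hour window into a time budget for four- and six-digit passcodes. The function and field names are my own, and the rate and window length are taken from the article rather than measured.

```python
"""Size the "one long string" passcode attack described above.

Added example, not code from the article or from Hickey. The per-code rate
(3-5 s) and the one-hour USB Restricted Mode window are the figures the
article quotes; everything else here is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def passcode_payload(digits: int, start: int = 0, stop: Optional[int] = None) -> str:
    """Every code of the given length from start (inclusive) to stop (exclusive),
    zero-padded and concatenated with no separators, e.g. "000000010002...9999"."""
    if digits < 1:
        raise ValueError("passcode length must be at least one digit")
    space = 10 ** digits
    stop = space if stop is None else stop
    if not 0 <= start <= stop <= space:
        raise ValueError("range lies outside the passcode space")
    return "".join(f"{code:0{digits}d}" for code in range(start, stop))


def split_payload(payload: str, digits: int) -> List[str]:
    """Cut a payload back into fixed-length codes, as the lock screen would read it."""
    if len(payload) % digits:
        raise ValueError("payload length is not a multiple of the passcode length")
    return [payload[i:i + digits] for i in range(0, len(payload), digits)]


@dataclass(frozen=True)
class AttackBudget:
    codes: int             # size of the passcode space
    best_hours: float      # whole space at the fast end of the quoted rate
    worst_hours: float     # whole space at the slow end of the quoted rate
    expected_hours: float  # a random passcode is hit halfway through on average
    codes_per_window: int  # codes that fit in one USB Restricted Mode window (slow rate)


def attack_budget(digits: int,
                  seconds_per_code: Tuple[float, float] = (3.0, 5.0),
                  window_seconds: int = 3600) -> AttackBudget:
    """Turn the article's per-code rate into hours for the full passcode space
    and the number of codes that fit before USB Restricted Mode shuts the port."""
    codes = 10 ** digits
    fast, slow = seconds_per_code
    avg_seconds = (fast + slow) / 2
    return AttackBudget(
        codes=codes,
        best_hours=codes * fast / 3600,
        worst_hours=codes * slow / 3600,
        expected_hours=(codes / 2) * avg_seconds / 3600,
        codes_per_window=int(window_seconds // slow),
    )


if __name__ == "__main__":
    head = passcode_payload(4, stop=5)  # first five codes only, to keep the output short
    print("payload head:", head, "->", split_payload(head, 4))
    for n in (4, 6):
        b = attack_budget(n)
        print(f"{n}-digit: {b.codes} codes, {b.best_hours:.1f}-{b.worst_hours:.1f} h "
              f"for the full space ({b.worst_hours / 24:.1f} days worst case), "
              f"{b.codes_per_window} codes per one-hour window")
```

Running it shows why the one-hour window matters: at the slow end of the quoted rate only 720 codes fit in the window, against 10,000 four-digit and 1,000,000 six-digit possibilities.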

Hickey emailed Apple details of the bug, but he said it was “not a difficult bug to identify.” A spokesperson for Apple did not immediately respond to a request for comment.

“I suspect others will find it — or have already found it,” he said.
