A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software’s security mechanisms.
Since iOS 8 rolled out in 2014, all iPhones and iPads have come with device encryption. Often protected by a four- or six-digit passcode, a hardware and software combination has made it nearly impossible to break into an iPhone or iPad without cooperation from the device owner.
And if the wrong passcode is entered too many times, the device gets wiped.
Normally, iPhones and iPads are limited in how many times a passcode can be entered each minute. Newer Apple devices contain a “secure enclave,” a part of the hardware that can’t be modified, which protects the device from brute-force attacks, like entering as many passcodes as possible. The secure enclave keeps count of how many incorrect passcode attempts have been entered and gets slower at responding with each failed attempt.
Hickey found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.
“Instead of sending passcodes one at a time and waiting, send them all in one go,” he said.
“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.
Hickey posted a demonstration video of his attack online.
An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces. Because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature, he explained. That means the attack works only after the device is booted up, said Hickey, because there are more routines running.
Hickey’s exploit would be another black eye for the iPhone and iPad maker, which has been in a cat and mouse chase with the makers of one recently revealed phone unlocking tool.
Little is publicly known about the company or its flagship product, but the $15,000 box allows law enforcement to break any iOS device’s passcode, giving police full access to a device’s file system — messages, photos, call logs, browsing history, keychain, and user passwords, and more.
That’s thought to have been one of the reasons why Apple is rolling out a new feature called USB Restricted Mode in its upcoming iOS 12 update, which is said to make it far more difficult for police or hackers to get access to a person’s device — and their data.
The new feature will effectively prevent anyone from using the USB cable for anything other than charging the device if someone hasn’t unlocked the device with a passcode within the last hour.
Hickey’s attack is slow — running about one passcode between three and five seconds each or over a hundred four-digit codes in an hour — and may not stand up against Apple’s incoming feature.
His attack can work against six-digit passcodes — iOS 11’s default passcode length — but would take weeks to complete.
Hickey emailed Apple details of the bug, but he said it was “not a difficult bug to identify.” A spokesperson for Apple did not immediately respond to a request for comment.
“I suspect others will find it — or have already found it,” he said.