On Friday, security researcher Matthew Hickey discovered a USB-based vulnerability that allows for brute forcing of a passcode on an iOS device.
The security report notes that the method is able to bypass the 10-entry attempt that erases an iOS device when the appropriate setting is enabled. After plugging an iOS device into a computer, the hacker was able to send all possible 4-digit passcode combinations to the device.
“Instead of sending passcode one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature.”
Earlier today, Apple spokesperson Michele Wyman released a statement saying:
“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”
Apple did not offer any more detail about this dispute. Hickey later tweeted saying that not all passcodes are sent to the secure enclave, which protects the device from a brute force attack.
It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
In a statement, Hickey said:
“I went back to double check all code and testing. When I sent codes to the phone, it appears that 20 or more are entered but in reality its only ever sending four or five pins to be checked.”
In iOS 12, Apple is rolling out a new feature called USB Restricted Mode, which will make it a lot more difficult for anyone to get access into a person’s device even when they have physical access to it.