Apple boasts about the security of its iOS devices, but sometimes even the best measures cannot prevent a malicious attack. In what could be a dangerous vulnerability for iPhones and iPads, a security researcher has notified Apple of a bug that could allow the passcode to be cracked with a brute force attack.
Matthew Hickey, a security researcher and co-founder of the cybersecurity firm Hacker House, is said to have discovered a flaw in the iOS platform that allowed him to crack a locked iPhone by bypassing Apple's passcode protection against multiple incorrect entries. That protection stops users from repeatedly attempting to unlock an iPhone, and can even erase the data on the phone after 10 incorrect passcode attempts.
But Hickey was able to make multiple incorrect attempts to unlock an iPhone until finally entering the right passcode (which he already knew). The video shared by the security researcher shows the erase option enabled on the iPhone while he makes more than 10 incorrect attempts (11 to be precise) to unlock the iPhone and finally logs in with the right passcode on the 12th attempt.
Check the exploit in action below:
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl - demo of the exploit in action.
— Hacker Fantastic (@hackerfantastic) June 22, 2018
Hickey reported the flaw to Apple, and the iPhone maker fired back, saying there is no vulnerability as shown in the video. "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," a spokesperson for the company told Gizmodo.
So how did Hickey do it?
Hickey's brute force unlocking method isn't shown in full. All that is needed to execute an attack is a locked, powered-on iPhone and a Lightning cable. When the locked iPhone is plugged in, a hacker can use keyboard inputs to enter passcodes, and an interrupt request is triggered, which takes priority over everything else, even the erase security in this case.
A hacker could send a series of inputs at once until the right passcode combination is accepted, without erasing the data on the device.
How secure are iOS devices?
Let's just say the vulnerability is real, but it would take days just to crack the iPhone using multiple passcode combinations. But for someone with the right resources and the luxury of time, it is not an impossible task.
To put this into perspective, a four-digit numerical code has 10,000 possible combinations, and the video shows the passcode entries taking about 3-5 seconds each. At this rate, it would take days to iterate through every combination. In the case of a 6-digit code, there are one million possible combinations. So as long as you have a 6-digit passcode on your iPhone, you are giving hackers a nightmare should you lose your iPhone to someone intent on accessing your data.
If you're not convinced, a little patience can go a long way. Apple might have rubbished Hickey's brute force break-in, but a new feature called USB Restricted Mode in the upcoming iOS 12 could save the day for all iPhone users.
With USB Restricted Mode enabled, USB access on iOS devices will be limited to one hour, after which no data can be exchanged over USB connections.