Small $500 device shown to brute force hack iPhone 7 lock screen passcodes, but could take...

Posted in iPhone, edited August 2017
A newly demonstrated exploit is said to work only against Apple's iPhone 7 and iPhone 7 Plus running recent firmware, using a small device to brute-force the iOS lock screen passcode of up to three handsets at a time.

The hack was demonstrated on video by YouTuber "EverythingApplePro," who noted that the exploit does not work on older devices such as the iPhone 6s or iPhone SE. In addition, it is specific to iOS 10.3.3 or the iOS 11 beta current at the time of the video.

The hardware is sandwiched between two panes of glass, and features three full-size USB ports to attempt to crack three iPhone 7 units at a time. It also has a micro USB port and even an Apple Lightning port that can be used to power the hardware.

As for how it works, the hack apparently takes advantage of the state the phone is left in by the iOS update process.

"They found a loophole in the data recovery state that allows you to use as many passcode attempts as you want," the YouTube creator explained.


If the iPhone 7 is running an earlier version of iOS 10, it must be updated to iOS 10.3.3 for the hack to work. If the device is already on the latest release, updating it to the iOS 11 beta also works.

Interestingly, a downgrade from the iOS 11 beta to iOS 10.3.3 also puts the phone in a state the crack can use, meaning virtually any iPhone 7 would be vulnerable -- if, of course, an attacker were to get their hands on the phone and also had the $500 device.

Such updates and downgrades normally require the user to unlock the iPhone first, so a second trick is used to get around that requirement.

In the video, "EverythingApplePro" shows a process that involves connecting the iPhone 7 to a MacBook Pro running Windows. The iPhone is placed in DFU (Device Firmware Update) mode and an app called 3uTools is used to force the handset to update without a passcode.

The $500 box then works from the white "press home to recover" screen that is displayed after a fresh iOS install. Once the phone is at this screen, the brute-force attack can begin.


The hardware even includes an array of light sensors that ensure the iPhone display stays turned on while the hack is in progress.

That's important, because the attack itself could take days, depending on the length and complexity of the passcode. For the purposes of the video, a simple passcode of "0016" was used so that the brute force would finish quickly.

At first the device tries a new passcode only every 50 seconds or so, but the rate gradually increases to one attempt every 10 seconds. Even so, a four-digit passcode has 10,000 possibilities, a six-digit passcode has a million, and an alphanumeric passcode far more, so at that rate a full search takes from about a day for four digits to many weeks for six.
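As an added illustration (not code from the article or from the video), the model below turns the rates quoted above into concrete crack times for different passcode policies, and contrasts the unlimited-attempt "loophole" with the escalating delays and optional erase that a normal iOS lock screen imposes. The article gives only the two endpoints of the rate, so the linear ramp over the first 100 guesses is an assumption; the normal-iOS lockout schedule is likewise reproduced from memory of Apple's documentation and is labelled as assumed in the code.

```python
"""Timing model for the unlimited-attempt lock-screen brute force described
in the article. Added example, not the video author's or Apple's code."""

START_INTERVAL = 50.0   # seconds per guess at the start (from the article)
FLOOR_INTERVAL = 10.0   # seconds per guess once ramped up (from the article)
RAMP_GUESSES = 100      # ASSUMED: guesses over which the rate ramps linearly

# ASSUMED normal iOS behaviour (from memory of the iOS Security Guide; values
# may differ by version): seconds the lock screen waits *before* the Nth wrong
# guess can be entered. Guesses 1-5 are free. After the 10th, the phone either
# keeps waiting an hour per guess or, with "Erase Data" enabled, wipes itself.
LOCKOUT_BEFORE_GUESS = {6: 60, 7: 300, 8: 900, 9: 900, 10: 3600}
ERASE_AFTER_GUESSES = 10
SECONDS_PER_DAY = 86400.0


def keyspace(length, alphabet_size=10):
    """Number of distinct passcodes of the given length and alphabet."""
    return alphabet_size ** length


def attempts_to_reach(pin, alphabet="0123456789"):
    """Guesses needed when the box enumerates codes in counting order
    ("0000", "0001", ...): the video's "0016" is the 17th guess."""
    index = 0
    for ch in pin:
        index = index * len(alphabet) + alphabet.index(ch)
    return index + 1


def box_time(guesses):
    """Seconds the box needs to make `guesses` attempts with no lockout.
    Guess n (0-based) during the ramp takes START - (START-FLOOR)*n/RAMP
    seconds; the closed-form sum avoids looping over millions of guesses."""
    in_ramp = min(guesses, RAMP_GUESSES)
    ramp_seconds = (in_ramp * START_INTERVAL
                    - (START_INTERVAL - FLOOR_INTERVAL)
                    * in_ramp * (in_ramp - 1) / (2 * RAMP_GUESSES))
    tail = max(0.0, guesses - RAMP_GUESSES) * FLOOR_INTERVAL
    return ramp_seconds + tail


def expected_box_time(length, alphabet_size=10):
    """Average time for a uniformly random passcode: (N+1)/2 guesses."""
    return box_time((keyspace(length, alphabet_size) + 1) / 2)


def worst_box_time(length, alphabet_size=10):
    """Time to exhaust the whole keyspace."""
    return box_time(keyspace(length, alphabet_size))


def normal_ios_time(guesses, erase_enabled=True):
    """Forced waiting (typing time ignored) a normal lock screen imposes to
    make `guesses` wrong attempts; inf once the phone would have erased."""
    if erase_enabled and guesses > ERASE_AFTER_GUESSES:
        return float("inf")
    wait = 0
    for n in range(1, guesses + 1):
        default = 3600 if n > ERASE_AFTER_GUESSES else 0
        wait += LOCKOUT_BEFORE_GUESS.get(n, default)
    return float(wait)


if __name__ == "__main__":
    print("video PIN 0016 found after", attempts_to_reach("0016"), "guesses,",
          round(box_time(attempts_to_reach("0016")) / 60, 1), "minutes")
    for label, length, alpha in (("4 digits", 4, 10), ("6 digits", 6, 10),
                                 ("7 digits", 7, 10), ("4 alnum", 4, 62)):
        print(f"{label:9s} average {expected_box_time(length, alpha) / SECONDS_PER_DAY:10.1f} d"
              f"  worst {worst_box_time(length, alpha) / SECONDS_PER_DAY:10.1f} d")
    # Without the loophole, ten wrong guesses cost 96 minutes of waiting and,
    # with Erase Data on, the eleventh never happens.
    print("normal iOS, 10 guesses:", normal_ios_time(10) / 60, "minutes")
    print("normal iOS, 11 guesses:", normal_ios_time(11))
```

The two numbers worth taking away are the ratio between the lines of the table (each extra digit multiplies the time by ten, as the commenters below work out by hand) and the `inf` from `normal_ios_time(11)`: the $500 box does not guess faster than a person could, it simply never hits the lockout and erase that make slow guessing pointless.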

Given Apple's focus on security for its devices, it's likely that this exploit will be patched relatively soon. And considering the investment required, and the fact that the hardware must be in hand for the hack to work, and that it's limited to the iPhone 7 and iPhone 7 Plus, the exploit is unlikely to ever affect the vast majority of iPhone users.

iPhone hacks are rare, but they do happen. This latest hack is particularly noteworthy because it only applies to Apple's latest hardware.

Earlier this week, in a separate effort, Twitter user "xerub" published the key that decrypts the Secure Enclave firmware of the iPhone 5s, along with a tool for extracting that firmware. Decrypting the firmware lets researchers inspect the Secure Enclave's code; it does not by itself expose any user's keys or data, and there are currently no known exploits that make use of it.

Even before Apple introduced a secure hardware enclave alongside Touch ID, the iPhone's security measures had stifled law enforcement and hackers alike. Last year, following the San Bernardino terrorist attack, the U.S. Federal Bureau of Investigation allegedly paid $900,000 to an Israeli security firm to crack an iPhone 5c, because the FBI could not do it itself.

Update: Apple confirmed to TechCrunch that the discovered loophole will be patched in the final version of iOS 11. Further, the behavior is already fixed in the latest iOS 11 beta 4.

Comments

  • Reply 1 of 39
    bcode (member, 138 posts)
    I give this exploit a week.
  • Reply 2 of 39
    linkman (member, 847 posts)
    bcode said:
    I give this exploit a week.
    I think it will take longer. Apple should thoroughly test the fix before releasing it. Since it requires a special piece of hardware it would take a much longer time for the exploit to spread than a software-only exploit. But the fact that this exists at all might mean that some other vulnerability exists -- I'm sure some people have already scarfed up the details of this and are working on cracking it further.
  • Reply 3 of 39
    mac_128 (member, 3,255 posts)
    bcode said:
    I give this exploit a week.
    In the meantime expect a rash of iPhone 7 thefts! Haha
  • Reply 4 of 39
    mknelson (member, 259 posts)
    sog35 said:
    Easy fix: if you lose your phone then use Find My iPhone and wipe it clear
    Unless it gets picked up right away and turned off/SIM card removed.
  • Reply 5 of 39
    tobol (member, 2 posts)
    Well, you have more than a day to wipe your device. In a day it will reach almost 9000 combinations. Just make sure your PIN starts from 9 :-) But seriously, who in their right mind has a 4 digit passcode when there is Touch ID? I suggest an 8+ character alphanumeric password because it isn't like you have to enter it every time, just once after reboot.
  • Reply 6 of 39
    robjn (member, 200 posts)

    One attempt every 10 seconds is a very slow brute force attack.

    If you have a six digit numerical passcode this exploit would take an average of 64.3 days to find it.
    edited August 2017
  • Reply 7 of 39
    Soli (member, 8,380 posts)
    "They found a loophole in the data recovery state that allows you to use as many passcode attempts as you want."

    We talk a lot about how Apple has better security than their competitors, but let's not forget that being the best doesn't mean being great. While the risk is likely minimal and everyone on this forum should be using the full keyboard for their passcode now that Touch ID adds a huge convenience to the process (only 4 characters is over 1 billion combinations), these annual discoveries that can bypass some or all of the iPhone's first defense are very poor. I don't think these should occur with the frequency in which they do, especially with the 11th version of iOS. Call me unreasonable, but I feel that the core device security should be hardened by now.
  • Reply 8 of 39
    Soli (member, 8,380 posts)
    bcode said:
    I give this exploit a week.
    I wouldn't be surprised to see this resolved with both a tertiary iOS 10 update and the next beta of iOS 11, but Apple really shouldn't be playing catch up with these sort of security issues.
  • Reply 9 of 39
    macgui (member, 934 posts)
    I wonder if Apple was notified in White Hat fashion. I'd like to think so.
  • Reply 10 of 39
    lkrupp (member, 6,446 posts)
    I use a 7 digit passcode. I wonder how long that would take to hack over a 4 digit passcode?
  • Reply 11 of 39
    nht (member, 4,302 posts)
    Soli said:
    "They found a loophole in the data recovery state that allows you to use as many passcode attempts as you want."

    We talk a lot about how Apple has better security than their competitors, but let's not forget that being the best doesn't mean being great. While the risk is likely minimal and everyone on this forum should be using the full keyboard for their passcode now that Touch ID adds a huge convenience to the process (only 4 characters is over 1 billion combinations), these annual discoveries that can bypass some or all of the iPhone's first defense are very poor. I don't think these should occur with the frequency in which they do, especially with the 11th version of iOS. Call me unreasonable, but I feel that the core device security should be hardened by now.
    What frequency is that?  One every few years?  That requires access to the device itself?  Some of which were discovered by national intelligence agencies?

    Right.
  • Reply 12 of 39
    lkrupp (member, 6,446 posts)
    Soli said:
    bcode said:
    I give this exploit a week.
    I wouldn't be surprised to see this resolved with both a tertiary iOS 10 update and the next beta of iOS 11, but Apple really shouldn't be playing catch up with these sort of security issues.
    I mean... so what? The hacker has to lay out $500 for the box, spends days trying to hack the passcode. Is the guy who steals your iPhone during a mugging going to do that? Why? Like so many of these ‘exploits’ you would need to be a targeted subject. Remember when TouchID first came out and some German hackers claimed they had fooled TouchID with lifted fingerprints...except that you had to have a $2000 high resolution printer to do it and had to lift those prints in a very specific way. I think there’s WAY too much paranoia and hysteria about stuff like this by people with an axe to grind or an ego to puff up. If it’s a real threat Apple will deal with it in due time, no panic button to be pushed. We hear almost daily about the millions of Android phones that are vulnerable with no hope of updates from their carriers but I’ve yet to see a report on how many Android users have had their bank accounts emptied out because of it. Talk about Chicken Little! Oh, and then there’s the FUD and fake news being spread around about the Secure Enclave being ‘hacked’ when no such thing has happened.
    edited August 2017
  • Reply 13 of 39
    lkrupp (member, 6,446 posts)
    There are millions upon millions of iPhone users who have NO passcode set and leave their devices open all the time. Why buy this box when there’s a good chance the iPhone you steal will be open anyway? I know a bunch of people like this, both iOS and Android users for whom a passcode or fingerprint is just too much hassle.
  • Reply 14 of 39
    Soli (member, 8,380 posts)
    lkrupp said:
    I use a 7 digit passcode. I wonder how long that would take to hack over a 4 digit passcode?
    10,000,000 v 10,000, or 1000x longer assuming that each check is a set duration. If you factor in a statistical average that just after 50% of the codes have been tested you'd get access, you still have a 1000x differential with 5,000,000 v 5,000.

    This, of course, assumes a truly randomly chosen PIN as well, not one that happens to fall into the most commonly used PIN combinations or can be determined through social hacking, like somehow having access to another 4-digit PIN by the user, them having used an easily searchable 4-digit street address number or a 7-digit phone number, for example.
  • Reply 15 of 39
    Adopt wireless charging and get rid of all ports, and then make the device be able to somehow detect when someone is cracking open the case and automatically wipe all data. Not that this eliminates all hacking, but puts a stop to a lot of it. 
  • Reply 16 of 39
    Soli (member, 8,380 posts)
    lkrupp said:
    Soli said:
    bcode said:
    I give this exploit a week.
    I wouldn't be surprised to see this resolved with both a tertiary iOS 10 update and the next beta of iOS 11, but Apple really shouldn't be playing catch up with these sort of security issues.
    I mean... so what? The hacker has to lay out $500 for the box, spends days trying to hack the passcode. Is the guy who steals your iPhone during a mugging going to do that? Why?
    You're seriously asking why Apple should be concerned about basic security measures? Funny how in a thread yesterday where Aetna simply inquired about data protection people argued that "it's better than Android so you shouldn't ask about it" and now when an exploit is discovered the response is "security isn't that important." If it's not Apple's responsibility to secure their OS then whose is it?
    edited August 2017
  • Reply 17 of 39
    Soli (member, 8,380 posts)
    Adopt wireless charging and get rid of all ports, and then make the device be able to somehow detect when someone is cracking open the case and automatically wipe all data. Not that this eliminates all hacking, but puts a stop to a lot of it. 
    Wireless charging likely isn't happening for a long time. Inductive charging as an option looks possible this year, but the Lightning port with USB 3.x speeds and fast charging will likely be around for a very long time.
  • Reply 18 of 39
    holyone (member, 377 posts)
    Soli said:
    "They found a loophole in the data recovery state that allows you to use as many passcode attempts as you want."

    We talk a lot about how Apple has better security than their competitors, but let's not forget that being the best doesn't mean being great. While the risk is likely minimal and everyone on this forum should be using the full keyboard for their passcode now that Touch ID adds a huge convenience to the process (only 4 characters is over 1 billion combinations), these annual discoveries that can bypass some or all of the iPhone's first defense are very poor. I don't think these should occur with the frequency in which they do, especially with the 11th version of iOS. Call me unreasonable, but I feel that the core device security should be hardened by now.
    True, just imagine the kind of out of hand mockery and shade throwing that would be ramping up on this thread if this was a Samsung device. Speaking of which, seeing how much better iOS is than the dairy products ;) this type of thing must be standard in Android land, though I haven't read anything like this, but it's probably hilarious. Anyone with links?
  • Reply 19 of 39
    lkrupp said:
    There are millions upon millions of iPhone users who have NO passcode set and leave their devices open all the time. Why buy this box when there’s a good chance the iPhone you steal will be open anyway? I know a bunch of people like this, both iOS and Android users for whom a passcode or fingerprint is just too much hassle.

    I agree with you. There is NO way any system can be made perfectly secure. Also, security is NOT an absolute requirement, set in stone for ALL users of a device/platform. The levels of security would vary based on the needs of the end users. A person who does not do any financial transaction using his/her mobile (and does not care about privacy or does not store any personal sensitive information in the phone) would not even bother about setting up a PIN/fingerprint and so on. It is up to the user to utilize the given security options based on his/her needs. As long as the given security options work reasonably well, AND it is quite difficult to break into the system in "normal" circumstances, and known vulnerabilities are patched fairly quickly, people should not complain too much.

    Edit: I guess I didn't grasp Soli's point of view adequately in this thread. People should not be hypocrites when similar issues are found out in other platforms (read Android). When that happens constantly, the standard expected from Apple has to be higher OR people should stop being hypocrites.

    edited August 2017
  • Reply 20 of 39
    mike1 (member, 1,749 posts)
    Adopt wireless charging and get rid of all ports, and then make the device be able to somehow detect when someone is cracking open the case and automatically wipe all data. Not that this eliminates all hacking, but puts a stop to a lot of it. 
    Wireless charging should never be the only option. Many people need or want to use the device while it is charging.