Simple hack bypasses iOS passcode entry limit, opens door to brute force hacks [u]
A security researcher recently reported a flaw in Apple's iOS that he says allows anyone with a Lightning cable to bypass an iPhone or iPad's passcode attempt limit, opening the door to brute force attacks.
GrayKey forensic tool. | Source: MalwareBytes
Matthew Hickey, co-founder of security firm Hacker House, uncovered a method of bypassing a ten-attempt passcode restriction designed to thwart brute force hacks on locked iOS devices, ZDNet reports.
Apple extended system-wide encryption of user data with iOS 8 in 2014, a security measure backed by a dedicated hardware component, the Secure Enclave processor, which had debuted a year earlier in the iPhone 5s. First used to perform cryptographic operations and store encrypted Touch ID biometric data, the Secure Enclave now appears in all modern iOS devices, where it guards against unwarranted intrusions, silos financial data associated with Apple Pay, performs biometric matching and more.
Combined with current iOS software, the Secure Enclave blunts brute force attacks by enforcing escalating delays after consecutive wrong passcodes: the fifth consecutive failure triggers a one-minute delay, and the delay grows to one hour by the ninth. Users can further protect onboard data by enabling Erase Data, which wipes the device after ten consecutive failed attempts.
Hickey, however, says the protection can be bypassed by sending passcode entries en masse over Lightning. In his account, a string of passcodes delivered as keyboard input triggers an interrupt request that takes precedence over other device operations, including the erase feature.
"Instead of sending passcodes one at a time and waiting, send them all in one go," Hickey said. "If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," he explained.
The attack is slow going: a tethered device takes about three to five seconds to ingest each code, though Hickey says it works on both four- and six-digit passcodes. At that rate all 10,000 four-digit codes could be tried in roughly eight to fourteen hours, while exhausting the one million six-digit codes would take five to eight weeks.
Hickey's method might be rendered obsolete when iOS 12 debuts. The upcoming release includes a "USB Restricted Mode" that cuts off data connections over the Lightning port after a set period. A catchall response to USB attack vectors used by hackers and digital forensics firms, the feature requires users to enter a passcode before data can be transferred to or from a USB accessory if the iPhone has not been unlocked within the last hour.
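The throttling schedule and the cost arithmetic above, worked through as an added Python example that is not Apple's implementation or Hickey's tooling: a guard that models the escalating delays (Apple's published schedule of 1, 5, 15, 60 and 60 minutes after the fifth through ninth consecutive failures) and the erase-after-ten option, an attacker that waits out every lockout, and the unthrottled worst case at the per-attempt rate the article gives. Keeping a one-hour delay beyond the ninth failure when Erase Data is off is an assumption made here, as are the `PasscodeGuard`, `simulate_attack` and `unthrottled_seconds` names.

```python
"""Reference model of an escalating-delay passcode guard with an optional
erase-after-ten policy, plus brute-force cost estimates.

Added example, not Apple's code.  Delay schedule: Apple's documented iOS
lockouts (1 min after the 5th consecutive failure, 5 min after the 6th,
15 min after the 7th, 60 min after the 8th and 9th).  Holding the delay at
one hour past the 9th failure when Erase Data is off is an assumption."""
import secrets
from dataclasses import dataclass

LOCKOUT_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}  # seconds
ERASE_AFTER = 10


class Throttled(Exception):
    """Input refused because a lockout delay is still running."""


class DeviceWiped(Exception):
    """Erase Data was triggered; no further attempts are possible."""


def delay_after(failures: int) -> int:
    """Lockout imposed after the Nth consecutive failure."""
    if failures in LOCKOUT_AFTER_FAILURE:
        return LOCKOUT_AFTER_FAILURE[failures]
    return 3600 if failures > max(LOCKOUT_AFTER_FAILURE) else 0  # assumed past the 9th


@dataclass
class PasscodeGuard:
    secret: str
    erase_enabled: bool = True
    failures: int = 0
    unlock_at: float = 0.0   # no input accepted before this (monotonic) time
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> bool:
        """Process one passcode entry submitted at time `now`.

        Every entry is counted before it is compared, whatever path it
        arrived by, so a burst of queued keystrokes is just a burst of
        counted failures rather than a way around the counter."""
        if self.wiped:
            raise DeviceWiped()
        if now < self.unlock_at:
            raise Throttled(f"locked for {self.unlock_at - now:.0f}s more")
        self.failures += 1                      # commit the attempt first
        if secrets.compare_digest(guess.encode(), self.secret.encode()):
            self.failures = 0
            return True
        if self.erase_enabled and self.failures >= ERASE_AFTER:
            self.wiped = True
            raise DeviceWiped()
        self.unlock_at = now + delay_after(self.failures)
        return False


def simulate_attack(guard: PasscodeGuard, candidates, secs_per_attempt: float = 4.0):
    """Attacker feeding `candidates` in order and waiting out every lockout.
    Returns (recovered_code_or_None, elapsed_seconds, attempts_made)."""
    now, attempts = 0.0, 0
    for guess in candidates:
        now = max(now, guard.unlock_at)        # sit out the lockout
        attempts += 1
        try:
            hit = guard.attempt(guess, now)
        except DeviceWiped:
            return None, now, attempts
        now += secs_per_attempt
        if hit:
            return guess, now, attempts
    return None, now, attempts


def unthrottled_seconds(alphabet_size: int, length: int, secs_per_attempt: float) -> float:
    """Worst-case time to exhaust the keyspace if the throttle really were
    bypassed and each entry cost only the tethered input rate."""
    return alphabet_size ** length * secs_per_attempt


if __name__ == "__main__":
    pins = (f"{i:04d}" for i in range(10_000))
    print(simulate_attack(PasscodeGuard("0012"), pins))                       # wiped on the 10th try
    pins = (f"{i:04d}" for i in range(10_000))
    print(simulate_attack(PasscodeGuard("0012", erase_enabled=False), pins))  # found, but hours later
    hours = unthrottled_seconds(10, 4, 5) / 3600
    weeks = unthrottled_seconds(10, 6, 5) / (7 * 86400)
    print(f"unthrottled: 4 digits {hours:.1f} h, 6 digits {weeks:.1f} weeks")
```

With Erase Data on, a search that starts at 0000 is wiped on its tenth entry after about 2.4 hours of mostly waiting; with it off, even a PIN as early as 0012 costs over five hours because every failure past the ninth buys another hour. The design point is in `attempt`: the counter is committed before the comparison and before any delay is computed, which is the property a batch of queued input would have to defeat.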
The new security feature also frustrates efforts from digital forensics firms like GrayShift, which markets a relatively inexpensive iPhone unlocking solution called GrayKey to law enforcement agencies. Reports suggest GrayShift has already defeated the feature, though how it has managed to do so is unclear.
Apple confirmed earlier this month that USB Restricted Mode is meant to disrupt unwarranted iPhone access attempts by hackers and by governments that do not afford their citizens the protections U.S. law provides.
Update: Apple has since disputed Hickey's claims, saying the supposed iOS vulnerability is the result of erroneous testing.
Comments
2) If you use the "typical" character palette of upper case letters (26), lower case letters (26), numbers (10), you have 72 options per character, but why not use all those "special characters" that are also available, which I think bring you another 35 options for a total of 107 options, which is more than any website I've seen; they only give you a handful of extra character options based on their weak sense of security and the minimal effort they've had to put in so that the special characters don't mess with their database setup.
That means a 6-character passcode would be 107^6 for a total of 1.5 TRILLION possible combinations compared to your 6-digit PIN which is 10^6 for a total of 1 MILLION options. It really doesn't take much longer to input and because of Touch ID and Face ID not requiring you to unlock with your passcode constantly there's no reason not to have a more secure one.
3) If non-alphanumerics for passwords, like punctuation and other non-alphanumeric characters, are referred to as "special characters", I've deemed the much richer palette of characters available for the long-hold on the iOS virtual keyboard "very special characters." For example, if you hold down the 'a' key on the American English iOS keyboard (same for macOS, btw), you get the options (à, á, â, ä, æ, ã, å, ā). These are all valid for Apple OS passwords and they're all unique Unicode characters, so they won't be registered as just the letter 'a'. But not all keys have so many options on the long-press. The ampersand (&), for example, only has the section sign (§) as an option.
By my last count—as I recall—of the American English iOS keyboard there are 210 options. That means that a 4-character passcode would be 1.944 BILLION options. Moving to 6-characters it's now 85.8 TRILLION.
PS: I'll also reiterate what having emoji as options for password could do. Perhaps not all characters could be used because they're too similar in look, and cross platform characters can look very different, but even a basic array of pictograms could be useful. Some people could remember them better by creating a story from them as their password, even if just interjecting one or two. This could increase the complexity of the character palette to around 1000 characters—or BASE-1000—which would make these brute force attacks virtually impossible as they stand now, even for very short passcodes. A 4 character passcode that was not limited to just numbers and letters would have 1 TRILLION possibilities with just 4 characters, which the user could quickly type in. Move that to 6-characters and you now have 1 QUINTILLION. I don't expect to see emoji added for a long time, but I do see the benefit of allowing them to be used in some fashion.
When you change or set up your passcode, you get a button that says Passcode Options under the passcode entry field. When you tap that, you get a choice of Custom Alphanumeric Code, Custom Numeric Code or 6-Digit Numeric Code.
1. If you enter a Custom Alphanumeric Code you can use the entire keyboard and have a code as long as you wish, using letters, numbers, and special characters, terminated by ENTER.
Note that the full keyboard is available, so you can put in accents, umlauts, and any other special characters. That is what @Soli meant by a simple long press character. I don't know if emoji work.
2. If you enter a Custom Numeric Code you can type in as many numeric digits as you wish, but will have to hit ENTER at the end of the code. The benefit of this is you get the numeric keypad to type in your code, which is less fiddly to use than the alphanumeric keyboard.
3. 6-Digit Numeric Code uses the numeric keypad, but you don't need to hit ENTER because it knows you are putting in 6 digits. (Also realize that anyone trying to crack your code ALSO knows you only have 6 digits.)
Highest security is a long custom alphanumeric code, but it's a PITA to type in if you don't have Touch ID or something like that.
As you say, it would be a PITA if not for Touch ID and Face ID, but we have that luxury of no longer having to input our PINs every time we unlock our devices.
PS: I'm enjoying Dan Brown's latest novel "Origin" but I'm bothered that the protagonist was able to use the fingerprint of someone to unlock a smartphone and then go into settings to disable the fingerprint check and all security without any additional security checks. For those who don't know, you can't even access that part of Settings without knowing the passcode. I'm not sure how he could've moved the story forward but it felt lazy.
Often, the websites will tell the user what the limitations are; like the minimum length, the types of characters allowed, and minimum number of different character types that must be used. That's fine, but password generators don't read that data so you're left with having to fiddle with the slider, adjust other various settings, and even do manual replacements of special characters that aren't allowed for ones that are in order to satisfy the requirement. For me, this isn't a huge deal, but I know it can be a daunting task for those that still don't fully grasp the difference between a password manager and password generator… which is surprisingly more common than you may realize if you're only communicating with people on tech sites.
Furthermore, one pet peeve of mine is that most websites will state a minimum number of characters, but not a maximum number. 1Password's slider goes to 64 characters, which I use quite well with Dropbox, Google, and other websites built well. Sometimes you won't even get an error when you input a password that is too long, but you go to sign in and it fails, so then you're left with trying again with one less character on each attempt until you find the length that it decided to truncate and save as your password in their system, which you now have to save manually in your password manager.
My solution for this is something along the lines of how robots.txt works. All password generators will be able to look at the read-only, passwords.txt file (for example) on any website's root to be able to see all the parameters by which a password must be made so it can create the most secure, randomized password possible without the user having to spend any time manually altering settings to make it work. Hopefully this would help those making websites to better understand the need for full transparency in their password criteria, help users create stronger passwords, and help users create unique passwords for each website.
[Examples 1 through 5: the commenter's sample passwords.txt files, not preserved.]
Of course, the user would never have to worry about this. This would all happen in the background instantly. For security, password generators could easily be made to look for anything hinky, like a password.txt file that had been changed to make the password far too simple, which would indicate that the site had been compromised, but that would only work if the server that records the password was also compromised, so I doubt that would be an attack vector at all for hackers.
If the site doesn't use this so-called password.txt file then your password generator will make a randomized password like it does now.
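The passwords.txt idea in the comment above, worked through as an added Python example that is not part of the thread and does not follow any real standard: the file format here is invented for illustration, with one directive per line (hypothetical keys min-length, max-length, allowed, required and symbols), and the sample policies are constructed. The generator reads the policy, produces the longest password the policy permits by rejection sampling, and refuses any policy whose best possible password falls under the generator's own entropy floor, which is the check that covers the weakened or tampered policy the commenter raises.

```python
"""Policy-driven password generation from a hypothetical passwords.txt.

Added example.  The file format is invented for this illustration and is not
a standard.  The generator applies its own entropy floor so that a policy
which has been weakened, by mistake or by tampering, is refused rather than
obeyed."""
import math
import secrets
import string

# Constructed sample policy in the hypothetical format (one directive per line).
SAMPLE_POLICY = """\
# passwords.txt (hypothetical format); lines starting with '#' are comments
min-length: 12
max-length: 32
allowed: lower upper digit symbol
required: lower upper digit symbol
symbols: !@#$%^&*()-_=+
"""

# Constructed "hinky" policy: a site (or an attacker) asking for 4-6 digits only.
WEAK_POLICY = """\
min-length: 4
max-length: 6
allowed: digit
required: digit
"""

MIN_ENTROPY_BITS = 60.0   # floor this generator enforces whatever the site says

_FIXED_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}


class PolicyError(ValueError):
    """Malformed, contradictory or too-weak policy."""


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines into a dict, filling defaults for absent keys."""
    policy = {
        "min-length": 8,
        "max-length": 64,
        "allowed": ["lower", "upper", "digit", "symbol"],
        "required": [],
        "symbols": "!@#$%^&*()-_=+[]{};:,.?",
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise PolicyError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key in ("min-length", "max-length"):
            policy[key] = int(value)
        elif key in ("allowed", "required"):
            policy[key] = value.split()
        elif key == "symbols":
            policy[key] = value
        else:
            raise PolicyError(f"unknown directive {key!r}")
    known = set(_FIXED_CLASSES) | {"symbol"}
    if not set(policy["allowed"]) <= known or not set(policy["required"]) <= known:
        raise PolicyError("unknown character class")
    if not set(policy["required"]) <= set(policy["allowed"]):
        raise PolicyError("a required class is not an allowed class")
    if not 0 < policy["min-length"] <= policy["max-length"]:
        raise PolicyError("inconsistent length bounds")
    if len(policy["required"]) > policy["max-length"]:
        raise PolicyError("more required classes than characters")
    return policy


def class_chars(policy: dict, cls: str) -> str:
    return policy["symbols"] if cls == "symbol" else _FIXED_CLASSES[cls]


def alphabet(policy: dict) -> str:
    """Deduplicated pool of every character the policy allows."""
    return "".join(sorted({c for cls in policy["allowed"] for c in class_chars(policy, cls)}))


def max_entropy_bits(policy: dict) -> float:
    """Entropy of a uniformly random password at the longest permitted length."""
    return policy["max-length"] * math.log2(len(alphabet(policy)))


def satisfies(password: str, policy: dict) -> bool:
    pool = set(alphabet(policy))
    return (
        policy["min-length"] <= len(password) <= policy["max-length"]
        and set(password) <= pool
        and all(any(c in class_chars(policy, cls) for c in password)
                for cls in policy["required"])
    )


def generate(policy: dict) -> str:
    """Return the strongest password the policy permits, or refuse the policy."""
    bits = max_entropy_bits(policy)
    if bits < MIN_ENTROPY_BITS:
        raise PolicyError(f"policy allows at most {bits:.0f} bits; refusing to generate")
    pool = alphabet(policy)
    length = policy["max-length"]
    # Rejection sampling keeps the result uniform over all passwords that satisfy
    # the policy, unlike "pick one of each required class, then shuffle".
    for _ in range(10_000):
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate
    raise PolicyError("could not satisfy policy")


if __name__ == "__main__":
    print(generate(parse_policy(SAMPLE_POLICY)))
    try:
        generate(parse_policy(WEAK_POLICY))
    except PolicyError as e:
        print("refused:", e)
```

The floor is the important part: a site's policy can only ever tighten what the generator would do on its own, never loosen it, so a swapped policy file yields a refusal rather than a six-digit "password".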
As for running old, outdated versions of iOS, you're taking a lot more risks than this single one. Apple fixes security bugs multiple times a year in every version of iOS -- so your outdated device has multiple vulnerabilities...
I go back to what a security analyst told me decades ago:
2) The first thing that someone might do if they stole your device is put it in Airplane Mode, turn it off (if that wasn't possible), or just stick it in a bag that would block any RF that you could use to remotely wipe the device. Find My iPhone is a great feature, but it does have its limitations since it requires a handshake from Apple's servers to know to wipe itself.
3) That security analyst is correct. If you're being targeted—like a celebrity might be—you're likely going to have data stolen, but if you're just part of the pack just don't be the slowest and weakest of the herd. For example, I shred every document at my house that contains personal data, but I don't burn it. If someone was really hell bent on getting that data they could piece together all that confetti to find what I shred. It's all mundane, but there is info if one wanted to steal my identity, for instance. If I was a celebrity I'd be burning it.
1) I don't know if the warrants or permission to search one thing gives the right to search others like Russian nesting dolls, but Apple does make it easy to kill your biometric logins so that they can compel you all they want to unlock it with your finger or face and it won't do anything.
Additionally, 1Password introduced Travel Mode last year to limit how much personal data is being stored on your device in case you're entering into a country with less than savory laws about data protection.
Frankly, I'm still bothered that so much data is showing up after a restart without me putting my passcode in. The device should show nothing. I know in the past it was even less secure after a restart because it would show the phone numbers and emails of the sender, not just their common name. It's one thing to show "Mom" on the screen and another to show my mother's email and/or phone number which they could then use to get more data. How hard would it be to say you got the message, which they can read, then figure out a scam to say your device is broken, to send money, or something else.
But it's all a bit of a moot point when the iOS lock screen still probably has ways to break in using a series of weird commands with Siri and accessing Contacts. I don't know how this could be implemented with Face ID? Make a goofy face? ¯\_(ツ)_/¯