Apple disputes claims of iOS 'vulnerability' to brute force passcode hack

Posted:
in iPhone edited June 2018
Apple on Saturday responded to reports suggesting a security researcher had discovered a simple to execute bypass to iOS passcode protections, saying the supposed vulnerability is in fact the result of erroneous testing.


GrayKey forensic tool. | Source: MalwareBytes


On Friday, security researcher Matthew Hickey detailed a method of bypassing iPhone's built-in countermeasures to brute force passcode hacks.

Specifically, Hickey said sending passcodes en masse over Lightning to a locked iPhone or iPad triggers an interrupt request that takes precedent over other device operations. In such a scenario, a hacker would key in all possible passcode combinations enumerated from 0000 to 9999, or 000000 to 999999 in the case of a six-digit code, as one consecutive string without spaces.

Through this purportedly operable mechanism, Hickey said a nefarious user would be able to bypass Apple's secure enclave safeguards, including delays implemented between incorrect passcode inputs and an option to completely wipe stored device data after ten consecutive failed attempts.

Apple in a statement to AppleInsider said Hickey's claims are erroneous.

"The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said.

The statement is seemingly backed up by a Twitter post by Hickey, who on Saturday amended his original assertions to explain the supposed hack might not function as initially thought.

"It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible," he said in a tweet.

Whether Apple communicated with Hickey is unknown, though the researcher on Friday said he recently contacted the company about the ostensible exploit.

Hickey continues to examine the issue, though his initial findings have yet to be replicated or validated by a third party.

In any case, Apple is looking to render all USB-related iPhone and iPad exploits obsolete with an upcoming software update this fall. The company's iOS 12 incorporates a new "USB Restricted Mode" that disables hardwired USB data connections if a correct passcode is not provided after a predetermined time period. In current beta iterations, that time window stands at one hour.

According to Apple, the new feature is designed to disrupt unwarranted iPhone access by hackers and governments that do not afford their citizens the same protections as U.S. laws.
«13

Comments

  • Reply 1 of 42
    backstabbackstab Posts: 138member
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    williamlondon
  • Reply 2 of 42
    tmaytmay Posts: 6,311member
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    From the article, my reading comprehension has that the guy isn't lying, just that the result "was in error, and a result of incorrect testing" according to Apple. The fact that the initial findings havn't been able to be replicated or validated by a third party indicates that Apple appears to be correct.
    edited June 2018 lkruppredgeminipaStrangeDaysnetmageradarthekatlongpathwatto_cobrachasm
  • Reply 3 of 42
    addisonaddison Posts: 1,185member
    The Israelis have a device that they sell to governments that can access all iPhones including the X at will. In the Uk the police will just snoop your phoes if they wish to and no search warrent is required.
  • Reply 4 of 42
    foggyhillfoggyhill Posts: 4,767member
    addison said:
    The Israelis have a device that they sell to governments that can access all iPhones including the X at will. In the Uk the police will just snoop your phoes if they wish to and no search warrent is required.
    it's not "at will", they have to fracking decap the god damn chip. Man, I'm tired of such crap.
    And even there, if you have a wacky long passcode, how the hell would they get in that way.

    All ways of getting in depend on bypassing the brute force restriction. The originality of the israeli method that used to work in older phones is that it also allows mirroring the device memory to allow cracking on another device. That can't happen in later phones. 

    Put a god damn string of 3-4 imojis in your passcode and your set for a quasi eternal crack time for whoever gets your device.
    capasicumSoliRayz2016racerhomie3mwhitenetmageairmanchairmanbrian greenlongpathwatto_cobra
  • Reply 5 of 42
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    The article is quite clear, actually. What happens is that when flooding the the device with PIN numbers, not every PIN is checked by the device. Some PINs are skipped, although it seems that all of them are checked. So, there is a non-zero probability that the correct PIN is skipped.
    StrangeDaysnetmagelongpath
  • Reply 6 of 42
    Rayz2016Rayz2016 Posts: 6,957member
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    No, no one is suggesting that the chap is lying. He thought that the input priority was not allowing the data erasure function to run.  As it turns out the data erasure function was not triggered because less than ten passwords from his string were being tested. What he is guilty of is not getting his results peer reviewed before going public. 


    SolientropyswilliamlondonlkruppStrangeDaysnetmageairmanchairmanmattinozradarthekatlongpath
  • Reply 7 of 42
    SoliSoli Posts: 10,035member
    Rayz2016 said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    No, no one is suggesting that the chap is lying. He thought that the input priority was not allowing the data erasure function to run.  As it turns out the data erasure function was not triggered because less than ten passwords from his string were being tested. What he is guilty of is not getting his results peer reviewed before going public. 
    👆
    olsradarthekatlongpathwatto_cobra
  • Reply 8 of 42
    tallest skiltallest skil Posts: 43,388member
    foggyhill said:
    Put a god damn string of 3-4 imojis in your passcode and your set for a quasi eternal crack time for whoever gets your device.
    I got excited when I read this and then found out you can’t do it.
    brian greenwatto_cobra
  • Reply 9 of 42
    Rayz2016Rayz2016 Posts: 6,957member
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?

    My apologies. I didn't actually answer your second question.

    In a word, no.

    No article I've read (including the one here), has said that he actually broken into the phone. What he has done is demonstrate that the iOS's data erasure function can be bypassed, which could, in theory, lead to the development of an exploit that could be used to break into the phone. If you can stop the phone from erasing itself then you have more chances to break into it.

    Unfortunately, this may not be the case because the reason the experimental phone did not erase itself is because it had not, as he first believed, received the ten password tries that triggers the function.



    Notsofastbackstabnetmagewatto_cobrachasm
  • Reply 10 of 42
    entropysentropys Posts: 4,152member
    No he wasn’t lying. He was just trashing his credibility.  
    Let this be a lesson to you all, folks. If conducting experiments, make sure you test your results and conclusions, including by a critical peer, not your mates at the next university.  And don’t ever rush to the social media sewer with untested results and conclusions.
    benji888dewmeairmanchairmanradarthekatDAalsethlongpathjcs2305watto_cobrachasm
  • Reply 11 of 42
    foggyhillfoggyhill Posts: 4,767member
    entropys said:
    No he wasn’t lying. He was just trashing his credibility.  
    Let this be a lesson to you all, folks. If conducting experiments, make sure you test your results and conclusions, including by a critical peer, not your mates at the next university.  And don’t ever rush to the social media sewer with untested results and conclusions.
    The best thing is to test you are actually testing what you think you are testing.

    Getting result X means nothing if you don't even know what you actually tested.

    For example,
    If you give poison to a test subject, make sure they actually swallowed it before declaring it can't kill the subject  (in this case it is "kill it" :-), but the principle is the same).
    benji888longpathwatto_cobra
  • Reply 12 of 42
    asdasdasdasd Posts: 5,686member
    capasicum said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    The article is quite clear, actually. What happens is that when flooding the the device with PIN numbers, not every PIN is checked by the device. Some PINs are skipped, although it seems that all of them are checked. So, there is a non-zero probability that the correct PIN is skipped.
    Not too clear to me. Are they bypassing the text input at the lock screen, it’s probably the lock screen that imposes the limit and back off. 
  • Reply 13 of 42
    lkrupplkrupp Posts: 10,557member
    Rayz2016 said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    No, no one is suggesting that the chap is lying. He thought that the input priority was not allowing the data erasure function to run.  As it turns out the data erasure function was not triggered because less than ten passwords from his string were being tested. What he is guilty of is not getting his results peer reviewed before going public. 



    And just like the tech news media, security researchers are driven by their egos to get a “scoop” on anything negative about Apple. This guy thought he had Apple by the gonads and went with his “research” before double checking and finding out if his colleagues could reproduce the results. It’s typical in the Internet era for journalists and pundits to run with half-baked facts in order to be first.
    edited June 2018 backstabdewmerob53watto_cobra
  • Reply 14 of 42
    addison said:
    The Israelis have a device that they sell to governments that can access all iPhones including the X at will. In the Uk the police will just snoop your phoes if they wish to and no search warrent is required.
    MOSSAD and Shin-Bet don't give a fig about civil liberties or human rights. In the UK I believe people rely on plausible deniability.
  • Reply 15 of 42
    StrangeDaysStrangeDays Posts: 12,840member
    so much for the folks on the other thread that decried, “Apple is getting lazy! Sloppy design!” etc. 
    watto_cobra
  • Reply 16 of 42
    nunzynunzy Posts: 662member
     I never had any doubts about this. Apple builds in security from the ground up.
  • Reply 17 of 42
    NotsofastNotsofast Posts: 450member
    Rayz2016 said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?

    My apologies. I didn't actually answer your second question.

    In a word, no.

    No article I've read (including the one here), has said that he actually broken into the phone. What he has done is demonstrate that the iOS's data erasure function can be bypassed, which could, in theory, lead to the development of an exploit that could be used to break into the phone. If you can stop the phone from erasing itself then you have more chances to break into it.

    Unfortunately, this may not be the case because the reason the experimental phone did not erase itself is because it had not, as he first believed, received the ten password tries that triggers the function.

    Eureka!  Apple Insider please use this post to update your article to explain what happened.  Rayz  thank for you for clarifying what no writer evidently was able to decipher.




  • Reply 18 of 42
    backstabbackstab Posts: 138member
    tmay said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?
    From the article, my reading comprehension has that the guy isn't lying, just that the result "was in error, and a result of incorrect testing" according to Apple. The fact that the initial findings havn't been able to be replicated or validated by a third party indicates that Apple appears to be correct.
    Then I just don't understand whet the "result" was. I had thought the "result" was that this guy had, indeed, brute-forced his way into an iPhone with this method (?)
    watto_cobra
  • Reply 19 of 42
    backstabbackstab Posts: 138member

    Rayz2016 said:
    backstab said:
    Kind of confusing. Is Apple suggesting that the guy is lying? Or was he, in fact, able to break into the phone; or not?
    Which is it?

    My apologies. I didn't actually answer your second question.

    In a word, no.

    No article I've read (including the one here), has said that he actually broken into the phone. What he has done is demonstrate that the iOS's data erasure function can be bypassed, which could, in theory, lead to the development of an exploit that could be used to break into the phone. If you can stop the phone from erasing itself then you have more chances to break into it.

    Unfortunately, this may not be the case because the reason the experimental phone did not erase itself is because it had not, as he first believed, received the ten password tries that triggers the function.



    Thank you. That actually does answer my question.
    I'm still seeing 'newly published' headlines on this subject that make it sound like, indeed, the iPhone "has been hacked" with this method.
    ...infuriating.
    watto_cobra
  • Reply 20 of 42
    barjohn5670barjohn5670 Posts: 1unconfirmed, member
    i'm not sure how this security protect citizens from governments that don't provide them the same protections as the U.S.  In many of those countries they can just torture you to get your pass code. No fancy equipment required. :)
    watto_cobra
Sign In or Register to comment.