In order to prevent a locked Apple iPhone from being opened by a hacker, Apple allows users to choose a four or six digit passcode. And to further protect the passcode from being discovered, after ten incorrect attempts to punch in the correct digits, the iPhone will automatically be wiped and the information inside is gone forever. Now, a security researcher named Matthew Hickey has discovered a way to bypass the passcode limit allowing him to try as many different passcode combinations as he wants, even on iOS 11.3.
All that is required for the hack is a locked iPhone turned on, and a Lightning cable. When a user starts punching in passcodes trying to unlock the device, a part of the hardware called the secure enclave keeps track of the number of attempts that have been made, and is slower to respond with each incorrect entry. Getting around this is actually easy with the use of a brute force attack. Instead of entering passcodes one at a time and waiting after each entry, Hickey says you should send your entries in one very long string of inputs. Doing this will bypass the passcode limit and the phone will process all of your passcode entries.
All four-digit codes from 0000 to 9999 should be sent with no spaces. When an iPhone is plugged in, keyboard input has precedence over the phone's passcode limit feature. Thus, using this brute force attack results in the handset working through the string of four-digit passcodes you've entered and unlocking the phone before the device is wiped. Time, however, is an issue. Because the iPhone takes three to five seconds to process each passcode, it would take an hour to go through just 100 different passcodes. And while this method will also work with six-digit passcodes by running all of the possibilities between 000000 and 999999 at one time, it would take weeks for the iPhone to complete the task. If you've got enough time to test this out, remember that the iPhone you're cracking open must be plugged in.
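To make the failure mode concrete, here is an added toy model (not Apple's or Hickey's code; the `Enclave` class, its counter fields and the two verifier functions are assumptions for illustration): a verifier that reconciles the attempt counter only after consuming a whole input buffer, beside one that commits the counter before each comparison so a batched string gains nothing.

```python
from dataclasses import dataclass

WIPE_AFTER = 10  # the article's policy: ten wrong attempts and the device is wiped


@dataclass
class Enclave:
    """Hypothetical stand-in for the secure enclave's attempt counter."""
    passcode: str
    attempts: int = 0
    wiped: bool = False

    def matches(self, candidate: str) -> bool:
        return not self.wiped and candidate == self.passcode


def split_codes(buffer: str, width: int) -> list:
    """Slice a separator-free input string into fixed-width passcode guesses."""
    return [buffer[i:i + width] for i in range(0, len(buffer), width)]


def naive_verify(enclave: Enclave, buffer: str, width: int = 4) -> bool:
    """Flawed model: the whole buffer is compared first and the counter is
    reconciled only afterwards, so the wipe policy never interrupts a batch."""
    codes = split_codes(buffer, width)
    unlocked = any(enclave.matches(code) for code in codes)
    enclave.attempts += len(codes)
    if not unlocked and enclave.attempts >= WIPE_AFTER:
        enclave.wiped = True
    return unlocked


def hardened_verify(enclave: Enclave, buffer: str, width: int = 4) -> bool:
    """Hardened model: the counter is committed before each comparison and the
    wipe threshold is checked per attempt, so batching buys nothing."""
    for code in split_codes(buffer, width):
        if enclave.wiped:
            return False
        enclave.attempts += 1  # committed before the comparison, not after the batch
        if enclave.matches(code):
            enclave.attempts = 0
            return True
        if enclave.attempts >= WIPE_AFTER:
            enclave.wiped = True
            return False
    return False
```

Feeding both models a constructed buffer of twelve concatenated codes whose last entry is correct shows the difference: the naive verifier unlocks, the hardened one wipes on the tenth wrong guess and never reaches the correct code.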
Earlier this month, we told you that on iOS 12, Apple's USB Restricted Mode will prevent the proprietary Lightning USB port on the iPhone from being used to communicate with other devices if the phone has not been unlocked within the past hour. That will prevent cracking machines like the GrayKey from using the Lightning port to disable the passcode limit on an iPhone. But Grayshift, the company behind the GrayKey, says that it has been able to defeat USB Restricted Mode. If true, that puts the ball back in Apple's court as each side works hard to stay one step ahead of the other.
The USB Restricted Mode does limit the time that someone has to employ Hickey's brute force hack. With iOS 12, you must enter the string of passcodes before an hour passes since the last time that the phone was unlocked. While that doesn't make it impossible to use the hack with iOS 12, it does complicate things a great deal.
Meanwhile, you can check out a video showing Hickey's brute force hack by clicking on the clip found at the top of this article.