Hackers can Break iPhone Passwords by Brute Force? Apple: was in Error

A security researcher has found a way to brute force a password on a current iOS device. In doing so, he was able to bypass the security mechanisms for iOS, thereby putting encrypted data at risk, according to ZDNet. Soon, Apple said on Saturday in an emailed statement that the research was in error.

Apple provided the following statement to Rene Ritchie:

The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.

Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, recently discovered a way to bypass some of Apple’s security measures meant to keep malicious actors out of devices. The attack works even on devices running the most recent version of iOS. According to his research, he could bypass Apple’s 10-error limit, and type as many times as he wants, even on iOS 12. Hickey assed, it would trigger an interrupt request if the hacker sent an input command via the keyboard, which will be prioritized if connecting an iPhone to an iPad.

As he noted: “An attacker just needs a turned on, locked phone and a Lightning cable.”

Since iOS 8 first launched in 2014, iPhones and iPad have come with device encryption. Protected by a four- or six-digit passcode, the combination of software and hardware has made it nearly impossible to break into an iPhone or iPad. Perhaps more importantly, after someone types in the wrong password 10 times on a device, its data gets wiped.

Until on June 24th, 9:30am: Apple pushed back against Hickey’s discovery, claiming that there is no vulnerability.

In a tweet, Hickey said that the PINs doesn’t always go to Apple’s Secure Enclave Processor, which houses the passcode. “So although it looks like PINs are being tested they aren’t always sent and so they don’t count,” he wrote. “The devices register less counts than visible.”