
Apple refutes hacker's claim he could break iPhone passcode limit


At first it looked like he found a way to try as many passcodes as he wanted without destroying data. But it turned out the passcodes he tested weren’t always counted.
A security researcher thought he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren’t always counted.
“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing,” Apple spokeswoman Michele Wyman said Saturday in an emailed statement.
Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet’s Zack Whittaker.
But Hacker House co-founder Matthew Hickey figured out a way “to bypass the 10-time limit and enter as many codes as he wants — even on iOS 11.3,” Whittaker wrote. (See video below for Hickey’s demo.)
Hickey “explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device,” Whittaker wrote.
“Instead of sending passcodes one at a time and waiting, send them all in one go,” Hickey told ZDNet. “If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature.”
But Hickey tweeted later Saturday that not all tested passcodes “go to the [secure enclave processor] in some instances — due to pocket dialing [or] overly fast inputs — so although it ‘looks’ like pins are being tested they aren’t always sent and so they don’t count, the devices register less counts than visible.”
And in a message to Whittaker Saturday, Hickey added: “I went back to double check all code and testing… When I sent codes to the phone, it appears that 20 or more are entered but in reality it’s only ever sending four or five pins to be checked.”
First published June 23 at 1:04 p.m. PT. Update at 9:10 p.m. PT: Adds Apple refuting Hickey’s report and Hickey tweeting and commenting to ZDNet about how passcodes weren’t being counted.
