An iPhone can be unlocked with a virtual keyboard pretending to type lots of passcodes, a security researcher revealed Friday. By sending all possible four-digit PIN combinations as if they came from a USB keyboard, the cracking method bypasses Apple’s protections against incorrect passcode entry, ultimately unlocking the phone once the correct combination is entered.
In a video posted mid-day Friday, security researcher Matthew Hickey demonstrates that a continuous stream of keyboard input, the equivalent of typing keys very, very fast, containing all the possible passcode combinations is not blocked by Apple’s security features.
Apple has not yet responded to a request for comment. Hickey told ZDNet he reported the flaw to the company.
Apple’s protections against incorrect passcode entry include longer and longer delays between the entry of each wrong code as well as erasing the phone after 10 incorrect password attempts.
But Hickey shows that even with the erase option enabled on his phone, his crack enters code after code on the iPhone without that safeguard ever triggering.
Hickey’s technique may be the method—or one of them—allegedly employed by security firms Cellebrite and Grayshift to crack phones via brute force methods for governments and law enforcement agencies.
Apple recently confirmed an upcoming version of its iOS operating system for iPhones and iPads would have a USB timeout feature enabled by default. After an hour had passed since a user had unlocked their phone (via passcode, Touch ID, or Face ID), the iPhone Lightning port used for USB connections would no longer accept data. This would lock out current cracking tools.
The company also said it has made changes in the low-level software used to allow interaction with peripherals via USB, such as keyboards, to fix security exploits and weaknesses it had found. Hickey’s demonstration only showed the technique working against a recent release of iOS, version 11.3, while the current version is 11.4, and version 12 will be out later this fall.
In Hickey’s demo, the phone processes codes at a rate of about three to five seconds each. For a four-digit code and 10,000 possibilities, that would take days to iterate through every combination. For years, Apple’s iOS recommended that users employ six-digit security codes, which would take weeks to hack via Hickey’s method. But security researchers and malicious parties alike have tables of the most likely codes employed by most people, and prioritize their entry for faster cracking.