Researcher Discloses Potential Brute Force Attack on iPhone; Apple Says It’s Not Real

A strong passcode is one of the most important elements of personal security on iOS devices. While it has been some time since Apple introduced the stronger six-digit passcodes (which they now recommend), many people continue to use the four-digit PIN. According to one recent report by a security researcher, the iPhone could be vulnerable to an extremely simple brute force attack which would render those four digits useless. However, Apple has since taken the public stance that the vulnerability as described does not exist. What’s going on here?

In a video posted by the researcher, Matthew Hickey, he demonstrates an attack using the iPhone’s USB connection to send password attempts to the device. Instead of sending each string individually (e.g., 0000, then 0001, then 0002), every possible combination all the way up to 9999 is sent to the phone en masse. According to Hickey, iOS becomes overwhelmed, and the string takes priority over any other system functions. It then tries each one, supposedly bypassing both the lock and the setting that erases the device after ten failures. At first glance, this would seem to be a serious and extremely simple attack to execute.

According to Apple, Hickey simply made a mistake in his testing and misunderstood what iOS was doing with the inputs. In reality, though the phone may appear as though it’s checking each passcode, it’s actually only sending a fraction of the attempts to the Secure Enclave coprocessor for validation. For example, in a second test Hickey conducted involving sending 20 passcodes at once, only about 25% were checked. In other words, there is no real vulnerability at work here. This method ultimately is as “effective” as trying to enter each 4-digit combination manually and does not impact security features such as the built-in time delays or the auto-erase feature.

Even if this attack were a possibility, the ability to use the USB port as an attack vector is shrinking with the upcoming rollout of iOS 12. As previously reported on SecureMac, Apple will soon deploy the “USB Restricted Mode,” designed to automatically shut off access to the phone’s data port one hour after the last valid user authentication. Designed to fight back against police unlockers and other exploitative devices such as GrayKey, USB Restricted Mode should put stories like this one to bed for good.