SecureMac, Inc.

Computer security news. Just for Macs.

Get the latest computer security news for Macs and be the first to be informed about critical updates. Industry news, security events and all you need right at your fingertips. Malware threats change daily, so keep up to date on the latest developments to help ensure your privacy and protection. You can never be too safe.

Researcher Discloses Potential Brute Force Attack on iPhone; Apple Says It’s Not Real

Posted on July 3, 2018

A strong passcode is one of the most important elements of personal security on iOS devices. While it has been some time since Apple introduced the stronger six-digit passcodes (which they now recommend), many people continue to use the four-digit PIN. According to one recent report by a security researcher, the iPhone could be vulnerable to an extremely simple brute force attack which would render those four digits useless. However, Apple has since taken the public stance that the vulnerability as described does not exist. What’s going on here?

In a video posted by the researcher, Matthew Hickey, he demonstrates an attack using the iPhone’s USB connection to send password attempts to the device. Instead of sending each string individually (e.g., 0000, then 0001, then 0002), every possible combination all the way up to 9999 is sent to the phone en masse. According to Hickey, iOS becomes overwhelmed, and the string takes priority over any other system functions. It then tries each one, supposedly bypassing both the lock and the setting that erases the device after ten failures. At first glance, this would seem to be a serious and extremely simple attack to execute.

According to Apple, Hickey simply made a mistake in his testing and misunderstood what iOS was doing with the inputs. In reality, though the phone may appear as though it’s checking each passcode, it’s actually only sending a fraction of the attempts to the Secure Enclave coprocessor for validation. For example, in a second test Hickey conducted involving sending 20 passcodes at once, only about 25% were checked. In other words, there is no real vulnerability at work here. This method ultimately is as “effective” as trying to enter each 4-digit combination manually and does not impact security features such as the built-in time delays or the auto-erase feature.

Even if this attack were a possibility, the ability to use the USB port as an attack vector is shrinking with the upcoming rollout of iOS 12. As previously reported on SecureMac, Apple will soon deploy the “USB Restricted Mode,” designed to automatically shut off access to the phone’s data port one hour after the last valid user authentication. Designed to fight back against police unlockers and other exploitative devices such as GrayKey, USB Restricted Mode should put stories like this one to bed for good.

Join our mailing list for the latest security news and deals