Apple refutes hacker's claim he could break iPhone passcode limit
At first it looked like he had found a way to try as many passcodes as he wanted without destroying data. But it turned out the passcodes he tested weren't always counted.
A security researcher thought he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted.
"The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement.
Since the 2014 release of iOS 8, iPhones and iPads have shipped with device encryption keyed to the user's passcode, typically four or six digits. With the optional Erase Data setting turned on, 10 wrong passcodes in a row wipe the device, as ZDNet's Zack Whittaker explained.
But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote. (See video below for Hickey's demo.)
Hickey "explained that when an iPhone or iPad is plugged in and a would-be hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device," Whittaker wrote.
"Instead of sending passcodes one at a time and waiting, send them all in one go," Hickey told ZDNet. "If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature."
But Hickey tweeted later Saturday that not all tested passcodes "go to the [secure enclave processor] in some instances -- due to pocket dialing [or] overly fast inputs -- so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register fewer counts than visible."
And in a message to Whittaker Saturday, Hickey added: "I went back to double check all code and testing ... When I sent codes to the phone, it appears that 20 or more are entered but in reality it's only ever sending four or five pins to be checked."
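The testing error Hickey describes is easy to reproduce in a model, and worth seeing because it explains why the attack looked like it worked. The following Python is an added illustration written for this article; it is not Apple's code and not Hickey's harness. It models a lock screen fed by a USB keyboard in front of a verifier that, like the Secure Enclave, is the only component that counts failed attempts. The number of ticks the screen ignores input while a check is in flight (CHECK_BUSY_TICKS) and the rule that keystrokes arriving during that window are simply lost are assumptions chosen to reproduce the effect, not measured iOS behaviour. The point it demonstrates is general: when the attacker counts what was typed instead of what the verifier actually checked, fast input both undercounts attempts and scrambles which passcodes get tried.

```python
"""Model: why "passcodes typed" is not "passcodes counted".

Added example for the article above, not Apple's or Hickey's code.
CHECK_BUSY_TICKS and the drop-while-busy rule are assumptions.
"""
from dataclasses import dataclass, field

WIPE_AFTER = 10        # the Erase Data limit discussed in the article
CHECK_BUSY_TICKS = 15  # ASSUMPTION: ticks the UI ignores input during a check
PIN_LENGTH = 4


@dataclass
class Verifier:
    """Stand-in for the SEP side: the attempt counter lives here and nowhere else."""
    secret: str
    failures: int = 0
    wiped: bool = False
    unlocked: bool = False
    checked: list = field(default_factory=list)  # every passcode actually verified

    def check(self, pin):
        if self.wiped or self.unlocked:
            return self.unlocked        # a wiped device never unlocks
        self.checked.append(pin)
        if pin == self.secret:
            self.unlocked = True
            return True
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
        return False


@dataclass
class LockScreen:
    """UI layer: buffers digits; while a check is in flight, keystrokes are lost."""
    verifier: Verifier
    busy_until: int = 0
    buffer: str = ""
    received: int = 0   # what the attacker's keyboard sent
    dropped: int = 0    # what the UI never saw

    def idle(self, now):
        return now >= self.busy_until

    def keystroke(self, ch, now):
        self.received += 1
        if not self.idle(now):
            self.dropped += 1
            return
        if ch.isdigit():
            self.buffer += ch
            if len(self.buffer) == PIN_LENGTH:
                self.verifier.check(self.buffer)
                self.buffer = ""
                self.busy_until = now + CHECK_BUSY_TICKS


def candidates(n):
    """Constructed candidate list: 0000, 0001, ... as zero-padded strings."""
    return [f"{i:0{PIN_LENGTH}d}" for i in range(n)]


def blast(pins, secret="9999"):
    """The 'one long string' method: every keystroke back to back, one per tick.
    Returns (lock_screen, verifier) so the two sides' counts can be compared."""
    v = Verifier(secret)
    ui = LockScreen(v)
    for now, ch in enumerate("".join(pins)):
        ui.keystroke(ch, now)
    return ui, v


def paced(pins, secret="9999"):
    """Correct testing: wait for the UI to be idle before each keystroke so every
    candidate reaches the verifier intact, and stop once the device unlocks."""
    v = Verifier(secret)
    ui = LockScreen(v)
    now = 0
    for pin in pins:
        if v.unlocked:
            break
        for ch in pin:
            now = max(now, ui.busy_until)
            ui.keystroke(ch, now)
            now += 1
    return ui, v


if __name__ == "__main__":
    ui, v = blast(candidates(20))
    print(f"blast: sent {ui.received} keys, verifier checked {v.checked}, wiped={v.wiped}")
    ui, v = paced(candidates(20))
    print(f"paced: verifier checked {len(v.checked)} passcodes, wiped={v.wiped}")
```

Run stand-alone, the blast case sends 20 candidates (80 keystrokes) but the verifier sees only five checks, and two of them ("0400", "1300") are digits from two adjacent candidates glued together, so they are not passcodes the tester ever meant to try. The paced case delivers every candidate, and the counter wipes the device on the tenth failure exactly as designed. The lesson for testing a lockout is to count on the verifying side, or to pace input so that each attempt is acknowledged before the next is sent; counting keystrokes on the attacking side measures nothing.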
First published June 23 at 1:04 p.m. PT.
Update at 9:10 p.m. PT: Adds Apple refuting Hickey's report and Hickey tweeting and commenting to ZDNet about how passcodes weren't being counted.