Bargains for Under $25 HP Envy 34 All-in-One PC Review Best Fitbits T-Mobile Data Breach Settlement ExpressVPN Review Best Buy Anniversary Sale Healthy Meal Delivery Orville 'Out Star Treks' Star Trek
Want CNET to notify you of price drops and the latest stories?
No, thank you

Apple refutes hacker's claim he could break iPhone passcode limit

At first it looked liked he found a way to try as many passcodes as he wanted without destroying data. But it turned out the passcodes he tested weren't always counted.

Amazon, Instagram and Uber app on Various Devices
A hacker thought he found a way to by bypass the iOS passcode entry limit.

A security researcher thought he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted.

"The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. 

Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker.

But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote. (See video below for Hickey's demo.)

Hickey "explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device," Whittaker wrote.

"Instead of sending passcodes one at a time and waiting, send them all in one go," Hickey told ZDNet. "If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature."

But Hickey tweeted later Saturday that not all tested passcodes "go to the [secure enclave processor] in some instances -- due to pocket dialing [or] overly fast inputs -- so although it 'looks' like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible."

And in a message to Whittaker Saturday, Hickey added: "I went back to double check all code and testing ... When I sent codes to the phone, it appears that 20 or more are entered but in reality its only ever sending four or five pins to be checked."

First published June 23 at 1:04 p.m. PT.
Update at 9:10 p.m PT: Adds Apple refuting Hickey's report and Hickey tweeting and commenting to ZDNet about how passcodes weren't being counted.

Now playing: Watch this: 5 new features in iOS 12