Back to Home

A way to bypass the password protection protection on the iPhone / iPad has been detected. Not really

The attack allows attackers to make any number of attempts to enter a password on a locked Apple device without risk · which will trigger a protective mechanism that erases all data. Since ...

A way to bypass the password protection protection on the iPhone / iPad has been detected. Not really

Original author: Zack Whittaker
  • Transfer
image

The attack allows attackers to make any number of attempts to enter a password on a locked Apple device without risk, which will trigger a protective mechanism that erases all data.

Since iOS 8 was released in 2014, all iPhones and iPads use encryption. Often protected by a 4- or 6-digit password, these devices become virtually invulnerable to hacking, thanks to a combination of software and hardware security. If the number of attempts to enter a password is exceeded, all data from the device is deleted.

But Matthew Hickey, a security researcher and co-founder of Hacker House, found a way to get around the limit of 10 attempts and enter as many passwords as he wants - even on iOS 11.3.
The attacker needs only the included locked smartphone and Lightning-cable.
Under normal conditions on iPhones and iPads, the number of attempts to enter a password per minute is limited. The latest Apple devices contain a separate chip for protection against brute force attacks, which counts how many password attempts were made and slows down the response with each new error.

Hickey managed to circumvent this defense. He explained that when an iPhone or iPad is connected, and the attacker sends keystrokes, this triggers the interrupt, which has the highest priority on the device.
Instead of sending passwords one at a time and waiting for a response, send them all at once. If you launch a brute force attack in one long line, it will be processed entirely as one attempt to enter a password, thus avoiding detection of picking and deleting data.

The attacker can send all passwords at once, listing them on one line without spaces. Due to the fact that this does not give the software breaks, the processing of keyboard input holds a higher priority, preventing the counting process of attempts to enter and delete data from the device to start. This means that the attack is possible only after loading the device, says Hickey, since then more programs are running.

In the upcoming iOS 12 update, the USB restriction mode will be introduced, which will make it impossible to use the port for anything other than charging the device if more than an hour has passed since the last unlock. This will limit the exploitation of the found vulnerability, since during a brute-force attack it takes 3-5 seconds to check each password, which will allow finding only a four-digit password in an hour, but not a six-digit one.

Hickey sent Apple a letter describing the vulnerability, but has not yet received a response.
Find this bug was easy. I think others will do it, or they have already done it.

UPD 06/23/2018

Matthew tweeted that Apple launched an investigation based on the information provided to them, during which they might explain this smartphone behavior and also call the existing protection measures against the demonstrated attack that they did not notice.

UPD June 24,

2017 Apple spokeswoman Michelle Wyman said the recent report on how to bypass the protection on the iPhone is a mistake and the result of incorrect testing.

Hickey later wrote on his Twitter feed that, it seems, not all transmitted passwords actually reached the device:
Passwords do not in all cases fall into the security module. That is, although it looked as if they had been entered, in fact they were not checked by the device for correctness and did not increase the count of entry attempts.

Hickey thanks Stefan Esser for his help.

I am back to re-checking the code and testing process. When I sent the passwords to the smartphone, it seemed that 20 or more of them were entered, but in fact only 4-5 passwords were sent to the device for checking.

Read Next