Apple pushes back on hacker’s iPhone passcode bypass report

By: Zack Whittaker

Bangkok, Thailand – December 12, 2015 : Apple iPhone5s held in one hand showing its screen with numpad for entering the passcode.

The researcher later found that passcodes he tested weren’t always counted.

Apple has pushed back on a security researcher’s demonstration that purportedly bypassed the passcode limit on up-to-date iPhones and iPads.

Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, tweeted Friday about a potential way to bypass security limits, allowing him to enter as many passcodes as he wants — even on the latest version of iOS 11.3.

Beyond ten wrong passcodes, the device can be set to erase its contents.

Hickey said he found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.

“Instead of sending passcode one at a time and waiting, send them all in one go,” he said.

“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.

After several requests for comment, Apple spokesperson Michele Wyman said Saturday: “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”

Apple did not say why it disputed Hickey’s findings, which he reported to the company Friday, before tweeting.

We reported Friday on Hickey’s findings, which claimed to be able to send all combinations of a user’s possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature.

But Hickey tweeted later, saying that not all tested passcodes are sent to the device’s secure enclave, which protects the device from brute-force attacks.