Researcher finds way to brute-force PIN codes on iOS – update

A researcher has managed to circumvent the iOS protection that limits how often an incorrect PIN can be entered. The trick also bypasses the setting that erases all data after an incorrect PIN code has been entered ten times.

The security researcher, Matthew Hickey, demonstrated his method of bypassing PIN protection in iOS in a video. The method requires an iPhone or iPad to be connected to a PC or laptop via a Lightning cable, and the iOS device must be turned on.

Hickey found that the iOS operating system prioritizes keyboard input over the security routine that checks how many times an incorrect PIN has been entered. This allowed Hickey to send all possible PINs to the iPhone as a single string, so that they were tried one after another until the iPhone was unlocked.

Apple will probably take measures against the demonstrated hack in the upcoming version of iOS. iOS 12 includes a ‘USB Restricted Mode’, in which the Lightning port can only be used for charging after an hour. This means that hacks such as the one shown by Hickey only work if the device has been unlocked in the past hour. Furthermore, the researcher’s method is slow; only around 400 four-digit PINs are checked per hour.

An Apple spokesperson has said the company disputes the researcher’s findings. In a response to ZDNet, Michele Wyman indicated that the result was an error caused by incorrect testing. However, no further explanation was given.

Update 12:19 pm: the security researcher has taken another look at his test results and noted that not all codes sent to the iPhone were actually checked. As a result, it is not clear whether the method actually bypasses security in iOS.