Companies like Grayshift help police bypass the passcodes on locked iPhones. One might think that this requires some byzantine hacking skills. Apparently not.
A hacker reports that iOS has a soft spot when it comes to external keyboards, allowing someone to send as many passcode attempts as desired. The passcodes have to be submitted correctly, though.
Matthew Hickey, co-founder of Hacker House, told ZDNet that the secret to getting around the limit is: “Instead of sending passcodes one at a time and waiting, send them all in one go. If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature.”
He created a video demonstrating the technique.
Hickey has reported his finding to Apple.
We at CultOfMac tried this with an iPad and iPhone and a ZAGG Wired Lightning Keyboard. We were not able to reproduce Hickey’s reported effect, no matter how quickly we typed possible passcodes.
Apple responded to the hacker’s claims by saying “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”
And Hickey himself admitted on Twitter that not all the passcodes being submitted by his “brute force” attack are actually being tested. “The pins don’t always go to the SEP [the iPhone’s Secure Enclave] in some instances (due to pocket dialing / overly fast inputs) so although it ‘looks’ like pins are being tested they aren’t always sent and so they don’t count, the devices register less counts than visible.”
Hackers vs. iPhone passcode limit
Clearly, there is a way to use the Lightning port to bypass the limit on the number of passcodes that can be entered. Grayshift’s GrayKey iPhone unlocker employs one, and many law enforcement agencies around the U.S. have purchased this tool.
That’s why Apple added USB Restricted Mode to iOS 12. This partially deactivates the Lightning port if the device hasn’t been unlocked with the correct passcode for an hour. When it kicks in, the Lightning port can only be used for power.
This article was updated on June 25 at 9:45 am with Apple’s response to Hickey’s claim. Hickey’s admission that he may have made a mistake was also added.