Apple will soon bring the controversial USB Restricted Mode to iPhone and iPad devices with the rollout of iOS 12 later this year. This toggle in the settings will cut off communication through the USB port when the phone has not been unlocked in an hour. With the move, Apple was preventing the use of brute-force attacks to guess the passcode, a method commonly employed by law enforcement authorities and security agencies to crack a locked iPhone. The company had said it was aiming to protect all customers, especially in countries where phones are readily obtained by police or by criminals with extensive resources, and to head off further spread of the attack technique. Despite this upcoming fix to the brute force, an ethical hacker posted a demonstration of a brute-force passcode attack on devices running versions lower than iOS 12. He claimed to have bypassed current protections by sending passcodes combinations at once. Apple replied to the claim by refuting the method, calling it "incorrect testing".
Matthew Hickey, who goes by the pseudonym @hackerfantastic, took to Twitter on Saturday to show how the iPhone's passcode could be bypassed with a simple hack. In a Vimeo video, Hickey is seen connecting a Lightning cable to an iPhone running the latest stable version of iOS 11.3. He also shows, in Settings, that the Erase Data (on multiple wrong attempts) option has been switched on. He then runs his software which sends all passcode attempts ranging from 0000 to 9999 to the iPhone at once, instead of once at a time. The one-minute video shows that the iPhone gets unlocked within seconds of running the software.
He explained the brute-force attack to ZDNet, "If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature." As you know, passcode bypass protections will erase a phone's data after multiple wrong attempts.
After a day of posting about the brute-force attack, the hacker suggested in a correction to his original claim, that the iPhone's Secure Enclave Processor (SEP) appeared to register less PINs than previously thought, due to instances of pocket dialling and/ or overly fast inputs. "When I sent codes to the phone, it appears that 20 or more are entered but in reality its only ever sending four or five pins to be checked," he explained to ZDNet. Hickey said he reported his findings to Apple before tweeting about them.
In a statement to ZDNet, Apple spokesperson Michele Wyman responded to the Hickey's claim, "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing." The company did not provide any details about precisely why it disputes the findings.