Apple iOS Passcode Crack Revealed by Security Researcher. Watch the Exploit in Action

An iPhone can be unlocked with a virtual keyboard pretending to type lots of passcodes, a security researcher revealed Friday. By sending all possible four-digit PIN combinations as if they came from a USB keyboard, the cracking method bypasses Apple’s protections against incorrect passcode entry, ultimately unlocking the phone once the correct combination is entered.

In a video posted mid-day Friday, security researcher Matthew Hickey demonstrates that sending a continuous stream of keyboard input (the equivalent of typing keys very, very fast) containing all the possible passcode combinations is not blocked by Apple’s security features.

Apple has not yet responded to a request for comment. Hickey told ZDNet he reported the flaw to the company.

Apple’s protections against incorrect passcode entry include longer and longer delays between the entry of each wrong code as well as erasing the phone after 10 incorrect password attempts.

But Hickey shows that even with the erase option enabled on his phone, his crack inputs code after code on the iPhone without that safeguard ever triggering.

Hickey’s technique may be the method—or one of them—allegedly employed by security firms Cellebrite and Grayshift to crack phones via brute force methods for governments and law enforcement agencies.

Apple recently confirmed an upcoming version of its iOS operating system for iPhones and iPads would have a USB timeout feature enabled by default. After an hour had passed since a user had unlocked their phone (via passcode, Touch ID, or Face ID), the iPhone Lightning port used for USB connections would no longer accept data. This would lock out current cracking tools.

The company also said it has made changes in the low-level software used to allow interaction with peripherals via USB, like keyboards, to fix security exploits and weaknesses it had found. Hickey’s demonstration only showed it in action against a recent release of iOS, version 11.3, while the current version is 11.4, and version 12 will be out later this fall.

In Hickey’s demo, the phone processes codes at a rate of about three to five seconds each. For a four-digit code and 10,000 possibilities, that would take days to iterate through every combination. For years, Apple’s iOS recommended that users employ six-digit security codes, which would take weeks to hack via Hickey’s method. But security researchers and malicious parties alike have tables of the most likely codes employed by most people, and prioritize their entry for faster cracking.


Twitter Suspends Accounts That Posted Trump Advisor Stephen Miller’s Phone Number

Twitter temporarily suspended user accounts that either posted Trump advisor Stephen Miller’s cell phone number, or that linked to an article in Splinter magazine that included the number, including the Splinter Twitter account. The total number of suspensions is unknown.

In explaining the suspensions, a Twitter spokesperson said, “It’s against our policies to share other people’s private information on Twitter, including directly linking to that information. Today, we temporarily blocked accounts that shared this information until they deleted the Tweet that violated our rules.”

Posting sensitive personal information about an individual or organization, especially a home address and direct phone number, is known as “doxing.” It can be judged as abusive behavior by social networks and websites even if the information is available publicly online with little effort required beyond searching.

What was rare in this case was Twitter suspending accounts that linked to a news site that contained the phone number in an article, as opposed to posting the information directly in a Twitter message or via a screenshot. Twitter’s enforcement of its rule has been criticized as uneven, with many users noting that Donald Trump had in 2015 posted the personal numbers of Sen. Lindsey Graham and Jorge Ramos, an anchor at Univision. Most recently, on June 19, Twitter suspended @iceHRgov, an account that was tweeting out a list of information about ICE employees scraped from publicly available LinkedIn biographies.

Splinter, part of Univision’s Gawker Media Group, published the phone number in an article mid-day Tuesday. Twitter users began tweeting the phone number directly and linking to Splinter’s article. The number was then posted in articles at other sites, such as The Wrap, and by other journalists at Splinter and partner publications, some of whose Twitter accounts were suspended, as were those of unrelated journalists, such as David Klion.

Miller’s number was ostensibly provided through a reporter who had previously been in touch. The number was changed later in the day. The article remains active.

Twitter has multiple forms of account suspension, and it appeared to invoke one that locks an account and hides tweets that Twitter marked as violating its rules until the account owner agrees to delete the tweet. There is typically a 12-hour delay that follows before the user can then resume normal use of the account.

Later in the day, Twitter stopped suspending accounts, although it appears earlier suspensions remain in effect or are counting down the 12-hour ban. A spokesperson explained, “At this time, the number that was previously being shared is no longer a valid number and, as such, we are no longer enforcing our policy against individuals Tweeting or linking to that information.”
