Slashdot Mirror


Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com)

A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.

6 of 96 comments

  1. Re:Wipe phone?? by Anonymous Coward · · Score: 2, Informative

    So I can wipe someone's phone without their consent? Is this a feature or a bug?

    Well, yes. Of course after 5 attempts you have to wait an increasing time before another attempt - so all you have to do is type in 10 wrong passcodes spread unevenly over 3 hours.

  2. Re:I had a similar problem by Anonymous Coward · · Score: 2, Informative

    This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a successful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the PIN in the meantime using another phone).

  3. Re:urgk by Anonymous Coward · · Score: 2, Informative

    They can claim that, but watch the video he tweeted

    https://twitter.com/hackerfantastic/status/1010240042990596096

    It looks pretty clearly to me like the iPhone responded with 11 failed attempts. 11 times in a row, you can see the 6 dots (representing the digits) fill up and then the phone buzzed indicating a failed attempt and the dots all cleared. On the 12th time, it unlocked.

    So are they claiming the phone just pretended to try some of them without actually trying them, thus the user could have actually entered the correct code but the phone would have "rejected" it (gave the user the visual/vibration feedback indicating that it didn't work) without even actually trying?

  4. Re:urgk by Junta · · Score: 4, Informative

    Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Re: urgk by UnknowingFool · · Score: 5, Informative

    You mean it was an unclear summary. The story itself lays it out: the hacker said there is a way to send a stream of passcode attempts via cable to the iPhone which would override the 10 attempt limit. He later had to admit that the method he used did not always send the attempt correctly to the phone and it was ignored, thus not hitting the limit. He thought he sent 20 attempts when in reality it was 5 or 6.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. Option in settings... by The New Guy 2.0 · · Score: 4, Informative

    I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.

    So there you have it, not all iPhones wipe after ten bad attempts.