Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com)

Posted by msmash on from the he-says-she-says dept.

A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.

11 of 96 comments (clear)

  1. He was holding it wrong by volodymyrbiryuk · · Score: 4, Funny

    The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing

    He was using/holding it wrong.

    --
    sudo rm -r -f --no-preserve-root /
  2. urgk by cascadingstylesheet · · Score: 4, Interesting

    What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.

    If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).

    1. Re:urgk by Anonymous Coward · · Score: 2, Informative

      They can claim that, but watch the video he tweeted

      https://twitter.com/hackerfantastic/status/1010240042990596096

      It looks pretty clearly to my like the iphone responded with 11 failed attempts. 11 times in a row, you can see the 6 dots (representing the digits) fill up and then the phone buzzed indicating a failed attempt and the dots all cleared. On the 12th time, it unlocked.

      So are they claiming the phone just pretended to try some of them without actually trying them, thus the user could have actually entered the correct code but the phone would have "rejected" it (gave the user the visual/vibration feedback indicating that it didn't work) without even actually trying?

    2. Re:urgk by Junta · · Score: 4, Informative

      Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:urgk by NoNonAlphaCharsHere · · Score: 2

      Fucking Apple can't even handle a simple buffer overrun properly. If it were a Microsoft product it would have allowed remote arbitrary code execution with administrator privilege.

    4. Re: urgk by UnknowingFool · · Score: 5, Informative

      You mean it was an unclear summary. The story itself lays it out: the hacker said there is a way to send a stream of passcode attempts via cable to the iPhone which would override the 10 attempt limit. He later had to admit is that the method he used did not always send the attempt correctly to the phone and it was ignored thus not hitting the limit. He thought he sent 20 attempts when reality it was 5 or 6.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  3. Re:Wipe phone?? by Anonymous Coward · · Score: 2, Informative

    So I can wipe someone's phone without their consent? Is this a feature or a bug?

    Well, yes. Of course after 5 attempts you have to wait an increasing time before another attempt - so all you have to do is type in 10 wrong passcodes spread unevenly over 3 hours.

  4. Re:I had a similar problem by Anonymous Coward · · Score: 2, Informative

    This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the PIN in the meantime using another phone) .

  5. Option in settings... by The+New+Guy+2.0 · · Score: 4, Informative

    I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.

    So there you have it, not all iPhones wipe after ten bad attempts.

  6. Re:Wipe phone?? by jellomizer · · Score: 3, Funny

    Hey, no trying to use reasonable facts to get us off our irrational hate Apple Rant. We need to feel good about our Android Phones, sure Android has its own problems, but gosh darn it! Apple is evil ... EVIL!

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  7. Re:Wipe phone?? by F.Ultra · · Score: 2

    I would assume that the people who enable it (yes you have to enable it) have made a decision that the risk of having the phone accidentally wiped is less than the risk of the information on it getting leaked. There is also this odd thing called backups that you can do which will severely lessen the problem of a deliberate wipe.