Apple has dismissed claims by a security researcher who said he had discovered a way to brute-force his way into an iPhone.

The researcher in question, Matthew Hickey, co-founder of cybersecurity firm Hacker House, tweeted last week that he had found a way to crack the passcode on Apple’s iPhones.

Hickey even posted a video of the hack in action, which supposedly bypassed Apple’s security protections by permitting him to enter as many passcodes as he wanted – even on the latest OS (iOS 11.3).

Brute-force claim

Hickey claimed on Twitter that he had a way to “brute force 4/6digit PIN’s without limits”. Essentially, his brute-force technique involves sending all possible passcodes (0000 to 9999) to an iPhone that is plugged in – all at once.

The claim is that by not leaving time for individual processing, and sending the brute-force attack in one long string of inputs (with no spaces), the iPhone will process all of them, and supposedly bypass the erase data feature.

As iPhone users are aware, they only have so many attempts to enter a passcode before the device responds. Repeated incorrect attempts will see them denied access to the device, as the FBI found out to its cost when Apple refused an FBI request to help unlock an iPhone belonging to one of the San Bernardino terrorists, Syed Rizwan Farook, in early 2016.

Repeatedly entering incorrect passcodes also runs the risk of wiping the iPhone’s contents, because users can set the device to erase its contents after ten incorrect passcode attempts.

Maybe not

At the time of Hickey’s video, some in the security industry had cast doubts on its viability.

Stefan Esser, CEO of security firm Antid0te UG, disputed Hickey’s initial findings:

“Is there a video where this actually works?” he tweeted. “I mean: you send the real passcode in one go and it ends up unlocking. I believe I tried something like this and it turned out that all those subsequent fails are because the device doesn’t actually try those passcodes until you pause.”

And now Apple has stepped into the fray and dismissed Hickey’s initial claim in a brusque statement.

“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing,” company spokesperson Michele Wyman was quoted by BetaNews as saying.

Hickey later admitted he was wrong in another tweet, and said that Stefan Esser was right.

“It seems @i0n1c may be right, the pins don’t always go to the SEP in some instances (due to pocket dialing / overly fast inputs) so although it “looks” like pins are being tested they aren’t always sent and so they don’t count, the devices register less counts than visible,” Hickey subsequently tweeted.

For the record, the FBI said it had eventually cracked Syed Farook’s iPhone after it was “independently unlocked” by an outside party in late 2016. The bureau then dropped its lawsuit against Apple.

Tom Jowitt