Discovered a way to bypass the protection from brute force password on iPhone/iPad

Attack allows criminals to carry out any number of password attempts on locked Apple device without the risk that the protective mechanism works, erasing all data.

Since then, in 2014, has been released iOS 8, all iPhones and iPads use encryption. Often protected 4 - or 6-digit password these devices are practically invulnerable to tampering, thanks to a combination of hardware and software security. In case of exceeding the allowed number of password attempts all data on the device are removed.

But Matthew Hickey, a security researcher and co-founder of Hacker House found a way to bypass the limitation of 10 attempts to enter as many passwords as you want — even on iOS 11.3.

The attacker need only blocked enabled smartphone and Lightning cable.

Under normal conditions on the iPhones and iPads are limited in the number of password attempts per minute. Latest Apple devices have a separate chip to protect against brute force attacks, which counts the number of password attempts has been done, and slows the response with each new error.

Hickey was able to bypass this protection. He explained that when an iPhone or iPad is connected, and the attacker sends keystrokes, it triggers an interrupt that has the highest priority on the device.

Instead of having to send passwords one at a time and wait for response, send them all at once. If you run brute force attack a long string, it will be treated entirely as one try a password that will allow you to avoid the detection of selection and deletion of data.

An attacker may send all the passwords at once, listing them on one line with no spaces. Due to the fact that it does not give the software breaks the process of handling keyboard input holds a higher priority, not allowing to start the process of counting attempts and deleting data from the device. This means that the attack is possible only after loading of the device, says Hickey, because then you run more programs.

In the upcoming iOS update will be submitted to the 12 limit mode USB, which will make it impossible to use the port for anything except charging the device, if it has been over an hour since the last unlock. This will limit the possibility of exploitation of the found vulnerabilities, since during a brute force attack to check each password spent 3-5 seconds, allowing for hours only to find a four-digit password, but not six.

Hickey sent Apple an email with a description of the vulnerability, but has not yet received a response.

To find this bug was easy. I think other will do it, or already did it.

UPD 23.06.2018

Matthew wrote in his Tweeter that Apple launched an investigation on the basis of information in the course of which they might explain this behavior of the phone, and also called existing measures to protect against the demonstrated attack is not seen them.