iPhone pwned? Researcher says he can unlock iOS without running out of tries

Many, if not most, iPhone users set up numeric lock codes on their iOS devices, for the simple reason that all-digit PINs are a lot easier to type on a mobile phone keypad.

Apple’s default setting demands that you choose at least six digits, although you can go for more if you want – but you can also go down to as few as four digits. (Don’t.)

With just 10,000 different 4-digit possibilities (0000-9999), and 1 million choices with a 6-digit PIN, you’d think that short lock codes would be way too easy to guess, except for two neat features built into iDevices:

  • PIN codes take a few seconds each to be processed at best, so even if a crook could guess forever and type infinitely fast, trying out 1,000,000 codes would take them days or even weeks.
  • You can set up your iPhone to wipe its data automatically after 10 mistakes, in the same way that your mobile phone SIM card will deactivate itself after you’ve entered 10 incorrect unlock codes.

The “10 strikes and you’re out” counter can’t easily be reset, because the data about how many tries you’ve already used up is managed and stored in Apple’s secure enclave, a special, tamper-proof circuit board that also contains the fingerprint scanner.

In theory, the secure enclave forms what’s called an HSM, or Hardware Security Module, designed so that you can’t tweak its contents even if you open up the phone and try to remove the chip to connect it up to hardware of your own and access it directly.

However, a security researcher known as Hacker Fantastic just published a video purporting to show a way that you can get more than 10 guesses at a locked iPhone’s PIN – without opening up the device or trying a physical bypass of the security hardware.

According to a report compiled by ZDNet, the attack is straightforward because it requires nothing more than a laptop and a USB cable – plus a locked iPhone, of course.

Apple has been informed and the precise details of the trick don’t seem to be publicly known – which is good news – but as far as we can see, it all boils down to how you enter the sequence of PINs you want to try.

If you enter each PIN and wait to see if it worked, the HSM correctly keeps track of the number of times you’ve tried, and after 10 goes it’s “game over”.

But if you send all the PINs end-to-end in a giant batch without waiting between each one (we suspect there’s a bit more to it than that, but that’s all we’ve got for now), it seems that the HSM falls behind in tracking your mistakes because the device is tied up programmatically in processing the flood of incoming keystrokes.

Simply put, the trick appears to be that iOS spends so much time accepting the incoming flow of typed digits and trying the passwords one-by-one that you can plough through all 4-digit combinations (and perhaps even more combinations than that) before the lockout counter gets as far as 10 and triggers a device wipe.

Apparently, however, it would take hours just to try all 4-digit codes, so you’re looking at weeks to try all 6-digit codes, assuming your luck lasts that long, and then 10 times longer again for each extra digit you add to your passcode.

Update. Seems as though Hacker Fantastic has changed his mind, following some sceptical feedback from Apple. It looks as though his technique for blasting PIN after PIN at the iPhone (by sending a continuous stream of characters such as 0000000100020003...) doesn’t actually cause every PIN in the list to be tried. Therefore the count of wrong PINs maintained by the iPhone is indeed correct, and the chance of guessing correctly before the device gets wiped is not improved – your chance remains no better than choosing 10 PINs up front and typing them in one after the other. As Hacker Fantastic himself puts it, “the inputs [are] not actually being recognised on the device. Sorry to get your hopes up.” [2018-06-25T12:52Z]
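As an added illustration of the counter behaviour the update describes (constructed example code, not Apple’s Secure Enclave implementation and not anything from Hacker Fantastic’s video), here is a toy PIN gate that commits its failure count before each check and only rolls it back on success. It is fed the kind of concatenated digit stream mentioned above, split into fixed-length PINs, which is what an input layer that did recognise every PIN would see. The gate still stops at 10 wrong guesses, because no amount of queued input can get ahead of a counter that is updated before verification. The class name, the fixed salt, the PBKDF2 parameters and the per-try delay are all assumptions made for the demo.

```python
import hashlib
import hmac
import time
from typing import Tuple

MAX_FAILURES = 10  # the "10 strikes and you're out" budget described in the article


class WipedError(Exception):
    """Raised once the failure budget is spent; a real device would erase its keys here."""


class PinGate:
    """Toy lockout counter (constructed example, not Apple's Secure Enclave code).

    The failure counter is bumped *before* the candidate PIN is verified and only
    rolled back on success, so a flood of queued guesses can never get ahead of it.
    """

    def __init__(self, pin: str, per_try_delay: float = 0.0) -> None:
        self.pin_len = len(pin)
        self._salt = b"constructed-salt"       # assumption: fixed salt for the demo
        self._digest = self._hash(pin)         # keep only a slow hash, never the PIN itself
        self.per_try_delay = per_try_delay     # models the "few seconds per PIN" cost
        self.failures = 0
        self.wiped = False

    def _hash(self, pin: str) -> bytes:
        # Deliberately slow hash so every guess costs real work (parameters are assumptions).
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def try_pin(self, candidate: str) -> bool:
        if self.wiped:
            raise WipedError("device already wiped")
        self.failures += 1                     # committed before verification
        time.sleep(self.per_try_delay)
        if hmac.compare_digest(self._digest, self._hash(candidate)):
            self.failures = 0                  # success clears the budget
            return True
        if self.failures >= MAX_FAILURES:
            self.wiped = True                  # 10th wrong guess: wipe
            raise WipedError("too many wrong PINs")
        return False


def pin_stream(digits: int) -> str:
    """Every PIN of the given length concatenated: '0000000100020003...' for 4 digits."""
    return "".join(f"{i:0{digits}d}" for i in range(10 ** digits))


def feed_stream(gate: PinGate, stream: str) -> Tuple[int, bool]:
    """Split a digit stream into PIN-sized chunks and try each in turn.

    Returns (guesses attempted, unlocked?). Even when every chunk is recognised
    as a PIN, the counter stops the run after MAX_FAILURES wrong guesses.
    """
    n = gate.pin_len
    attempted = 0
    for start in range(0, len(stream) - n + 1, n):
        attempted += 1
        try:
            if gate.try_pin(stream[start:start + n]):
                return attempted, True
        except WipedError:
            return attempted, False
    return attempted, False


if __name__ == "__main__":
    attempted, unlocked = feed_stream(PinGate("0042"), pin_stream(4))
    print(f"guesses before wipe: {attempted}, unlocked: {unlocked}")  # 10, False
```

The design point is the ordering inside `try_pin`: the counter is incremented and (in a real enclave, persisted) before the comparison runs, so there is no window in which a guess has been evaluated but not yet counted. Reversing that order, or deferring the update to a background task, is exactly the kind of gap an input flood would need.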

What to do?

Moving to a 7-digit or an 8-digit code instead of six or four ought to protect you: if a 6-digit code can withstand weeks of this attack, then a 7-digit code would presumably stand up for months, and an 8-digit code for years, assuming the attack could be sustained for that long.

If you’ve already updated to iOS 11.4, your device ought to be safe even against default 6-digit PIN codes because the 11.4 version purportedly shuts off USB access if it hasn’t been unlocked for a week.

And when iOS 12 comes out, this USB auto-lockout feature will apparently go down to just one hour, at which point we imagine that anything longer than a 4-digit code would leave a crook with a close-to-zero chance of succeeding with this trick.