A security researcher recently discovered a flaw in Apple’s iOS that allows anyone with a Lightning cable the ability to bypass an iPhone or iPad’s passcode attempt limit, opening the door to brute force attacks.
GrayKey forensic tool. | Source: MalwareBytes
Apple introduced system-wide encryption with iOS 8 in 2014, a security measure that was later backed by a special hardware safeguard called the secure enclave processor. First deployed in iPhone 5s to perform cryptographic operations and store encrypted Touch ID biometric data, secure enclaves now appear in all modern iOS devices to protect against unwarranted intrusions, silo financial data associated with Apple Pay, conduct biometric matching and more.
Combined with the latest iOS software, the secure enclave is able to shut down brute force attacks by delaying multiple incorrect passcode attempts. Specifically, the operating system pauses input after four consecutive attempts, the first starting at one minute and running to one hour for the ninth error. Users can further protect onboard data by enabling a feature that performs a system wipe after ten consecutive failed attempts.
Hickey, however, says the security protocol can be bypassed by sending passcode entries en masse over Lightning. Transmitting a string of passcodes via keyboard input triggers an interrupt request that takes precedent over all other device operations, including the data erase feature.
“Instead of sending passcodes one at a time and waiting, send them all in one go,” Hickey said. “If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.
The attack is slow going, with a tethered device taking about three to five seconds to ingest each code, but it has been proven to work on both four- and six-digit passcodes. A six-digit code, however, could take weeks to crack.
Hickey’s method might be rendered obsolete when iOS 12 debuts. The upcoming iOS version includes a “USB Restricted Mode” that effectively disables hardwired USB data connections after a predetermined time period. A catchall response to USB attack vectors employed by hackers and digital forensics firms, the feature requires users enter a passcode when attempting to transfer data to or from a USB accessory connected to an iPhone that has not been unlocked within the last hour.
The new security feature also frustrates efforts from digital forensics firms like GrayShift, which markets a relatively inexpensive iPhone unlocking solution called GrayKey to law enforcement agencies. Reports suggest GrayShift has already defeated the feature, though how it has managed to do so is unclear.
Apple earlier this month confirmed USB Restricted Mode will disrupt unwarranted iPhone access attempts by hackers and governments that do not afford their citizens the same protections as U.S. laws.