Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com) 96
A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.
He was holding it wrong (Score:4, Funny)
The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing
He was using/holding it wrong.
Re: (Score:2)
So what you're saying is that Android has the same problem.
Re: (Score:2)
Re: (Score:2, Informative)
So I can wipe someone's phone without their consent? Is this a feature or a bug?
Well, yes. Of course after 5 attempts you have to wait an increasing time before another attempt - so all you have to do is type in 10 wrong passcodes spread unevenly over 3 hours.
Re:Wipe phone?? (Score:4, Funny)
Hey, no trying to use reasonable facts to get us off our irrational hate Apple Rant. We need to feel good about our Android Phones, sure Android has its own problems, but gosh darn it! Apple is evil ... EVIL!
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
>So I can wipe someone's phone without their consent? Is this a feature or a bug?
A feature, obviously. That's what lets you repair a hopelessly borked device.
Physical access to the device voids virtually all security on any electronic device - the best you can hope for is to keep the new owner from accessing existing data on the device (which Apple does fairly well). Guess what - anyone with physical access to your laptop, desktop, flash drive, phone, tablet, etc. can do the exact same thing, and do so
I had a similar problem (Score:1)
Re: (Score:2, Informative)
This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the
Re: (Score:2)
caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card
They might do this to improve login performance due to the SIM card having a slow response time ---
cache the user's correct PIN and verify it locally before submitting to the card, but if a SIM card change is
detected then expunge the cache.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If the SIM was plugged into another phone and then modified and saved with a new PIN, then the result of the
SIM Status and READ commands which the phone can check prior to PIN authentication to retrieve the base files
on the SIM filesystem will no longer be matching files, if the cached data includes their checksum and/or
SIM status information, and the CCID and Update timestamps; they will reflect that some update has
been written to the card, and the phone could be designed to expunge the cache in th
Re: (Score:2)
Re: (Score:2)
Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?
The PIN is used only to gain authorization required to perform management operations on the card's secure applications or to perform cryptographic operations using the secure keypair from write-only key storage in order to prove the user's identity to the network.
The SIM card's Status can be queried and the files and contents of the SIM filesystem, The names and Phone numbers of an
Re: (Score:2)
Re: (Score:2)
Did entering the correct PIN unlock the phone?
'cause I'd be unsurprised if upon entering the correct PIN you got the same 'wrong PIN', authors of the phone just being lazy and implementing 'SIM doesn't work without PIN, ask for PIN regardless of lockout status'.
yes it did (Score:2)
6 months - 2 years.. (Score:1, Troll)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I don't remmeber Apple "shouting to the high heavens" about "KeyboardGate" (I assume the current keyboard problem?) or "BatteryGate" (not sure what this is? The performance throttling to stop the phone from shutting off?). AntennaGate I'm assuming is the "you're holding it wrong" and I'm with you on that one, my recollection of that was a huge PR mess for Apple with lots of blaming the
Re: (Score:2)
Re: (Score:2)
The company found that the iPhone 6 is 3.3 times more likely to bend than the iPhone 5s, and the iPhone 6 Plus is 7.2 times more likely to bend than the iPhone 5s, according to the documents.
But being more likely to bend isn't necessarily a problem. The Macbook Air is more likely to bend than a Macbook Pro, but that doesn't make it a failure or poor engineering. Materials and engineering choices are made all the time. Every company chooses a particular level their device will bend or break at. In the iPhone 6 they choose to make a larger device, thinner, and were wlling to accept that it was more likely to break, assuming it is still within reasonable tolerances. Which is what Consumer Rep
Re: (Score:2)
Re: (Score:2)
Since o
Re: (Score:2)
Re: (Score:2)
urgk (Score:5, Interesting)
What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.
If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).
Re: (Score:1)
What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.
If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).
Well, It's actually that Apple said pretty much nothing but "nope" - that "don't get counted" comes from the retraction from the hacker.
Re: (Score:2, Informative)
They can claim that, but watch the video he tweeted
https://twitter.com/hackerfantastic/status/1010240042990596096
It looks pretty clearly to my like the iphone responded with 11 failed attempts. 11 times in a row, you can see the 6 dots (representing the digits) fill up and then the phone buzzed indicating a failed attempt and the dots all cleared. On the 12th time, it unlocked.
So are they claiming the phone just pretended to try some of them without actually trying them, thus the user could have actually en
Re: urgk (Score:2)
Re:urgk (Score:5, Informative)
Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.
Re: (Score:2)
Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.
Yes. My point was, that wasn't super clear from how this was reported.
While I'm nitpicking ... Apple didn't "refute [dictionary.com]" this either ... they denied it. "Refuting" would involve presenting some sort of proof, not just saying "you're wrong; check your work".
(Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely.)
Re: (Score:2)
"Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely."
Looking at a copy of my 1980s Random House dictionary from my old elementary school, the second definition of "refute" includes "To deny or contradict a statement or suggestion."
Looks like both you and Google are well behind the times.
Re: (Score:2)
Looks like both you and Google are well behind the times.
I sincerely hope so. Following the times on every stupid change is kind of ... stupid.
"Refute" in its most common usage was very useful; it meant essentially "to publicly dispute something conclusively, with convincing evidence".
Now people use it to mean simply "dispute", which is not nearly as useful.
Re: (Score:3)
Re: (Score:2)
I think it's not that it's "supposed" drop anything, it's just that he was injecting the data faster than any human could, and it *looking* like it was being accepted, but in reality it just fell on the floor.
There may be some incorrect technical behavior or just an expected limitation of the input, but either way it doesn't matter for normal use because it's way faster than a human would ever input data.
Re: urgk (Score:5, Informative)
but they don't count, so no unlock (Score:1)
This is like saying I can pull the trigger on a gun and never run out of bullets because the doing in the magazine isn't there...so while both are true the intended outcome isn't possible...a bullet leaving through the barrel. Here, the phone will never unlock since the unlocking mechanism is disabled.
Re: pocket/butt erasing (Score:1)
It isnâ(TM)t enabled by default. So apparently you didnâ(TM)t.
Option in settings... (Score:5, Informative)
I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.
So there you have it, not all iPhones wipe after ten bad attempts.
Re: (Score:2)
Cool story. Not even remotely related to what is being done here, but cool none the less.
Not just 4-6 digits; Passphrase if you want (Score:1)
This is a badly written article. Users don't just have a 4 or 6 digit pin as an option; I use a whole passphrase to unlock my iPhone (in the situation where touch ID isn't allowed - when touch-id failed too many times, it's been too long since it was unlocked, the device was powered off, or I did the five button press to disable it)
Can someone wipe my phone? (Score:2)
Does this mean that some jackass can wipe my phone by grabbing it and entering the wrong password 10 times? That would be a nasty prank.
Re: (Score:2)
It is assumed that people who care enough about the data
... probably back it up someplace. And that backup should be accessible without the phone being connected (think broken phone, etc.) So you recover your phone, smack your jackass friend a couple of times, connect to the backup and pull your data back.
Re: (Score:2)
Some jackass can also grab your phone and toss it in the toilet, or smash it. How is this different?
If someone has physical access to your device, yes, they can destroy the data on it. In many different and exciting ways.
Apple better fix it (Score:2)
From the comments and stuff I'm reading, Apple needs to step up and fix their junk.
A non-story (Score:2)
Maybe it is a non-story, then; the voice of a man crying out in the wilderne--wait, he's got cable.