Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit

A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.

He was holding it wrong

[volodymyrbiryuk]

The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing

He was using/holding it wrong.

Re:

[radarskiy]

So what you're saying is that Android has the same problem.

Re:

[BronsCon]

I mean, version 1.0 didn't;, then again neither did iOS. Both do now, though.

Re:

[Anonymous Coward]

So I can wipe someone's phone without their consent? Is this a feature or a bug?

Well, yes. Of course after 5 attempts you have to wait an increasing time before another attempt - so all you have to do is type in 10 wrong passcodes spread unevenly over 3 hours.

Re:Wipe phone??

[jellomizer]

Hey, no trying to use reasonable facts to get us off our irrational hate Apple Rant. We need to feel good about our Android Phones, sure Android has its own problems, but gosh darn it! Apple is evil ... EVIL!

Re:

[Paul Ryan]

Rotten to the core you might say.

Re:

[BronsCon]

So you've never taken your eyes off your phone for more than 3 hours at a time? Say, while sleeping?

Re:

[F.Ultra]

I would assume that the people who enable it (yes you have to enable it) have made a decision that the risk of having the phone accidentally wiped is less than the risk of the information on it getting leaked. There is also this odd thing called backups that you can do which will severely lessen the problem of a deliberate wipe.

Re:

[BronsCon]

Now there's a reasonable argument. You see, the one I replied to was not.

Re:

[BronsCon]

I did? Where?

Re:

[Immerman]

>So I can wipe someone's phone without their consent? Is this a feature or a bug?
A feature, obviously. That's what lets you repair a hopelessly borked device.

Physical access to the device voids virtually all security on any electronic device - the best you can hope for is to keep the new owner from accessing existing data on the device (which Apple does fairly well). Guess what - anyone with physical access to your laptop, desktop, flash drive, phone, tablet, etc. can do the exact same thing, and do so

I had a similar problem

[aepervius]

When entered your pin to unlock the SIm, if you enter more than 5 time it is supposed to sim lock you and ask for the PUK, but I could enter it as many time as I want and i was never locked. That was iphone 3 though.

Re:

[Anonymous Coward]

This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the

Re:

[mysidia]

caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card

They might do this to improve login performance due to the SIM card having a slow response time ---
cache the user's correct PIN and verify it locally before submitting to the card, but if a SIM card change is
detected then expunge the cache.

Re:

[BronsCon]

And if the sim card is removed, PIN changed on another phone, and SIM card is reinserted, all while the phone is off? SIM change not detected.

Re:

[BronsCon]

Phone requires a reboot if the SIM is removed and reinserted, before it will read the SIM; if we were talking about cache in RAM, this conversation wouldn't be happening.

Re:

[mysidia]

If the SIM was plugged into another phone and then modified and saved with a new PIN, then the result of the
SIM Status and READ commands which the phone can check prior to PIN authentication to retrieve the base files
on the SIM filesystem will no longer be matching files, if the cached data includes their checksum and/or
SIM status information, and the CCID and Update timestamps; they will reflect that some update has
been written to the card, and the phone could be designed to expunge the cache in th

Re:

[BronsCon]

Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?

Re:

[mysidia]

Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?

The PIN is used only to gain authorization required to perform management operations on the card's secure applications or to perform cryptographic operations using the secure keypair from write-only key storage in order to prove the user's identity to the network.

The SIM card's Status can be queried and the files and contents of the SIM filesystem, The names and Phone numbers of an

Re:

[BronsCon]

good information; so updating only the PIN leaves visible traces elsewhere on the card? still seems like bad design.

Re:

[SharpFang]

Did entering the correct PIN unlock the phone?

'cause I'd be unsurprised if upon entering the correct PIN you got the same 'wrong PIN', authors of the phone just being lazy and implementing 'SIM doesn't work without PIN, ask for PIN regardless of lockout status'.

yes it did

[aepervius]

I had changed the pin and could not remember the order of the digits but could remember the digits, so I tried permutation of the numbers until it unlocked. I got it after 10 or so tried.

6 months - 2 years..

[Daemonik]

In 6 months to 2 years Apple will admit, quietly, that this was all completely true and will roll out a repair program to fix the problem.

Re:

[jon3k]

It's fascinating to see how Slashdot has changed. Not that I agree with parents post (I don't) but a low 6 digit UID slamming Apple used to get a +5 Insightful or at least a +5 Funny.

Re:

[Daemonik]

RIght? It's not even like Apple hasn't demonstrated exactly the behavior I pointed out before either. BendGate, KeyboardGate, AntennaeGate, BatteryGate. All instances where Apple shouted to high heaven the perfection of their devices then slowly had to walk it back after mass customer disillusionment and evidence they couldn't avoid.

Re:

[jon3k]

Didn't we already put "BendGate" [consumerreports.org] to bed? The iPhone 6 Plus wasn't even the least likely to bend of the tested phones.

I don't remmeber Apple "shouting to the high heavens" about "KeyboardGate" (I assume the current keyboard problem?) or "BatteryGate" (not sure what this is? The performance throttling to stop the phone from shutting off?). AntennaGate I'm assuming is the "you're holding it wrong" and I'm with you on that one, my recollection of that was a huge PR mess for Apple with lots of blaming the

Re:

[BronsCon]

We did, until Apple documents came to light showing that they knew the phones bent too easily. [vice.com]

Re:

[jon3k]

The company found that the iPhone 6 is 3.3 times more likely to bend than the iPhone 5s, and the iPhone 6 Plus is 7.2 times more likely to bend than the iPhone 5s, according to the documents.

But being more likely to bend isn't necessarily a problem. The Macbook Air is more likely to bend than a Macbook Pro, but that doesn't make it a failure or poor engineering. Materials and engineering choices are made all the time. Every company chooses a particular level their device will bend or break at. In the iPhone 6 they choose to make a larger device, thinner, and were wlling to accept that it was more likely to break, assuming it is still within reasonable tolerances. Which is what Consumer Rep

Re:

[BronsCon]

What Consumer Reports found is that it wasn't more likely to bend than other premium phones when pressure was applied in the specific way Consumer Reports tested the device. Where the two disagree (and they do), you can be fairly certain that Apple's testing was more thorough and correct than CR's, and should tend to favor that. I can pick out flaws in CR's testing, but I'll give you a big one right out of the gate: their results are the opposite of Apple's, with the 6 being more likely to bend than the 6 P

Re:

[BronsCon]

Having been hit by KeyboardGate, I implore you to apply that theory to me. Even if we say I'm 29, the upper end of your assertion for that to be true I would have to have been 12 when I joined Slashdot after lurking for 4 years, starting at age 8. If you go back to my early posts (I'm not sure it's even possible to go back that far, I can only seem to go as far back as the end of 2008 for post history; my UID dates my account, though), you'll note that they were likely not written by a 12 year old.

Since o

Re:

[shaitand]

Yup. Slashdot has obviously been taken over and since people who actually understand technology don't use Apple solutions... lets just say it may be time to move on.

Re:

[Daemonik]

Oh, and when they do come up with a fix, it will require an Apple Certified PIN Repair Pro certificate that doesn't exist, and parts they haven't ordered into their supply chain.

urgk

[cascadingstylesheet]

What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.

If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).

Re:

[Anonymous Coward]

What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.

If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).

Well, It's actually that Apple said pretty much nothing but "nope" - that "don't get counted" comes from the retraction from the hacker.

Re:

[Anonymous Coward]

They can claim that, but watch the video he tweeted

https://twitter.com/hackerfantastic/status/1010240042990596096

It looks pretty clearly to my like the iphone responded with 11 failed attempts. 11 times in a row, you can see the 6 dots (representing the digits) fill up and then the phone buzzed indicating a failed attempt and the dots all cleared. On the 12th time, it unlocked.

So are they claiming the phone just pretended to try some of them without actually trying them, thus the user could have actually en

Re: urgk

[UnknowingFool]

In the article the hacker admits that in reviewing his hack it appears that not all the attempts were received and processed by the phone. He says out of the 20 attempts, the phone may have actually got 5 or 6. This is not Apple saying it. This is the hacker.

Re:urgk

[Junta]

Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

Re:

[cascadingstylesheet]

Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

Yes. My point was, that wasn't super clear from how this was reported.

While I'm nitpicking ... Apple didn't "refute [dictionary.com]" this either ... they denied it. "Refuting" would involve presenting some sort of proof, not just saying "you're wrong; check your work".

(Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely.)

Re:

[Khyber]

"Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely."

Looking at a copy of my 1980s Random House dictionary from my old elementary school, the second definition of "refute" includes "To deny or contradict a statement or suggestion."

Looks like both you and Google are well behind the times.

Re:

[cascadingstylesheet]

Looks like both you and Google are well behind the times.

I sincerely hope so. Following the times on every stupid change is kind of ... stupid.

"Refute" in its most common usage was very useful; it meant essentially "to publicly dispute something conclusively, with convincing evidence".

Now people use it to mean simply "dispute", which is not nearly as useful.

Re:

[NoNonAlphaCharsHere]

Fucking Apple can't even handle a simple buffer overrun properly. If it were a Microsoft product it would have allowed remote arbitrary code execution with administrator privilege.

Re:

[Junta]

I think it's not that it's "supposed" drop anything, it's just that he was injecting the data faster than any human could, and it *looking* like it was being accepted, but in reality it just fell on the floor.

There may be some incorrect technical behavior or just an expected limitation of the input, but either way it doesn't matter for normal use because it's way faster than a human would ever input data.

Re: urgk

[UnknowingFool]

You mean it was an unclear summary. The story itself lays it out: the hacker said there is a way to send a stream of passcode attempts via cable to the iPhone which would override the 10 attempt limit. He later had to admit is that the method he used did not always send the attempt correctly to the phone and it was ignored thus not hitting the limit. He thought he sent 20 attempts when reality it was 5 or 6.

but they don't count, so no unlock

[Anonymous Coward]

This is like saying I can pull the trigger on a gun and never run out of bullets because the doing in the magazine isn't there...so while both are true the intended outcome isn't possible...a bullet leaving through the barrel. Here, the phone will never unlock since the unlocking mechanism is disabled.

Re: pocket/butt erasing

[Anonymous Coward]

It isnâ(TM)t enabled by default. So apparently you didnâ(TM)t.

Option in settings...

[The New Guy 2.0]

I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.

So there you have it, not all iPhones wipe after ten bad attempts.

Re:

[thegarbz]

Cool story. Not even remotely related to what is being done here, but cool none the less.

Not just 4-6 digits; Passphrase if you want

[Anonymous Coward]

This is a badly written article. Users don't just have a 4 or 6 digit pin as an option; I use a whole passphrase to unlock my iPhone (in the situation where touch ID isn't allowed - when touch-id failed too many times, it's been too long since it was unlocked, the device was powered off, or I did the five button press to disable it)

Can someone wipe my phone?

[Filter]

Does this mean that some jackass can wipe my phone by grabbing it and entering the wrong password 10 times? That would be a nasty prank.

Re:

[PPH]

It is assumed that people who care enough about the data

... probably back it up someplace. And that backup should be accessible without the phone being connected (think broken phone, etc.) So you recover your phone, smack your jackass friend a couple of times, connect to the backup and pull your data back.

Re:

[apoc.famine]

Some jackass can also grab your phone and toss it in the toilet, or smash it. How is this different?

If someone has physical access to your device, yes, they can destroy the data on it. In many different and exciting ways.

Apple better fix it

[omfglearntoplay]

From the comments and stuff I'm reading, Apple needs to step up and fix their junk.

A non-story

[Provocateur]

Maybe it is a non-story, then; the voice of a man crying out in the wilderne--wait, he's got cable.