Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
IOS Iphone Security Apple

Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit (cnet.com) 96

A security researcher claimed he had figured out a way to bypass the passcode lock limit on an iPhone or iPad, ZDNet reported. But it turned out the passcodes he tested weren't always counted. From a report: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing," Apple said Saturday in an emailed statement. Since the 2014 release of iOS 8, all iPhones and iPads have come with device encryption protected by a four- or six-digit passcode. If the wrong passcode is entered too many times, the device gets wiped, explained ZDNet's Zack Whittaker. But Hacker House co-founder Matthew Hickey figured out a way "to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3," Whittaker wrote.
This discussion has been archived. No new comments can be posted.

Apple Refutes Hacker's Claim He Could Break iPhone Passcode Limit

Comments Filter:
  • by volodymyrbiryuk ( 4780959 ) on Monday June 25, 2018 @06:03AM (#56841242)

    The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing

    He was using/holding it wrong.

  • When entered your pin to unlock the SIm, if you enter more than 5 time it is supposed to sim lock you and ask for the PUK, but I could enter it as many time as I want and i was never locked. That was iphone 3 though.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      This cannot have anything to do with the phone. The PIN is verified and eventually blocked by the SIM card itself, the phone only submits the PIN to the card as provided and has no way to know if it is correct or not until the card responds. That is unless it caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card. That would be a crazy thing to do and certainly not a bug but a deliberate backdoor (not to mention that you could have changed the

      • by mysidia ( 191772 )

        caches a succesful PIN entry and then verifies subsequent PIN entries autonomously without submitting them to the card

        They might do this to improve login performance due to the SIM card having a slow response time ---
        cache the user's correct PIN and verify it locally before submitting to the card, but if a SIM card change is
        detected then expunge the cache.

        • And if the sim card is removed, PIN changed on another phone, and SIM card is reinserted, all while the phone is off? SIM change not detected.
          • by mysidia ( 191772 )

            If the SIM was plugged into another phone and then modified and saved with a new PIN, then the result of the
            SIM Status and READ commands which the phone can check prior to PIN authentication to retrieve the base files
            on the SIM filesystem will no longer be matching files, if the cached data includes their checksum and/or
            SIM status information, and the CCID and Update timestamps; they will reflect that some update has
            been written to the card, and the phone could be designed to expunge the cache in th

            • Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?
              • by mysidia ( 191772 )

                Somehow, it just doesn't seem that secure to hint at your contents prior to authentications. You sure that's how it works?

                The PIN is used only to gain authorization required to perform management operations on the card's secure applications or to perform cryptographic operations using the secure keypair from write-only key storage in order to prove the user's identity to the network.

                The SIM card's Status can be queried and the files and contents of the SIM filesystem, The names and Phone numbers of an

                • good information; so updating only the PIN leaves visible traces elsewhere on the card? still seems like bad design.
    • Did entering the correct PIN unlock the phone?

      'cause I'd be unsurprised if upon entering the correct PIN you got the same 'wrong PIN', authors of the phone just being lazy and implementing 'SIM doesn't work without PIN, ask for PIN regardless of lockout status'.

      • I had changed the pin and could not remember the order of the digits but could remember the digits, so I tried permutation of the numbers until it unlocked. I got it after 10 or so tried.
  • In 6 months to 2 years Apple will admit, quietly, that this was all completely true and will roll out a repair program to fix the problem.
    • by jon3k ( 691256 )
      It's fascinating to see how Slashdot has changed. Not that I agree with parents post (I don't) but a low 6 digit UID slamming Apple used to get a +5 Insightful or at least a +5 Funny.
      • RIght? It's not even like Apple hasn't demonstrated exactly the behavior I pointed out before either. BendGate, KeyboardGate, AntennaeGate, BatteryGate. All instances where Apple shouted to high heaven the perfection of their devices then slowly had to walk it back after mass customer disillusionment and evidence they couldn't avoid.
      • Yup. Slashdot has obviously been taken over and since people who actually understand technology don't use Apple solutions... lets just say it may be time to move on.
    • Oh, and when they do come up with a fix, it will require an Apple Certified PIN Repair Pro certificate that doesn't exist, and parts they haven't ordered into their supply chain.
  • urgk (Score:5, Interesting)

    by cascadingstylesheet ( 140919 ) on Monday June 25, 2018 @07:04AM (#56841400) Journal

    What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.

    If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).

    • by Anonymous Coward

      What an unclear story. At first read, it sounds like Apple is saying "well, it's just that some of them don't get counted, so neener neener", which is, er, exactly what the guy was alleging.

      If I understand the clarifications, what Apple meant was that some of them don't get used at all (to try to unlock the device).

      Well, It's actually that Apple said pretty much nothing but "nope" - that "don't get counted" comes from the retraction from the hacker.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      They can claim that, but watch the video he tweeted

      https://twitter.com/hackerfantastic/status/1010240042990596096

      It looks pretty clearly to my like the iphone responded with 11 failed attempts. 11 times in a row, you can see the 6 dots (representing the digits) fill up and then the phone buzzed indicating a failed attempt and the dots all cleared. On the 12th time, it unlocked.

      So are they claiming the phone just pretended to try some of them without actually trying them, thus the user could have actually en

      • In the article the hacker admits that in reviewing his hack it appears that not all the attempts were received and processed by the phone. He says out of the 20 attempts, the phone may have actually got 5 or 6. This is not Apple saying it. This is the hacker.
    • Re:urgk (Score:5, Informative)

      by Junta ( 36770 ) on Monday June 25, 2018 @07:52AM (#56841586)

      Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

      • Basically he was cramming in a lot of digits into a keyboard buffer, but the phone didn't even think about most of them. Meaning that even if he guessed the correct pin, it's most likely it wouldn't have worked because it would be discarded without checking.

        Yes. My point was, that wasn't super clear from how this was reported.

        While I'm nitpicking ... Apple didn't "refute [dictionary.com]" this either ... they denied it. "Refuting" would involve presenting some sort of proof, not just saying "you're wrong; check your work".

        (Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely.)

        • by Khyber ( 864651 )

          "Though I notice that Google has now added [google.com] a second meaning of simply "deny or contradict" ... lovely."

          Looking at a copy of my 1980s Random House dictionary from my old elementary school, the second definition of "refute" includes "To deny or contradict a statement or suggestion."

          Looks like both you and Google are well behind the times.

          • Looks like both you and Google are well behind the times.

            I sincerely hope so. Following the times on every stupid change is kind of ... stupid.

            "Refute" in its most common usage was very useful; it meant essentially "to publicly dispute something conclusively, with convincing evidence".

            Now people use it to mean simply "dispute", which is not nearly as useful.

      • Fucking Apple can't even handle a simple buffer overrun properly. If it were a Microsoft product it would have allowed remote arbitrary code execution with administrator privilege.
    • Re: urgk (Score:5, Informative)

      by UnknowingFool ( 672806 ) on Monday June 25, 2018 @08:58AM (#56841886)
      You mean it was an unclear summary. The story itself lays it out: the hacker said there is a way to send a stream of passcode attempts via cable to the iPhone which would override the 10 attempt limit. He later had to admit is that the method he used did not always send the attempt correctly to the phone and it was ignored thus not hitting the limit. He thought he sent 20 attempts when reality it was 5 or 6.
  • by Anonymous Coward

    This is like saying I can pull the trigger on a gun and never run out of bullets because the doing in the magazine isn't there...so while both are true the intended outcome isn't possible...a bullet leaving through the barrel. Here, the phone will never unlock since the unlocking mechanism is disabled.

  • by The New Guy 2.0 ( 3497907 ) on Monday June 25, 2018 @09:19AM (#56842004)

    I can type ten bad passwords into my iPhone and not have it wiped. It's an option in settings that when turned off causes the phone to freeze and not accept a new attempt for a progressively longer time.

    So there you have it, not all iPhones wipe after ten bad attempts.

  • This is a badly written article. Users don't just have a 4 or 6 digit pin as an option; I use a whole passphrase to unlock my iPhone (in the situation where touch ID isn't allowed - when touch-id failed too many times, it's been too long since it was unlocked, the device was powered off, or I did the five button press to disable it)

  • Does this mean that some jackass can wipe my phone by grabbing it and entering the wrong password 10 times? That would be a nasty prank.

    • Some jackass can also grab your phone and toss it in the toilet, or smash it. How is this different?

      If someone has physical access to your device, yes, they can destroy the data on it. In many different and exciting ways.

  • From the comments and stuff I'm reading, Apple needs to step up and fix their junk.

  • Maybe it is a non-story, then; the voice of a man crying out in the wilderne--wait, he's got cable.

Those who do things in a noble spirit of self-sacrifice are to be avoided at all costs. -- N. Alexander.

Working...