
The attack lets an attacker make any number of passcode attempts on a locked Apple device without the risk of triggering the protective mechanism that erases all data.
Since iOS 8 was released in 2014, all iPhones and iPads have used encryption. Protected by a 4- or 6-digit passcode, these devices are practically invulnerable to hacking thanks to a combination of software and hardware security. If the limit on passcode attempts is exceeded, all data on the device is erased.
But Matthew Hickey, a security researcher and co-founder of Hacker House, found a way to get around the limit of 10 attempts and enter as many passcodes as he wants, even on iOS 11.3.
The attacker needs only the locked smartphone and the Lightning cable that ships with it.
Under normal conditions, the number of passcode attempts per minute on iPhones and iPads is limited. The latest Apple devices contain a separate chip that protects against brute-force attacks: it counts how many passcode attempts have been made and slows its response after each new error.
Hickey managed to circumvent this defense. He explained that when an iPhone or iPad is connected and the attacker sends keystrokes, this triggers an interrupt that has the highest priority on the device.
Instead of sending passcodes one at a time and waiting for a response, they are all sent at once. If the brute-force run is launched as one long line, it is processed entirely as a single passcode entry, thus avoiding detection of the guessing and the deletion of data.
The attacker can send all the passcodes at once, listed on one line without spaces. Because this gives the software no pause, keyboard input processing keeps its higher priority and prevents the process that counts entry attempts and erases the device's data from starting. This means the attack is possible only after the device has booted, Hickey says, since more programs are running then.
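To make the described protection concrete, here is an added illustrative model of an attempt counter with an escalating delay and a wipe after the tenth failure. It is not Apple's code, not Hickey's code, and talks to no device; the delay schedule, the `PasscodeLimiter` class and the sample passcode `4821` are constructed assumptions. The point it shows is the defender's requirement: a burst of digits delivered as one string must still be split into fixed-length entries and counted one at a time, so delivery in a single line gives no advantage.

```python
"""Model of a passcode-attempt limiter (added example, not Apple's code)."""
import hashlib
import hmac

MAX_FAILURES = 10  # matches the 10-attempt limit the article cites

# Delay (seconds) imposed before the next entry is accepted, keyed by the
# number of consecutive failures so far. The schedule is a constructed
# assumption; it only illustrates "slows its response after each error".
DELAY_SCHEDULE = {1: 0, 2: 0, 3: 0, 4: 0, 5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


class PasscodeLimiter:
    """Counts failed entries, escalates delay, wipes after MAX_FAILURES."""

    def __init__(self, passcode: str):
        # Only a digest is kept; a real device keeps the secret in hardware.
        self._digest = hashlib.sha256(passcode.encode()).digest()
        self.length = len(passcode)
        self.failures = 0
        self.wiped = False

    def _matches(self, candidate: str) -> bool:
        # Constant-time comparison of digests.
        digest = hashlib.sha256(candidate.encode()).digest()
        return hmac.compare_digest(digest, self._digest)

    def try_passcode(self, candidate: str) -> dict:
        """Evaluate exactly one entry and update the counter."""
        if self.wiped:
            return {"result": "wiped", "delay": None}
        if self._matches(candidate):
            self.failures = 0  # success resets the counter
            return {"result": "unlocked", "delay": 0}
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wiped = True  # protective erase after the 10th failure
            return {"result": "wiped", "delay": None}
        return {"result": "failed", "delay": DELAY_SCHEDULE[self.failures]}

    def feed_keystrokes(self, keystrokes: str) -> list:
        """Split a concatenated digit string into fixed-length entries and
        count each one, stopping at unlock or wipe. An incomplete trailing
        chunk is not an attempt."""
        results = []
        for i in range(0, len(keystrokes), self.length):
            chunk = keystrokes[i:i + self.length]
            if len(chunk) < self.length:
                break
            outcome = self.try_passcode(chunk)
            results.append(outcome)
            if outcome["result"] in ("unlocked", "wiped"):
                break
        return results


def demo() -> list:
    """Feed twelve wrong four-digit codes as one burst (constructed input)."""
    limiter = PasscodeLimiter("4821")
    burst = "".join(f"{i:04d}" for i in range(12))  # "000000010002...0011"
    return limiter.feed_keystrokes(burst)


if __name__ == "__main__":
    for n, outcome in enumerate(demo(), start=1):
        print(n, outcome)
```

Run as a script, the burst of twelve codes produces nine `failed` results (with the delay rising from the fifth failure onward) and a `wiped` result on the tenth; the remaining two codes are never evaluated. The behaviour the article attributes to Hickey's finding would correspond to `feed_keystrokes` treating the whole burst as a single `try_passcode` call, which is exactly what this model refuses to do.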
The upcoming iOS 12 update introduces USB Restricted Mode, which makes it impossible to use the port for anything other than charging if more than an hour has passed since the device was last unlocked. This will limit exploitation of the vulnerability: during a brute-force attack each passcode takes 3-5 seconds to check, so in an hour only a four-digit passcode could be found, not a six-digit one.
Hickey sent Apple a letter describing the vulnerability but has not yet received a response.
Finding this bug was easy. I think others will cope, or have already done so.
UPD 23.06.2018: Matthew wrote on his Twitter feed that Apple has launched an investigation based on the information he provided, during which they may explain this behaviour of the smartphone and also point out existing protections against the demonstrated attack that he did not notice.
UPD 24.06.2018: Apple spokeswoman Michelle Wyman said the recent report on how to bypass the protection on the iPhone is mistaken and the result of incorrect testing.
Hickey later wrote on his Twitter account that, apparently, not all passcodes were transferred to the device:
Passcodes do not in all cases reach the security module. That is, although it looked as if they had been entered, in fact the device did not check them for correctness, and they did not increase the counter of entry attempts.
Hickey thanks Stefan Esser for his help.
I am going back to re-check the code and the testing process. When I sent the passcodes to the smartphone, it seemed that 20 or more of them were entered, but in fact only 4-5 passcodes were sent to the device for checking.