A security researcher claimed that he was able to discover an iOS vulnerability that allowed a brute force hack to bypass an iPhone's passcode, prompting Apple to respond to the report.
The iPhone has long been viewed as a more secure device compared to its Android-powered counterparts. Will that no longer hold true due to the alleged iOS flaw?
Brute Force iPhone Passcode Hack
One of the most prominent iPhone security features is the ability to set a limited number of passcode entry attempts to unlock the device. If the owner enables the feature, after 10 wrong attempts at guessing the iPhone passcode, all the data on the device will be erased as a safety precaution.
Security researcher Matthew Hickey, the cofounder of cybersecurity firm Hacker House, claimed that he found an iOS vulnerability that will allow hackers to guess an iPhone's passcode through brute force, which is basically trying all the possible four-digit or six-digit combinations.
Wouldn't a brute force attack erase the iPhone's data after the 10th wrong attempt? Not so, according to Hickey, if all the passcodes are sent in one go through keyboard inputs. All that is needed is for the iPhone to be plugged in with a Lightning cable.
"If you send your brute-force attack in one long string of inputs, it'll process all of them, and bypass the erase data feature," Hickey said. This is because each keyboard input triggers an interrupt request, preventing the iPhone from erasing its information as the passcode guesses are sent in one after another.
Apple Dismisses iPhone Brute Force Hack
Apple, however, dismissed the results of Hickey's research, stating that the alleged vulnerability was nothing more than "a result of incorrect testing."
Apple did not elaborate on its statement. Meanwhile, Hickey himself later admitted that there was something wrong with his research.
Hickey said that while it appeared that the passcode attempts were registering, they were not being recognized by the iPhone. As such, they were not being considered actual attempts, so they were not counting toward the limit of 10 guesses and would not unlock an iPhone through brute force.
Going back to his research, Hickey found that while it appeared that 20 or more passcodes were being entered in his brute force attempts, the iPhone was only recognizing four or five passcodes.
Is the iPhone secure? Hickey's discovery of a supposed iOS vulnerability turned out to be false, so the smartphone apparently retains its image of security for now.