Apple has always been a bit of a fanatic when it comes to the security its devices provide. This has cost the company by attracting more attention from hackers and security experts than most other companies receive. Chief among these devices is the iPhone, because it is the most prevalent Apple product on the market.
Apple has been in a fix recently, after a security researcher claimed to have found a method to guess iPhone passcodes by brute force despite the hard limits of iOS. But it seems this has been debunked by the company itself. At the root of the situation is Apple's Secure Enclave feature, which unlocks an iPhone when it receives a valid passcode or biometric input.
This feature limits the number of times an incorrect passcode can be entered and imposes a time delay after successive incorrect inputs. It also gives the user an option to wipe the data on the phone after 10 incorrect attempts.
Matthew Hickey, co-founder of security firm Hacker House, recently claimed that he had devised a way to bypass this limitation by passing the data to the device over a Lightning cable. He claimed that the method involves sending all the possible combinations of passcodes to the device at once, which then forces the Secure Enclave to treat them as an infinite number of tries.
Apple iOS <= 12 Erase Data bypass, tested heavily with iOS 11, brute force 4/6-digit PINs without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl – demo of the exploit in action.
— Hacker Fantastic (@hackerfantastic) June 22, 2018
When queried by AppleInsider about the hack, Apple replied that the report is based on erroneous testing, which makes it ineffective. The company seems to have reached out to Hickey as well, who retracted his claim and said that all 12 PINs seemed to have been used while in reality only a few were.
It seems @i0n1c may be right, the pins don't always go to the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register fewer counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
With the upcoming iOS 12, Apple intends to clamp down even further on attempts to hack its devices. The infamous GrayKey, a device designed to crack iPhone passcodes for security agencies, will be useless after this update. Apple is introducing a new feature called USB Restricted Mode that will disable any data transfer from the device over a cable an hour after the last passcode entry.