Correction: The original testing and report about the iPhone vulnerability was made in error. The security researcher amended his findings a day after the original report. An Apple spokesperson told CyberScoop: “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”
The researcher’s comment explaining the error is below followed by our corrected story.
It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
While Apple strives to make iPhones harder and harder to breach, a security researcher published a brute-force vulnerability for iOS devices that he said cracked the security measures built into the system. However, Apple denied the researcher’s findings and the researcher acknowledged an error.
Researcher Matthew Hickey, co-founder of the cybersecurity firm Hacker House, published what at first appeared to be an exploit on Friday, allowing brute forcing of iOS device passcodes. The exploit bypassed the security that is intended to wipe a device clean if the passcode entry is wrong more than ten times in a row.
By Saturday, after a slew of security experts inside and outside of Apple got involved, Hickey corrected the record. His full explanation of the error is below:
“It’s basically a feature of the devices,” he explained. “If you send pin codes too quickly or send lots of duplicate entries, the devices don’t actually test the pin codes – they appear to on the user interface but under the hood it never uses the pin. So it appears you send 20 or more pins to a device for instance, but in reality, it has only processed 3 or 4 of those pins.”
“I still believe that the advice should be to all consumers to use a seven-digit or more pin code or complex password, as there is still unknown attacks from GrayKey which function in a similar manner. I was able to double check my work after speaking with Stefan Esser and Apple, it seems even though I was sending lots of PINs to the device, it only ever processed a small number of them due to this feature. It’s intended to stop people pocket dialing and wiping their phones.”
The issue comes at a time when the debate over law enforcement unlocking iPhones is once again at a fever pitch. As a result of iOS 12’s new security, companies like Cellebrite and Grayshift are working to make sure their core business — cracking open phones for law enforcement — stays intact.