iOS Hack Lets Attackers Brute Force iPhone, iPad Passcodes
A vulnerability in Apple's iOS lets anyone with a Lightning cable bypass the passcode entry restriction designed to protect the company's devices.
Any hacker equipped with the right knowledge and a Lightning cable can bypass iOS's passcode entry restriction and break into an iPhone or iPad, researcher Matthew Hickey has discovered.
Hickey, co-founder of Hacker House, found a means of bypassing systemwide encryption and secure enclaves that Apple introduced to block brute-force attacks. Secure enclaves, a hardware security measure built for cryptographic processes and biometric data protection, work with the newest iOS software to delay incorrect passcode attempts. The more times someone enters an incorrect passcode, the longer the iOS blocks future attempts to enter the device.
In a report on ZDNet, Hickey explains how an attacker can bypass this security restriction by connecting the device to a Lightning cable and entering one long string of passcodes via keyboard input. He later reported this works because not all tested passcodes are sent to the secure enclave. Even when 20 or more passcodes are entered, only four or five might be sent to the enclave for testing.
This type of attack may not be usable in iOS 12 when Apple rolls out USB Restricted Mode, a new security measure designed to prevent break-ins by turning the Lightning cable into a charge-only port if the device hasn't recently been unlocked. The update is a source of frustration for digital forensics firms like Grayshift, which claims to have defeated it.
Read more details here.
Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024