It's not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device's data altogether. That's why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter's iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device's security measures, even if it's running the latest version of Apple's mobile platform. Apparently, a hacker will only need "a turned on, locked phone and a Lightning cable."
Update: An Apple spokesperson has reached out and told us its devices have no vulnerability: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."
Hickey said that when an iPhone is plugged in and a hacker sends it passcode guesses using keyboard input (as opposed to typing on the screen), the action triggers an interrupt request that takes precedence over everything else. That means the iPhone would be too busy to erase the device if the attacker sends it one passcode guess after another. As a result, they can guess as many times as they want instead of being limited to 10 guesses.
Hickey said he already reported the vulnerability to Apple, noting that the bug isn't difficult to identify and that there are probably other people who'd already found it before he did. Companies like Cellebrite, which unlocked the San Bernardino shooter's phone for the feds, and GrayKey's maker might even be using a similar brute force technique and taking advantage of the same bug to break into iPhones.
Cupertino might also be already aware of the vulnerability, which is why iOS 12 will feature a Restricted mode that will cut off an iPhone's ability to connect to a USB accessory plugged into it after an hour. Since it takes much more than an hour to send a device every passcode combination possible, the new feature could prevent hackers and cracking devices from force unlocking iPhones.
Check out Hickey's method in action below:
Update: Here's a follow-up tweet from the researcher.
It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018