News surfaced over the weekend that you can bypass the iPhone’s passcode attempt limit by connecting the device to a computer and sending the passcodes from there instead of the device’s on-screen keyboard. Apple says you can’t, and odds are they’re right.
Hacker House co-founder Matthew Hickey posted to Twitter last Friday saying you can try to guess a passcode as many times as you like and even made a video showing the flaw in action.
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN’s without limits (complex passwords YMMV) https://t.co/1wBZOEsBJl – demo of the exploit in action.
— Hacker Fantastic (@hackerfantastic) June 22, 2018
The video looks pretty damning, but Apple told Engadget that using a computer’s keyboard to send passcodes won’t bypass the built-in security measures. An Apple spokesperson said, “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”
Turns out Hickey’s conclusion was based on faulty data. He said in a follow-up tweet that the iPhone didn’t register all of the passcode input attempts.
It seems @i0n1c may be right, the pins don’t always go to the SEP in some instances (due to pocket dialing / overly fast inputs) so although it “looks” like pins are being tested they aren’t always sent and so they don’t count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
In other words, he thought he was entering more passcode attempts than he really was. That means iOS’s feature that locks and wipes an iPhone’s data after 10 failed login attempts is still safe, at least for now.