A new attack discovered by a jailbreak developer can bypass passcode on iOS 12 and below. Here’s all you need to know about it.
What is the “Erase Data” bypass attack?
Matthew Hickey aka Hacker Fantastic, co-founder of Hacker House, has just made public a new passcode bypass method.
The attack relies on the “Erase Data” feature, which is accessible from the “Touch ID & Passcode” section in the Settings app. The “Erase Data” option, once enabled, erases all data on an iPhone after 10 failed passcode attempts.
The hacker posted a video demonstrating the attack on Vimeo.
This bypass can allow hackers to brute force 4-digit and 6-digit PINs without limits. However, the process still requires a lot of time to succeed.
Matthew confirmed that it works on iOS 12 and older firmware versions and has been tested extensively on iOS 11.
For those who don’t know, Matthew recently got involved in the jailbreak community. He also released an iOS 11 jailbreak toolkit called “Rebirth” for developers and security researchers.
Secure Enclave Coprocessor fails to detect passcode attempts
On iOS, the SEP (Secure Enclave Coprocessor) handles authentication and other security features.
The SEP is also responsible for detecting incorrect passcode attempts and wiping all data from a device after ten such attempts.
The Erase Data bypass circumvents this limit by submitting all the passcode guesses as one long string of input rather than one at a time.
The SEP fails to count the individual passcodes contained in the string, so the erase data feature is never triggered.
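To show why counting attempts per input event is the wrong design, here is a simplified model added to this article; it is constructed for illustration and is not Apple's SEP code. The secret PIN, the threshold of ten and the two counting policies are assumptions of the model.

```python
# Constructed model of a passcode lockout counter (not Apple's SEP code).
# It contrasts a counter updated once per input EVENT with one updated
# before every individual CANDIDATE passcode. Only the latter survives a
# batched input that carries many guesses in one string.
import hmac
from dataclasses import dataclass

ERASE_THRESHOLD = 10  # "Erase Data" wipes the device after ten failures


@dataclass
class PasscodeStore:
    secret: str          # assumed PIN held by the model
    failed: int = 0      # consecutive failed attempts
    erased: bool = False # set once the threshold is reached

    def check(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate, self.secret)


def split(event: str, pin_len: int) -> list[str]:
    """Cut one input string into fixed-length candidate passcodes."""
    return [event[i:i + pin_len] for i in range(0, len(event), pin_len)]


def unlock_per_event(store: PasscodeStore, event: str, pin_len: int):
    """Flawed policy: one failure is recorded for the whole input event,
    however many candidates it contains, so batching evades the lockout."""
    if store.erased:
        return None
    for c in split(event, pin_len):
        if store.check(c):
            store.failed = 0
            return c
    store.failed += 1                    # counted once, not once per guess
    store.erased = store.failed >= ERASE_THRESHOLD
    return None


def unlock_per_attempt(store: PasscodeStore, event: str, pin_len: int):
    """Hardened policy: lockout state is checked and the counter advanced
    before each candidate, so a batch is no better than single guesses."""
    for c in split(event, pin_len):
        if store.erased:
            return None
        if store.check(c):
            store.failed = 0
            return c
        store.failed += 1
        store.erased = store.failed >= ERASE_THRESHOLD
    return None


def simulate(policy, secret: str = "0827", pin_len: int = 4):
    """Submit every 4-digit PIN as one batched input under the given policy.
    Returns (pin_found_or_None, failed_count, erased)."""
    store = PasscodeStore(secret)
    event = "".join(f"{n:0{pin_len}d}" for n in range(10 ** pin_len))
    found = policy(store, event, pin_len)
    return found, store.failed, store.erased
```

Under the flawed policy the batched input recovers the PIN with a failure count of zero; under the hardened policy the device is erased after the tenth candidate and the secret is never reached.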
When will Apple patch this exploit?
Matthew, like other ethical hackers, reported the bug to Apple’s security team, which is currently investigating the exploit and has yet to reply to him.
Apple are investigating the video and brute force claims, there may be mitigations or limitations I haven't considered. Hopefully they can explain the behaviours I'm seeing.
— Hacker Fantastic (@hackerfantastic) June 23, 2018
If no mitigation is already in place in iOS 11.4, Apple will definitely release a new version that patches this attack.
iOS 12, on the other hand, might stay vulnerable for the time being because it’s still in the beta development stage.
[Source – Matthew Hickey]