Yesterday, we reported something that troubled Apple users. However, we now have good news for them. The supposed iPhone passcode hack demonstrated by a researcher was nothing but ‘wrong testing’ claimed by Apple. It means your iPhone passcodes are still safe.
Apple Claims The Alleged iPhone Passcode Hack Was Wrong Testing
The news about iPhone passcode hack discovered by a security researcher Matthew Hickey recently flooded the Internet. He demonstrated in a video that Apple has an ‘erase data’ UI glitch due to which anyone can crack the iPhone passcode. According to him, sending in a long string of passcodes without breaks will confuse the iOS software as a single attempt. Thus, it will override the erase data feature that wipes the device after multiple attempts of inputting wrong passcodes.
However, right after his video surfaced online, Apple, as well as many other researchers were taking notice. People were skeptical about his conclusions and the testing method. Will Strafach, CEO Sudo Security Group, said in his tweet,
I would be very wary of this story until it is independently verified that it works, and after a fresh reboot.
PoC video is not conclusive if the device was already unlocked, since it is initial post-reboot unlock that actually matters.
— Will Strafach (@chronic) June 22, 2018
Stefan Esser, a German security researcher and the CEO of Antid0te, also expressed his observation in his tweet.
Is there a video where this actually works? I mean: you send the real passcode in one go and it ends up unlocking. I believe i tried something like this and it turned out that all those subsequent fails are because the device doesn’t actually try those passcodes until you pause https://t.co/AIFUT30amL
— Stefan Esser (@i0n1c) June 22, 2018
Eventually, Apple confirmed in a statement to Apple Insider, that the so-called hack was nothing but ‘incorrect testing’.
“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”
It was revealed that the software simply ‘shows’ as if the passcodes are being tested after receiving a long string input. But, as explained by Stefan Esser, the device simply ignores all other codes after a testing a few initially. And, it will continue to do so until the string is broken. And, as we know, after the break, the input will be the second attempt. Thus, there seems to be no erase-data glitch as reported by Hickey.
Researcher Confesses an Incorrect Observation
Matthew Hickey accepts incorrect findings. After discussion with other security researchers (as evident from his Twitter account), he eventually reached a conclusion, about which he tweeted later on.
It seems @i0n1c maybe right, the pins don't always goto the SEP in some instances (due to pocket dialing / overly fast inputs) so although it "looks" like pins are being tested they aren't always sent and so they don't count, the devices register less counts than visible @Apple
— Hacker Fantastic (@hackerfantastic) June 23, 2018
He also said ‘sorry’ to the people in another tweet.
— Hacker Fantastic (@hackerfantastic) June 24, 2018
Although Hickey’s findings didn’t prove fruitful (for hackers), he succeeded in alerting the security team at Apple who did take serious notice of the potential flaw and responded accordingly.