Update: In a statement, Apple has refuted this vulnerability and said it was not tested correctly by the security researcher:
According to a new report from ZDNet, security researcher Matthew Hickey has discovered a new way to bypass the passcode lock on any iOS device. Hickey claims that his brute force tactic works at least until iOS 11.3…
iOS offers a setting that, if enabled, wipes the device after 10 failed passcode attempts. Hickey’s tool, however, is able to bypass that requirement by sending the passcodes all at once, as opposed to one at a time.
Hickey found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.
“Instead of sending passcodes one at a time and waiting, send them all in one go,” he said. “If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature.”
Essentially, an attacker would send all possible passcodes in one single attempt, which doesn’t give the software any breaks. Thus, the keyboard input takes priority over the wiping feature. Hickey’s method isn’t necessarily fast, with each passcode taking between three and five seconds to run.
His brute force method will also likely be affected by Apple’s upcoming USB Restricted Mode, which locks the Lightning port on an iOS device if it hasn’t been unlocked within the last hour.
Hickey emailed Apple details of the bug, but he said it was “not a difficult bug to identify.” A spokesperson for Apple did not immediately respond to a request for comment.
“I suspect others will find it — or have already found it,” he said.
What similarities Hickey’s method carries to tools like GrayKey is unclear, but GrayKey requires a standalone box and generally costs around $15,000. Grayshift, however, claims to have already defeated Apple’s new USB Restricted Mode in iOS 12.