Bypassing Passcodes in iOS

Last week, a story was going around explaining how to brute-force an iOS passcode. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once:

We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature.

I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work.

This isn't to say that no one can break into an iPhone. We know that companies like Cellebrite and Grayshift are renting/selling iPhone unlock tools to law enforcement -- which means governments and criminals can do the same thing -- and that Apple is releasing a new feature called "restricted mode" that may make those hacks obsolete.

Grayshift is claiming that its technology will still work.

Former Apple security engineer Braden Thomas, who now works for a company called Grayshift, warned customers who had bought his GrayKey iPhone unlocking tool that iOS 11.3 would make it a bit harder for cops to get evidence and data out of seized iPhones. A change in the beta didn't break GrayKey, but would require cops to use GrayKey on phones within a week of them being last unlocked.

"Starting with iOS 11.3, iOS saves the last time a device has been unlocked (either with biometrics or passcode) or was connected to an accessory or computer. If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled," Thomas wrote in a blog post published in a customer-only portal, which Motherboard obtained. "You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point. This is termed USB Restricted Mode and it affects all devices that support iOS 11.3."

Whether that's real or marketing, we don't know.
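As an added illustration, not code from the post, from Apple or from Grayshift, here is a small model of the timer policy the quoted passage describes: unlocks (passcode or biometric) and accessory or host connections record a timestamp, and once 168 hours pass without one the port is treated as charge-only. The event names, the use of a monotonic elapsed-time counter rather than wall-clock time, and the fail-closed handling of a clock that appears to run backwards are assumptions of this model, not a description of how iOS implements USB Restricted Mode.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOURS = 3600
DEFAULT_WINDOW = 168 * HOURS  # seven days, the iOS 11.3 value quoted in the post

# Events the quoted passage says reset the timer. The names are constructed for
# this model and are not iOS identifiers.
RESET_EVENTS = {"unlock_passcode", "unlock_biometric",
                "accessory_connected", "host_connected"}


@dataclass
class UsbRestrictedMode:
    """Model of the data-port policy.

    `now` values are seconds from a monotonic counter supplied by the caller
    (an assumption of this model): a monotonic source cannot be moved
    backwards by changing the wall clock, so a rollback cannot reopen the port.
    """
    window: int = DEFAULT_WINDOW
    last_event_at: Optional[float] = None   # None: nothing recorded yet
    log: List[tuple] = field(default_factory=list)

    def record(self, event: str, now: float) -> None:
        if event not in RESET_EVENTS:
            raise ValueError(f"unknown event {event!r}")
        if self.last_event_at is not None and now < self.last_event_at:
            # A monotonic counter never decreases; treat this as tampering and
            # keep the earlier timestamp so the window does not restart.
            self.log.append(("clock_rollback_ignored", event, now))
            return
        self.last_event_at = now
        self.log.append((event, now))

    def data_allowed(self, now: float) -> bool:
        """The port may carry data only if a reset event fell inside `window`."""
        if self.last_event_at is None:
            return False                 # fail closed: no event ever recorded
        if now < self.last_event_at:
            return False                 # fail closed: time ran backwards
        return (now - self.last_event_at) < self.window

    def port_state(self, now: float) -> str:
        return "data" if self.data_allowed(now) else "charge-only"


def demo() -> List[Tuple[int, str]]:
    """Walk one phone along a constructed timeline; returns (hour, state)."""
    phone = UsbRestrictedMode()
    phone.record("unlock_passcode", now=0)
    samples = [(h, phone.port_state(h * HOURS)) for h in (0, 100, 167, 168, 200)]
    # A biometric unlock at hour 200 restarts the window: the quoted text says
    # either unlock type counts, so a Touch ID unlock is as good as a passcode.
    phone.record("unlock_biometric", now=200 * HOURS)
    samples.append((201, phone.port_state(201 * HOURS)))
    return samples


if __name__ == "__main__":
    for hour, state in demo():
        print(f"hour {hour:>3}: port is {state}")
```

The shorter one-hour window that later betas were reported to use is just `UsbRestrictedMode(window=HOURS)` in this model.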

Posted on June 26, 2018 at 9:38 AM • 32 Comments

Comments

Hermann • June 26, 2018 9:50 AM

Seven days is an incredibly high number. Why is Apple doing such a useless "security" measure?

C.S. Lewis • June 26, 2018 9:57 AM

This cat-and-mouse theater has been marketing since Apple began to secretly cooperate with campaigns like PRISM and the SIGINT Enabling Project.

Back doors in software have given way to hardware back doors, which are relatively easy to implement and damn near impossible to detect.

Ever wonder why DIRNSA and DIRCIA never whine about "going dark"? Or why congress is flipping out about ZTE and Huawei?

Yet the security celebrities dutifully keep up the technical kayfabe. Depicting CEOs as good guys and government officials as bad guys, despite all the lobbying cash, dark money pits, and revolving doors.

641A • June 26, 2018 10:07 AM

As an iPhone user (albeit sometimes reluctantly) this "restricted mode" seems like a non-change made to make it look like Apple is doing something when they're really not. I would prefer my Lightning port to default to a charge-only mode whenever it's plugged in unless the phone is already unlocked or until the phone is subsequently unlocked.

But then again, Apple needs to be able to recover devices that are non-responsive or have been locked out or wiped. Does this mean, for instance, that if you forget your password and wait longer than a week to go to an Apple store, they won't be able to restore or reset your device? And if not, what's to stop Grayshift from finding a vulnerability in that functionality that they can exploit to unlock phones?

Rick Lobrecht • June 26, 2018 10:15 AM

Restricted Mode was originally activated after a week, but in iOS 12 betas and iOS 11.4 beta it is activated after an hour. ref

Auricchio Rick • June 26, 2018 10:30 AM

Isn't this situation going to be changed in IOS 12?

Other stories say that IOS 12 will shorten the lockout-time to one hour, which will make it more imperative for someone to quickly try Grayshift or another device to access the phone via the connector. The machinery of law enforcement probably doesn't move quickly enough. (Only on TV!)

Apple should also consider allowing the user to designate one or more "lockout fingers." A lockout fingerprint would immediately cause the phone to erase itself.

Would law enforcement consider this an attempt to destroy evidence? This would seem to be a weak legal argument, since it would be difficult to claim any evidentiary value of phone contents that law enforcement has never seen.

TimH • June 26, 2018 10:45 AM

@Auricchio: "lockout fingers" will lead to inadvertently erased phones, unless it is so difficult to do that the feature is worthless

@641A: phone should not even negotiate with USB unless unlocked first. If that means 100mA charge rate in some circumstances, so be it.

There surely is a 'clear everything' hardware input inside to clear a working phone. Failing that, the factory has to be able to flash a newly built product, which is a wipe too.

echo • June 26, 2018 11:22 AM

How many times have we seen "Product A is amazing" followed by the release of product B, which changes the chant to "Product B is amazing" and product A is instantly forgotten about? Let alone, if Product A was so amazing, wasn't it perhaps rubbish before, and Product B is really just another iteration on the treadmill? No, no. I forget. (Slaps head like a silly person.) Product C will be AMAZING. Promise. Honest. Truly. Really mean it this time.

justinacolmena • June 26, 2018 12:07 PM

Err, excuse my French, but these fellows are already playing dirty.

Cellebrite?

An "Israeli" company? Like we're so smart, and we have to "celebrate diversity" and all that? Good grief. That's the PLO abstaining from pork and circumcising themselves, and all of a sudden they're good Jews.

Grayshift?

Do you recognize that? The old anti-Semitic "wise man" canard. Some guy's wiser than Solomon and has >1,000 wives, so he has to have part of his dick cut off.

M Welinder • June 26, 2018 12:34 PM

If the cut-off becomes 1h, expect to see mobile unlocking devices soon. 1h is not enough to reliably make it to the lab.

Humdee • June 26, 2018 12:39 PM

@bruce writes,

"Whether that's real or marketing, we don't know."

We do know. It's marketing. The only question is who is doing the marketing. If Grayscale is telling the truth, it is Apple. If Grayscale is wrong, it is Grayscale.

Given Apple's history in this area I'm likely to finger them as marketing. I mean it would be an extreme outlier of a case where the cops could not get a phone and plug it in within seven days.

If Apple really wants to stop Grayscale they will let the end user determine the time period at which point the Lightning port won't work.

Mike D. • June 26, 2018 1:44 PM

Most users don't plug keyboards into their phones. Or a lot of other classes of USB peripherals, even. And even the ones who use keyboards, half the time the keyboards are Bluetooth, not USB.

So where are the USB firewalls? Most of these USB port exploits seem to hinge on the host accepting any keyboard, storage device, or firmware updater plugged into it without question. There are plenty of points in the enumeration process where a device can be refused by the host.

Why not just leave things untrusted until paired, and pairing can only happen with explicit approval when the device is already unlocked? It's not perfect (neither are firewalls), but it seems like a tool that should be there.

Also, "One-Time Programmable" memory is a thing, and is frequently used for secure enclave configuration. We just accept that sometimes we have to throw the logic board away. So there doesn't have to be a way for the manufacturer to re-flash the entire device.

PeaceHead • June 26, 2018 2:05 PM

My guess is that at some point in the future, it will be possible to scan electronics and other items not by their active inputs modulation inputs, and not necessarily by outputs, but by viewing the entire gestalt, like via an MRI (magnetic resonance imaging) scanner. And at other times, maybe more like an electron microscope. So eventually there will just be like an "x-ray" (but not x-rays, of course) of the whole thing revealing individual logic states, which could then be mapped by a computer and run as a simulation at any point of choice by the forensics user.

I am actually hoping that this type of technology is already in use somewhere. I think it's plausible somewhere that money, minds, and technology have united to solve important problems, SUCH AS FIGHTING TERRORISM.

So yeah, I hope the FBI's Counterterrorism has access to stuff like that someday if not already or some of their allies.

Giving the total mass public the world's most powerful data locks without any proper discourse for the parts of law enforcement who are not corrupt and who routinely save lives seems ridiculous to me.

The average person does not need the world's most powerful data locks (yet).
A lot of people are ashamed of their bedroom habits, web history, political hypocrisy, or extra-marital affairs. But none of those are big enough reasons to give terrorists and black market criminals and human traffickers the upper hand.

It's not a "backdoor" thing either. There are other techniques. I think Apple needs to do some soul-searching and try to rediscover which they care more about. But again, those whose motivations are money are routinely incompatible with those whose motivations are safety, survival, and ethics.

Even people like us who are intellectuals, we are not necessarily all into this stuff for money.

So getting back to the social psychology of the bigger picture is really important.
Do we really want to make the next crime catastrophe more likely to happen and not be prevented nor prevented from recurring? Do we really want to make it easier for some of the worst and meanest criminals to escape non-touched every time? I say, hell no, not me.

And you can't compensate for lack of security traversal with more militant brute force attack first types. It's not an effective counterbalance. They aren't equivalent resources nor techniques. Sometimes people needing access to fight crimes means exactly that and only that, nothing more, nothing less.

While dissidents and whistleblowers need to be protected, hard cryptostego really shouldn't be handed out to everybody and their iOS-toting toddler while the mega corporations who don't really give a damn about ethics make tons of money off of everyone's mental and emotional insecurity.

Nobody cares who you slept with. Nobody cares what porn you look at. Only your wife cares that you're cheating on her (if she knows). People need to stop being hypocrites. And if they feel guilty about their self-contradictory behavior, they don't need a high-tech veil nor high-tech lawyers. They need to stop forcing the whole society of modern urban culture down the tubes just because they didn't think these details through.

The average iOS user probably doesn't really give a damn about security when it comes to trying to comprehend the theory or methodology or textures of complexity.

I'm not an expert either, but I prefer to not be in the dark 100%. I'd prefer the honesty of acknowledging vulnerabilities we have to reduce them rather than giving up all of our best assets and delivering them to the worst types of sociopaths in the world who are guaranteed to reduce lives and livelihoods.

I read Liars and Outliers because it's the bigger picture which really matters, but so do the details that nobody is talking about on TV or in a lot of homes or in the papers or even in many colleges. Except for security websites and in workplaces of those who give a damn, the only ones who seem to take notice of the details are the ones who use them to cause others angst (while they possibly make money off other people's loss).

So yeah, this is clearly an ethical type of thing. I try to understand this world no matter how powerless any of us are. And if a terrorist gets access to a HANE device, then people's greed and arrogance and selfishness and pigheadedness will not save them nor their families nor their communities nor me nor you.

Like I always say, MAY PEACE PREVAIL WITHIN ALL REALMS OF EXISTENCE.
This is a very real concern. Risk can't be controlled. Some risks are best avoided entirely.

One last thing:

In terms of security, blaming Russia for every U.S. domestic flaw and idiosyncrasy is a geopolitical security risk that affects 7+ billion lives adversely. The COLD WAR IS DONE, QUIT, ENDED. Keep it that way. Please, if we have the opportunities to share life-saving truths and insights instead of spreading more unfair xenophobia, we should do that instead.

Everybody, have a good next month.
I read "the PDF" so now I will try and back off this site a little.
I will be sure not to confuse an CNFM with a CFNM or an CMNF or whatever the other possibilities are.
Urg binary code.

Y'all take care.
Bruce, I will be buying your book "Click Here to..." so I'll stop back from time to time to check up on this site. Thanks for all the intellectualism when it's a good cause. I am risk-averse, so I appreciate the slant towards safety. Peacefulness and Safety go hand in hand quite often.

Matt from CT • June 26, 2018 3:13 PM

>Would law enforcement consider this an
>attempt to destroy evidence? This would
>seem to be a weak legal argument,

Yes, they would and it would be a slam dunk legal case.

It is very difficult to prove someone can't remember their password.

Performing a never-otherwise-performed action under stressful conditions to wipe a phone while standing in front of a cop asking for it?

You just destroyed evidence.

There doesn't even have to be an underlying crime, just an investigation.

It's not that they may decide there is no longer enough evidence of a crime to proceed; they may have decided there is no evidence of criminal wrongdoing whatsoever in what they were investigating (Oh look, the missing person we were handling as a homicide investigation just walked in and explained they were walking the Appalachian Trail without telling anyone!) ...and if you pissed off the cops enough by your behavior you can still be charged with destruction of evidence because you deliberately interfered with the investigation and the evidence related to it.

Vicky • June 26, 2018 3:36 PM

I know this is far from the main feature of the story, but I'm really curious as to why you put the (sic) in the quote near the end:

"If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled,"

That seems like perfectly good English to me and I can't work out what you think they should have said instead!

Squirrel • June 26, 2018 4:13 PM

What happens if the time is less than 168 hours, then greater than 168 hours, and then less than 168 hours again? How does the phone tell time? NTP? Cell towers? Can the time be changed backwards?

dssdgdsgdsg • June 26, 2018 4:20 PM

The only way to be sure is third party verification of the technique or if courts get involved in a class action lawsuit.

Apple has had a few really bad and careless bugs (hint = password, password in log, empty password) in OS X last year, and they are known for denying hardware failures or blaming them on the user as pretty much their MO, until it gets to a lawsuit, at which point they suddenly acknowledge it and offer free, but often limited, help (this just happened with keyboards).

And between all the idiocy (the whole 'AMD flaws' FUD fiasco, stuff like Equifax, claiming every little script kiddie is China, Korea and Russia, gungho approach to security, passwords in plaintext because "we know what we are doing", etc.) that went unpunished both legally, financially and from consumer opinion it's hard to trust anything by default.

And security is a niche feature in itself, and anyone complaining about it misbehaving will surely face not only the usual Apple fanboyism (the story you've linked already has "Android phones are easy to hack, why don't they write about it!?" style comments) but also the usual "lol, you're paranoid, gov doesn't care about ur nude selfies" approach to security and privacy, as if thieves didn't exist. I encrypt my devices (for the case of theft mainly) and it still gets me funny looks (as if I were a terrorist or CIA or KGB or something) in 2018. I wonder if the reaction would be worse if I weren't a tech person professionally with a relevant master's degree (which basically gives everyone a "he knows what he's doing and has a good reason for it" thought, even if just subconsciously) but just some random dude who does it.

6_7nbbbb73d~ • June 26, 2018 4:28 PM

Is it that the device has to have been recently unlocked by password? Because biometrics could presumably be spoofed whenever and as many times as needed, as has been demonstrated.

Jon (fD) • June 26, 2018 4:40 PM

@PeaceHead

"So yeah, I hope the FBI's Counterterrorism has access to stuff like that someday"

That's great. Until they define you as one of those 'terrorists'.

Jon (fD)

dragonfrog • June 26, 2018 4:52 PM

@641A

"I would prefer my Lightning port to default to a charge-only mode whenever it's plugged in unless the phone is already unlocked or until the phone is subsequently unlocked."

That's how my (doubtless very insecure on any number of other fronts) Android phone appears to behave by default - the data connection isn't enabled unless you click the option to do so on the phone screen, which is only available to click after you unlock the screen.

641A • June 26, 2018 5:47 PM

@dragonfrog

That's how I thought my iPhone worked, setting aside Apple-specific tools that can reset or restore a phone. I get prompted to unlock it whenever I plug it in to my computer to use iTunes.

Which is why I sort of assumed that Grayshift had managed to suborn that process somehow, and makes me wonder what Apple is actually planning to change, since I can't imagine they'll want to get rid of the ability to reset or restore phones.

Esteban • June 26, 2018 9:18 PM

@dssdgdsgdsg

"security is a niche feature in itself, and anyone complaining about it misbehaving will surely face not only usual Apple fanboyism"

Despite the arrogance of using the slur "fanboy", the point about security as a niche feature is fairly ignorant. Don't dismiss the fact that Google's product Android is weak on security and Google itself doesn't care about your privacy. Apple at least makes an attempt, flawed as it may be.

And why bring up an OS X security failure, when the subject is iOS? That is pure misdirection.

Sancho_P • June 27, 2018 3:41 AM

@PeaceHead

„ ... to solve important problems, SUCH AS FIGHTING TERRORISM.“

This must be a joke, isn't it?
Or do you mean to fight terrorism we have to break security?
Passcodes prevent fighting terrorism?
Would it mean security is essential for the nature of terrorism?

Breaking into phones (this topic) is always after the fact, probably to find clues, cause, comrades, to identify, localize, finally to solve crime.
That's perfect, but too late. People are already dead.

If the owner of the phone is alive, LE don't have to break the passcode.

To fight terrorism is a separate topic, but not part of a security discussion.
Security means to be secure from abuse, even be it by gov.
Good guys and bad guys, both are everywhere, that's nature.

It's not against LE, it is for security.

Bauke Jan Douma • June 27, 2018 4:51 AM

@PeaceHead
Sorry to read you have drunk the Kool-Aid vis-à-vis the war on terror and all that the surveillance state deems is necessary to wage it.

JohnnyS • June 27, 2018 8:57 AM

If the iDevice is in the hands of the Authorities, why can't they just disassemble it and take an image of the flash memory right off the chips? Sure, it's encrypted but loading the flash image into an emulator should allow infinite password tries.

Physical access to a system or device has always been "game over" for security.

Sok Puppette • June 27, 2018 9:08 AM

Apple tolerates its ex-employees abusing their knowledge of its trade secrets to subvert the security of its products?

Where's the massive lawsuit against this guy?

PeaceHead • June 27, 2018 11:48 AM

quote: "So yeah, I hope the FBI's Counterterrorism has access to stuff like that someday"
That's great. Until they define you as one of those 'terrorists'.
Jon (fD)
endquote.

@Jon (fD): Naw, I am so square and lawful I don't have anything to worry about. I've been abused and poisoned and bothered by a lot of different people, but I'm not vengeful. I make it my credo to not be a problem-causer for societies or anybody anywhere. I've been wronged a lot in my life. It's ALWAYS been by other Americans, usually right where I live, supposedly where freedom rings. I don't mess with drugs, contraband, weaponry (but I know some self-defense), I don't mess with kid porn, I don't steal, I don't assault people (but I've been falsely accused by a librarian of it).

I'm on the side of people who live by facts and discernment via science. Forensic science is very much a part of that. There have been some excellent articles about good law enforcement techniques in National Geographic, Scientific American, American Scientist, New Scientist, Utne, Intelligence Report, sometimes even WIRED magazine.

I take seriously what they do. I read the FBI website from time to time. I've been a victim of civic corruption, and maybe of some other stuff. The FBI fights against that and other stuff. If people would just read the FBI website it would dispel some of the myths. I know they were horrible during the COINTELPRO days, but that was a long time ago. They are very different in most places now.

It's not true that evidence formerly owned OR CURRENTLY OWNED OR USED by terrorists or other criminals is not of value to law enforcement to PREVENT FUTURE CRIMES. Just because somebody did something already, doesn't mean that they won't do it again, especially if they aren't caught. Also, they might not be working alone. So please, let's skip the obvious stuff.

I think the IEEE is making a mistake. I wonder what the Union of Concerned Scientists would think. However, just because somebody is a scientist doesn't mean that they know much about security. People are usually only most knowledgeable about their own area of expertise. Outside of that, they are just as ignorant as anybody else, often even more ignorant, because they spend so much time with their heads in their myopic studies. And that's coming from a guy who thought about joining the IEEE.

What has the IEEE done for anybody lately to reduce security incursions?
What has the IEEE done lately for anybody to clarify the terms?

People's logic is flawed when they imply that Law Enforcement such as FBI Counter-Terrorism only needs/wants/would use "back doors". And the FBI is not the same as the White House. Very different branches of so-called government.

FBI investigates government abuses too. They are more neutral than most people give them credit for. If people gut and castrate the FBI then it won't just be criminals moving into the void, it will be the real government tyrants as well as the corporate thieves who are already very busy, as well as the terrorists and the typical abductors and serial murderers and stuff.

I don't know why people have difficulty with the basic logic of this stuff. I guess not everyone has taken the time to try and comprehend what the FBI does as opposed to other forms of Law Enforcement or so-called government.

Meanwhile: IT WAS NOT THE RUSSIANS, IT WAS EX-NSA

https://www.rt.com/usa/372219-larry-king-mcafee-cybersecurity/

Peter • June 28, 2018 11:11 AM

Of course I will trust my privacy to the company that holds a patent on an adjustable backdoor. And if the US wants to fight terrorism, maybe you should just stop funding and arming them? White Helmets my foot!!

Guest • June 28, 2018 6:53 PM

> Would law enforcement consider this an attempt to destroy evidence? This would seem to be a weak legal argument,

Yes, they would and it would be a slam dunk legal case.

It is very difficult to prove someone can't remember their password.

Performing a never-otherwise-performed action under stressful conditions to wipe a phone while standing in front of a cop asking for it?

You just destroyed evidence.

Never-otherwise-performed?

"U R doing it wrong"

Use two of your fingers in rotation to unlock it. Same finger twice in a row? Brick it.

Document your frequent disgruntlement with having accidentally deprived yourself of a phone until you can return home and restore from backup. (Now they're after the backup's passwords, though possibly with less 4th Amendment circumventions, and certainly with no ability to gain immediate access as they hold you there at the border.) Actions you never otherwise perform? You are in the habit of doing this all the time.

Sancho_P • June 29, 2018 3:32 AM

@Guest

“... until you can return home and restore from backup ... as they hold you there at the border ...“

You good boy you, listen, I can tell you:
They won't hold you at the border, they simply send you back.
But without your phone.
You will then have to buy a new one before back up :-(
Make sure to have a new name when trying to visit again ;-)))

JoeDontKnow • June 29, 2018 12:30 PM

What we're getting here is an unsolicited thespian generated mirage. The whole thing is done with quantum computing, which joe doesn't know is in full bloom, on and off the stage.
