Brute force attack on iPhone passcode lock: Simple bug or major security vulnerability?

Over the weekend, a report about another vulnerability in iOS was circulating. A security researcher allegedly discovered a new way to work around the passcode lock on any iOS device up to iOS 11.3. According to researcher Matthew Hickey, this is supposed to be possible via a USB cable and a brute-force attack. However, for the attack to work, a setting has to be activated in the system.

In the settings on the iPhone and iPad, an option can be activated that completely erases the device after ten incorrect entries. According to a ZDNet report, researcher Matthew Hickey has found a way around this security feature. Instead of sending one request after another as usual, several requests can be sent simultaneously via USB, and the system then prioritizes them over all other functions. This can also be used to avoid the device being erased.

Potential hackers could thus send different possible passcodes in one attempt without affecting the system, since the request sent via USB is prioritized over the deletion. Even if the method is not fast, it will soon be a thing of the past. With iOS 12, Apple will introduce a new mode that deactivates the Lightning port one hour after the last unlock and only allows the charging function.

Apple also spoke to iMore about the topic. The company stated that this was “an error and the result of an incorrect test”. The site also reports that the attack could not be reproduced by Apple or any third party at this time. It therefore remains to be seen whether the vulnerability was caused only by a system error or whether it actually exists. In any case, Apple will significantly reduce the potential risk with iOS 12 and the USB lock.