Notifications
Clear all

iOS Bruteforce

9 Posts
4 Users
0 Likes
1,547 Views
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

I'm pretty sure this has been fixed in 11.4 as I wasn't able to reproduce his results, but it makes me believe 11.3 and below is fair game.

 
Posted : 23/06/2018 4:58 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

In my opinion, it is a joke.

 
Posted : 23/06/2018 7:20 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

It is not a joke, just the story doesn't reveal everything )

 
Posted : 23/06/2018 8:25 am
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Well I will disclose what hasn't work for me so far

I tested on iOS 11.4 and on 11.1.2 without success. I purchased a lightning to USB adapter that allows you to feed power and plug a usb device into an iPhone. I programmed a RubberDucky with a long string of numbers (with the last one being the one that would unlock the device) and got the 1 minute, then 5 minute delay. I will note that neither device had the wipe after 10 failed attempts enabled.

 
Posted : 23/06/2018 5:56 pm
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

I noticed something very interesting when re-watching the video he posted. At 16 seconds, if you pause it, you'll notice the following HDBox-Keyboard. Now at this point he has plugged the phone in (to what he says is a computer, but shows us nothing) and then I see that. I happen to own an HDBox which is a device that allows for the brute forcing of Android Passcodes, Patterns and iOS passcodes. Currently my device is at work so I can't test it, but will definitely test it out on Monday.

 
Posted : 23/06/2018 9:24 pm
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Figured it out! It does definitely work on 11.4 and almost as described by the author. They've updated the article, but I think he was close to on the money.

 
Posted : 24/06/2018 2:01 am
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

So my testing was flawed. Seems iOS ignores multiple entries of the same code. Thus if you enter 000000 30 times you won't get hit with any limits, but if you entered 000000..111111…222222 etc you'll hit the limit. Back to the drawing board.

 
Posted : 24/06/2018 7:30 pm
(@shahartal)
Posts: 27
Eminent Member
 

I think he made the same mistake during his original testing, he has now retracted his claims and the articles were updated.

 
Posted : 24/06/2018 7:51 pm
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Yeah I was reading the retractions yesterday. The piece I don't get is how he was able to send the full string without a timeout. Nothing I did could reproduce those results as both devices I tested timed out after 5 attempts. We shall see I suppose!

 
Posted : 24/06/2018 9:12 pm
Share: