Join Us!

Notifications
Clear all

iOS Bruteforce  

  RSS
the_Grinch
(@the_grinch)
Active Member

https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

I'm pretty sure this has been fixed in 11.4 as I wasn't able to reproduce his results, but it makes me believe 11.3 and below is fair game.

Quote
Posted : 23/06/2018 5:58 am
Igor_Michailov
(@igor_michailov)
Senior Member

In my opinion, it is a joke.

ReplyQuote
Posted : 23/06/2018 8:20 am
passcodeunlock
(@passcodeunlock)
Senior Member

It is not a joke, just the story doesn't reveal everything )

ReplyQuote
Posted : 23/06/2018 9:25 am
the_Grinch
(@the_grinch)
Active Member

Well I will disclose what hasn't work for me so far

I tested on iOS 11.4 and on 11.1.2 without success. I purchased a lightning to USB adapter that allows you to feed power and plug a usb device into an iPhone. I programmed a RubberDucky with a long string of numbers (with the last one being the one that would unlock the device) and got the 1 minute, then 5 minute delay. I will note that neither device had the wipe after 10 failed attempts enabled.

ReplyQuote
Posted : 23/06/2018 6:56 pm
the_Grinch
(@the_grinch)
Active Member

I noticed something very interesting when re-watching the video he posted. At 16 seconds, if you pause it, you'll notice the following HDBox-Keyboard. Now at this point he has plugged the phone in (to what he says is a computer, but shows us nothing) and then I see that. I happen to own an HDBox which is a device that allows for the brute forcing of Android Passcodes, Patterns and iOS passcodes. Currently my device is at work so I can't test it, but will definitely test it out on Monday.

ReplyQuote
Posted : 23/06/2018 10:24 pm
the_Grinch
(@the_grinch)
Active Member

Figured it out! It does definitely work on 11.4 and almost as described by the author. They've updated the article, but I think he was close to on the money.

ReplyQuote
Posted : 24/06/2018 3:01 am
the_Grinch
(@the_grinch)
Active Member

So my testing was flawed. Seems iOS ignores multiple entries of the same code. Thus if you enter 000000 30 times you won't get hit with any limits, but if you entered 000000..111111…222222 etc you'll hit the limit. Back to the drawing board.

ReplyQuote
Posted : 24/06/2018 8:30 pm
shahartal
(@shahartal)
Junior Member

I think he made the same mistake during his original testing, he has now retracted his claims and the articles were updated.

ReplyQuote
Posted : 24/06/2018 8:51 pm
the_Grinch
(@the_grinch)
Active Member

Yeah I was reading the retractions yesterday. The piece I don't get is how he was able to send the full string without a timeout. Nothing I did could reproduce those results as both devices I tested timed out after 5 attempts. We shall see I suppose!

ReplyQuote
Posted : 24/06/2018 10:12 pm
Share: