iOS Passcode Bypass Vulnerability

A security researcher has disclosed details of a vulnerability in iOS that allows a user to input more passcodes than the device should normally allow before locking.

Threat ID:: CC-2516
Category:: Exploit
Threat Severity:: Low
Threat Vector:
Published:: 28 June 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A security researcher has disclosed details of a vulnerability in iOS that allows a user to input more passcodes than the device should normally allow before locking.

Affected platforms

The following platforms are known to be affected:

iOS

Apple iOS - All versions up to 11.3

Threat details

Typically, iOS will lock a device if 10 incorrect passcodes are entered and can be configured to erase the device's contents. When passcodes were entered as one concatenated string on a physical keyboard connected through the Lightning port; not all passcodes would be passed to the device's secure enclave for validation. This happens as the keyboard input routine is prioritised over the data erasure routine.

This can result in a local attacker being able to brute-force attack a targeted device to gain access, whilst bypassing the data erasure feature.

Remediation steps

Type	Step
	Apple have confirmed that the latest version of iOS (11.4) will address this vulnerability. Users are advised to update their affected devices as soon as this update becomes available.

Last edited: 17 February 2020 12:45 pm