Last week, computer security researcher Matthew Hickey revealed that a glitch in iOS — the operating system found on iPhones and iPads — enables an attacker to quickly brute-force their way through all possible passcodes. According to Hickey, the hack allows anyone with access to a computer and a Lightning cable to unlock an iOS device. Even iOS 11.3, the current version of the operating system, is vulnerable to the glitch. The news presents a serious security threat to anyone using an iOS cryptocurrency wallet app, potentially even encouraging the theft of such devices from known bitcoin or Ethereum users.
Normally, an iOS device will lock out users who fail to correctly input a four-digit passcode (from 0000 to 9999) within ten tries. (In fact, many devices are set up to erase all the phone’s contents after the tenth failed try.) By plugging in a Lightning cable, however, Hickey claims that the device’s brute-force prevention chip (known as the secure enclave processor) can be interrupted by sending a continuous string of keypad inputs. This allows the hacker to submit all possible codes through the cable without setting off the device’s built-in protections.
“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” Hickey told ZDNet. Hickey also posted video proof of the exploit in action, seemingly validating his claims.
Apple has since denied that such an attack is possible, claiming that “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.” In response, Hickey conducted even more tests of the glitch, determining that Apple device PINs sent using the Lightning cable method “aren’t always sent” and “don’t count” in some instances, but that multiple passwords are still being checked by the device.
It’s not clear just how big of a threat this glitch is for average users, but it’s definitely not good news for users of iOS cryptocurrency wallets. Bypassing the iOS passcode protection makes it one step easier for tech-savvy thief to access a wallet app, putting the owner’s BTC, ETH, and other cryptocurrencies at risk. Virtually all cybersecurity experts recommend using a tethered, air-gapped hardware wallet to keep your crypto tokens safe.