Apple comments on erroneous reports of iPhone brute force passcode hack
Rene Ritchie reports:
Update: Apple has provided me with the following statement, which should close the door on speculation surrounding this purported exploit:
“The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing”
Yesterday, a security researcher reported on a possible brute-force passcode attack that affected iPhone and iPad. The researcher seems to have disclosed the discovery to Apple, though it’s unclear whether he waited for Apple to confirm and fix it — or refute it — before going public.
ZDNet summed it up this way:
An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces. Because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature, he explained. That means the attack works only after the device is booted up, said Hickey, because there are more routines running.
When stories come out about “hackers” and Apple getting “black eyes”, it should give us all pause. Security is seldom simple and sensationalism is ultimately a attention-exploit, even and especially when it’s used to report on vulnerabilities.
In this specific case, it looks like the pause was well warranted. Turns out, the “hack” might not have been what it first seemed.
Read more on iMore.