Researchers at the security firm MDSec have found a way to bypass the iPhone’s lockscreen using just a few hundred dollars in equipment. The lockscreen typically bricks a phone after 10 bad guesses and has proven difficult to bypass on non-jailbroken phones, but MDSec has found a way to power off the phone before it registers an incorrect guess, allowing effectively unlimited guesses.
Since the lockscreen is one of the iPhone’s major anti-theft protections (combined with Find My iPhone and the remote shutdown feature), it’s a hack that could have a real impact on users.
MDSec’s system works by watching for the tiny change in the iPhone’s screen that signals a wrong-passcode notification a fraction of a second before the phone tallies the wrong guess. Once the system sees the screen change, it cuts the power, shutting down the phone before the wrong guess is counted. Done right, it allows attackers to cycle through all 10,000 possible passcodes without locking the phone, effectively bypassing the iPhone’s first line of security.
It requires a lot of skill to pull that off, particularly in securing the power supply. Turning the device off that quickly means cracking open the device and physically disconnecting the battery to put everything on USB power. The shutdown process also means every guess takes roughly 40 seconds, so cycling through all 10,000 would take the better part of a week, which would give users ample time to trigger the phone’s shutdown feature. Still, it’s plausible thieves might try the approach as a way to bypass the lockscreen, simply because of the substantial payoff when the system is successful.
More broadly, it’s a sign of how exacting security research can be. The only vulnerability here is in the order of operations: the phone displays that a passcode has failed a few steps before the internal system adds the wrong guess to its running tally. That split-second pause was enough to give MDSec an opening, leading to an exceptionally elaborate way to bypass the lockscreen.
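The ordering flaw described above, reduced to a small simulation (an added illustration, not MDSec’s or Apple’s code): a verifier that reports failure before it persists the attempt counter loses the count when power is cut, while a verifier that writes the attempt to storage first and only rolls it back on success still locks after the tenth wrong guess. The `PersistentStore`, `PowerCut` and `simulate` names are hypothetical stand-ins constructed for this example.

```python
import hmac


class PowerCut(Exception):
    """Simulates the device losing power mid-operation; nothing after it runs."""


class PersistentStore:
    """Stands in for the flash-backed failed-attempt counter that survives a reboot."""
    def __init__(self):
        self.failed_attempts = 0


def _matches(candidate, secret):
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(candidate.encode(), secret.encode())


def verify_vulnerable(store, candidate, secret, cut_power_after_feedback=False):
    """Vulnerable ordering: the caller (UI) learns the result before the counter is written."""
    ok = _matches(candidate, secret)
    if not ok:
        if cut_power_after_feedback:
            raise PowerCut()          # the increment below never reaches storage
        store.failed_attempts += 1
    return ok


def verify_hardened(store, candidate, secret, cut_power_after_feedback=False):
    """Hardened ordering: record the attempt first, then verify; roll back only on success."""
    store.failed_attempts += 1        # write-ahead: a power cut from here on still counts
    ok = _matches(candidate, secret)
    if ok:
        store.failed_attempts = 0
    elif cut_power_after_feedback:
        raise PowerCut()
    return ok


def simulate(verify, guesses, secret, limit=10):
    """Feed wrong guesses, cutting power right after each failure notification.

    Returns ("locked", n) once the persisted counter reaches the limit, else ("open", n)."""
    store = PersistentStore()
    for guess in guesses:
        if store.failed_attempts >= limit:
            return "locked", store.failed_attempts
        try:
            verify(store, guess, secret, cut_power_after_feedback=True)
        except PowerCut:
            pass                      # device reboots; only what reached the store survives
    return "open", store.failed_attempts
```

Running `simulate(verify_vulnerable, ["0000"] * 12, "1234")` returns `("open", 0)`, whereas the hardened verifier returns `("locked", 10)` on the same input.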