It was believed for a short time this week that iOS would allow hackers to brute force their way past the lock screen passcode if they were able to manipulate a series of continuous input attempts; in most cases, this could be done through a computer connection.
Hacker House researcher Matthew Hickey tested continuous input brute forcing and seemingly shorted out iOS’s data erasure protection measure, which would activate after ten wrong attempts.
Apple spokeswoman Michele Wyman told multiple media outlets that the “recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.” The statement did not go into any detail about the error.
Hickey went back to the drawing board and, as was suggested at some point by Antid0te CEO Stefan Esser, looked into the secure enclave processor’s readings.
“When I sent codes to the phone, it appears that 20 or more are entered but in reality it’s only ever sending four or five pins to be checked,” Hickey told ZDNet.
Rene Ritchie of iMore suggests that perhaps the SEP was checking for potential unintentional entries from pocket dialing or moisture on the display, but it could be one of many possibilities.
All said, Apple was right to stand its ground on a bug that turned out to be nothing (for now, as the research goes on), though its attempts at assuaging any lingering concerns its consumers may have could use work.