We’ve seen devices for brute-forcing phone passcodes before. This $500 box, demonstrated on video by YouTuber “EverythingApplePro”, uses an exploit in iOS 10.3.3 and the iOS 11 beta to brute-force the Lock screen passcode of up to three iPhone 7/7 Plus handsets at a time, but it can take days to succeed, depending on the complexity of the passcode.

Normally, attacks like this are impractical due to a user-selectable setting that tells your iPhone or iPad to wipe all your data clean after ten unsuccessful passcode entries.

Plus, the Secure Enclave cryptographic coprocessor built into the main A-series processor enforces escalating time delays after invalid passcode entries at the Lock screen, so a box like this cannot try many passcode combinations per second.

But due to a previously unknown loophole in iOS 10.3.3 and the iOS 11 beta, an attacker can make as many passcode attempts as needed on the white “Press home to recover” screen displayed after a fresh iOS install. In the video embedded below, “EverythingApplePro” uses the simple passcode “0016” so that the demonstration finishes quickly.

The hack takes advantage of iOS’s update process.

“They found a loophole in the data recovery state that allows you to use as many passcode attempts as you want,” the post explained.

An attacker would still need to own the $500 device and have physical possession of your phone for days before recovering your passcode. Older devices and iOS versions are not affected, and we fully expect Apple to release a fix for the vulnerability soon.

This vulnerability is limited to the iPhone 7 and iPhone 7 Plus and specific to iOS 10.3.3 and the latest iOS 11 beta. The best way to protect yourself from this kind of brute-force attack is to set a six-digit or alphanumeric passcode: six digits raise the number of possible codes from 10,000 to 1,000,000, and an alphanumeric passcode raises it far further, so trying every combination at this box’s rate would take weeks, months or longer.
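To make the feasibility argument above concrete, here is an added Python model (not code from the article, the video or Apple) of the retry counter the article describes: a wipe after ten failures plus escalating delays, versus the recovery-screen loophole where attempts are simply not counted, followed by the worst-case search time for the passcode lengths discussed. The delay schedule (`DELAY_AFTER_FAILURE`), the per-guess cost (`GUESS_SECONDS`) and the class and function names are assumptions made for the demonstration; Apple’s real values are not stated on the page.

```python
"""Toy model of iOS passcode retry limits versus an uncounted-attempt loophole.
Added example; delay schedule and per-guess cost are ASSUMED, not Apple's values."""
from dataclasses import dataclass
from itertools import product
from typing import Optional, Tuple

WIPE_AFTER = 10          # the "erase data after ten failed attempts" setting the article describes
GUESS_SECONDS = 10.0     # ASSUMED time the box needs per guess; the page gives no figure
# ASSUMED illustrative escalating delays (seconds) applied after the Nth failure.
# The real Secure Enclave schedule is not stated on the page.
DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


@dataclass
class PasscodeGuard:
    """Simulated Lock screen. enforce=False models the 'Press home to recover'
    loophole: guesses are accepted but never counted, so no delay and no wipe."""
    passcode: str
    enforce: bool = True
    failures: int = 0
    elapsed: float = 0.0    # simulated seconds the attacker has spent
    wiped: bool = False

    def attempt(self, guess: str) -> bool:
        if self.wiped:
            raise RuntimeError("device has been wiped; no further attempts possible")
        self.elapsed += GUESS_SECONDS
        if guess == self.passcode:
            return True
        if self.enforce:
            self.failures += 1
            self.elapsed += DELAY_AFTER_FAILURE.get(self.failures, 0)
            if self.failures >= WIPE_AFTER:
                self.wiped = True
        return False


def brute_force(guard: PasscodeGuard, length: int,
                alphabet: str = "0123456789") -> Tuple[Optional[str], int, float]:
    """Try every code of the given length in order.
    Returns (recovered code or None, attempts made, simulated seconds spent)."""
    attempts = 0
    for combo in product(alphabet, repeat=length):
        guess = "".join(combo)
        attempts += 1
        if guard.attempt(guess):
            return guess, attempts, guard.elapsed
        if guard.wiped:          # the tenth failure erased the device; search is over
            return None, attempts, guard.elapsed
    return None, attempts, guard.elapsed


def exhaustive_search_seconds(length: int, alphabet_size: int,
                              seconds_per_guess: float = GUESS_SECONDS) -> float:
    """Worst-case time to try every code when no retry limit is enforced."""
    return (alphabet_size ** length) * seconds_per_guess


if __name__ == "__main__":
    # Same 4-digit passcode as in the video, with and without the counter enforced.
    print("counter enforced :", brute_force(PasscodeGuard("0016"), 4))
    print("counter bypassed :", brute_force(PasscodeGuard("0016", enforce=False), 4))
    for label, length, size in (("4-digit PIN", 4, 10),
                                ("6-digit PIN", 6, 10),
                                ("6-char alphanumeric", 6, 62)):
        days = exhaustive_search_seconds(length, size) / 86400
        print(f"{label:22s} keyspace={size ** length:,} worst case ~{days:,.0f} days")
```

With the counter enforced, the search dies at the tenth failure with the device wiped; with attempts uncounted, “0016” falls on the 17th guess, and only the size of the keyspace (about 1.2 days for four digits, 116 days for six, thousands of years for six alphanumeric characters at the assumed 10 s per guess) stands between the attacker and the passcode.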

TUTORIAL: How to set up a six-digit passcode on your iPhone

Earlier this week, iOS hacker “xerub” managed to extract the decryption key protecting the firmware that runs on Apple’s Secure Enclave cryptographic coprocessor embedded in the iPhone 5s’s A7 chip, and posted it on GitHub.

The key’s exposure allows security researchers to examine the inner workings of Apple’s secret software powering the functions that the Secure Enclave provides to the system.

User data, encryption keys and other sensitive information securely stored in the Secure Enclave’s encrypted memory are not at risk of being decrypted, an Apple source said today.

Also relevant, iOS 11 includes a handy shortcut that lets you quickly disable Touch ID and require a passcode to unlock the device.

This could be an important feature should you ever find yourself in a dangerous situation or at risk of arrest, because it ensures the phone cannot be unlocked against your will with a fingerprint.

For those wondering, the police can force you to unlock your phone using your fingerprint, but they legally can’t force you to do that when using a passcode.

  • burge

    So in other words, the only people who might want to purchase this are thieving scum.

    • Mr_Coldharbour

      Or a security researcher whose primary objective is to find exploits and report them as part of their job.

      • burge

        How about the way this device hacks the phone? You don’t need to hack the passcode to find exploits on a phone just to report them. You can use any device that you have access to to find exploits on them.

    • Rowan09

      Even after someone gets in, they still need to deactivate iCloud to use the device.

  • Jim Hart

    “This could be an important feature should you ever find yourself in a dangerous situation or at risk of arrest..” So we’re helping lawbreakers now?

    • Donovan

      Not everyone being arrested is guilty, and also you are entitled to your privacy. Law-enforcers use holes in the law to compromise your privacy and Apple just kinda fixed one of them.

  • Dude, where did you get the cool smashed iOS 11 Lock screen wallpaper?

  • Cerberus The Wise

    So glad I use a complex alphanumerical passcode

    • electriceyes

      Good job. Just make damn sure you keep that device in sight at all times – make sure you also turn off everything but the “bare minimum” – that means Siri and all. I used to send commands back in the day to random people walking around with headphones (Apple pods are actually easier) and send a resonant radio frequency with an inaudible list of commands to Siri. Because this uses your phone headset and chances are you are listening to music or other, you wouldn’t likely notice that I would be sending remote rf messages to your device, harnessed by your headset or exploited by your Apple pods which permit me to essentially “put voices in Siri’s head to do as my bidding”.

  • tariq

    People who buy Apple over Android because of security reasons will be disappointed to hear this.

    • Antonakis Kipouros Nikopolidis

      Just wondering, did you read the article before you posted this, or just the title?

      • tariq

        I watched the YouTube video and after bypassing the code he had access to someone else’s phone. Which makes it easy to sell online.

      • Jay

        Accessing the phone allows you to remove the Apple ID? No, so you still can’t sell it easily online. Also, this method only works if you just recently changed the passcode, within 10 min to be exact, so it’s not useful. iPhones are still pretty secure. On Android you just reset the phone and get a user-account bypass USB, much easier than this.

  • Jerry

    Even after someone gets in, they still need to deactivate iCloud to use the device.

    • BlackPantherK

      That’s true, but they are able to extract all information from your phone (photos, messages, notes, etc)

      • electriceyes

        We can already do that with Encase/FTK and SIFT. Those who do forensics for corporate, federal and county/state law enforcement already have this means. iCloud on any device is asking for issues, EXIF data all over your images – social media accounts/posts, map and browser search data. I find mobile devices are a treasure trove during a forensics analysis on an identity and their assigned (or unassigned) assets.