iPhone pwned? Researcher says he can unlock iOS without running out of tries

Many, if not most, iPhone users set up numeric lock codes on their iOS devices, for the simple reason that all-digit PINs are a lot easier to type on a mobile phone keypad.

Apple’s default setting demands that you choose at least six digits, although you can go for more if you want – but you can also go down to as few as four digits. (Don’t.)

With just 10,000 different 4-digit possibilities (0000-9999), and 1 million choices with a 6-digit PIN, you’d think that short lock codes would be way too easy to guess, except for two neat features built into iDevices:

  • Each PIN guess takes at least a few seconds to process, so even if a crook could guess forever and type infinitely fast, trying out 1,000,000 codes would take them days or even weeks.
  • You can set up your iPhone to wipe its data automatically after 10 mistakes, in the same way that your mobile phone SIM card will deactivate itself after you’ve entered 10 incorrect unlock codes.

The “10 strikes and you’re out” counter can’t easily be reset, because the data about how many tries you’ve already used up is managed and stored in Apple’s secure enclave, a special, tamper-proof circuit board that also contains the fingerprint scanner.

In theory, the secure enclave forms what’s called an HSM, or Hardware Security Module, designed so that you can’t tweak its contents even if you open up the phone and try to remove the chip to connect it up to hardware of your own and access it directly.
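The two defences just described, the per-attempt delay and the wipe-after-10-strikes counter, are easy to model. The following is an added illustration, not Apple's code and not a description of how the secure enclave is built: the delay is simulated rather than slept, the PIN hash is a stand-in, and the important detail is that the counter is committed before the guess is checked, so interrupting a check cannot win back a try.

```python
"""Simplified model of the iPhone-style PIN brute-force defences.
Constructed example for illustration; NOT Apple's implementation.
Delay and wipe threshold are parameters; time is simulated, not slept."""
import hashlib
import hmac
import os


class PinGate:
    """Attempt counter that is persisted and incremented *before* the
    PIN is compared, so a power cut mid-check cannot reset a strike."""

    def __init__(self, pin: str, max_fails: int = 10, delay_s: float = 3.0):
        self.salt = os.urandom(16)          # per-device salt (constructed)
        self._digest = self._hash(pin)
        self.max_fails = max_fails          # "10 strikes and you're out"
        self.delay_s = delay_s              # seconds per guess, simulated
        self.failures = 0                   # stands in for the enclave's counter
        self.wiped = False
        self.elapsed_s = 0.0                # simulated time spent checking

    def _hash(self, pin: str) -> bytes:
        # Slow hash stands in for the hardware-bound derivation
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000)

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            return False                    # data is gone, nothing to unlock
        self.failures += 1                  # commit the strike FIRST
        self.elapsed_s += self.delay_s      # pay the per-attempt delay
        if hmac.compare_digest(self._hash(guess), self._digest):
            self.failures = 0               # a correct PIN resets the counter
            return True
        if self.failures >= self.max_fails:
            self.wiped = True               # too many mistakes: wipe
        return False


def brute_force_seconds(digits: int, delay_s: float = 3.0) -> float:
    """Worst-case time to exhaust every PIN of the given length if only
    the per-attempt delay remained (i.e. the wipe were switched off)."""
    return (10 ** digits) * delay_s
```

With a 3-second delay, `brute_force_seconds(6)` comes to 3,000,000 seconds, roughly five weeks, which is the "days or even weeks" figure above; the wipe makes the attack moot long before that.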
