CVE-2014-4451 – Apple iOS bug allowing unlimited incorrect PIN attempts

A bug that would allow unlimited incorrect PIN attempts on any iOS device is enough to make a lot of people’s toes curl. Unfortunately, that is what I found when I recently stumbled upon an iPhone lock screen bug allowing me to do just that.

On 28 September 2014 I raised a bug with Apple, which was later assigned the ID CVE-2014-4451. Now that this has been patched in the latest iOS 8.1.1, I am able to release the details of how the bug was exploited. At this stage I do not have any devices running any iOS earlier than 8.0, and am therefore unable to test whether this affects earlier releases of the operating system.

The steps to reproduce are demonstrated in the following video I placed on YouTube:

 

I have yet to discover if this affects devices running iOS 7 or earlier. If you have one of these devices and are able to demonstrate that the issue also occurs on that release of iOS, please leave a comment here and let me know.

I hope that this information helps users become aware that they should stay up to date with the latest release of software wherever possible to protect themselves against such bugs.

I thank Apple for working diligently to resolve the bug as quickly as possible.

Stuart

[[Update]]

Thanks to @DarthNull on Twitter, we now know this goes back at least as far as iOS 6.

  • Do u

    Did this work on iPad mini first generation with iOS updated version 8.0? Please help.

  • As far as I remember, I believe this was patched in 8.0.1 so it should work on 8.0.

  • Do u

    Thanks StuartCRyan! I have tried to log in unsuccessfully about 9 times, and my iPad mini showed it was disabled for 60 minutes. Then I shut down my iPad mini and it came up with the restarting screen you mentioned in your video. I would like to try to enter the PIN and log in. Before that, I want to know: will the iPad mini remember all nine failed attempts after I restart the iPad? Please advise. Thank you

  • It will remember that it is on the 9th failure. Therefore the next time you put the PIN in, it will likely erase (unless you are able to successfully use the exploit).

    I apologise, but I do not support the use of the exploit as it gets around what was properly intended, hence why I went through the formal processes to have it patched ASAP.

  • Do u

    Thanks StuartCRyan! So all the data on the iPad mini will be totally erased if I enter a wrong password on the 10th attempt, even if it is running an updated iOS 8.0 version? I do not want to lose the data on the iPad mini, but I have never synced it to my computer and have never done any backup (never installed apps for findmyiphone or used iCloud). Please advise the way to do… Many Thanks!!

  • That is correct. If it is updated to a patched version, then on the 10th attempt it will erase.

  • Do u

    After the 9th attempt, my iPad mini showed “the iPad is disabled, Try again in 60 minutes”. Then I tried again but failed on the 10th attempt. I thought I was totally locked out, but the iPad mini showed the same message to try again in 60 minutes. I unlocked the iPad mini on my 11th attempt with the correct password. I checked, and my iPad mini is on version iOS 8.4. Thanks for all the advice here! Thanks Stuartcryan!

  • Hi Everyone,
    I am receiving the occasional request for me to assist with using this exploit. I do not condone the use of this, and for that reason disclosed the issue confidentially to Apple until such time as they could create a patch.

    Therefore, I will not be providing assistance with utilising this exploit on older phones/hardware.

    Kind Regards,
    Stuart