A bug that would allow unlimited incorrect PIN attempts on any iOS device is enough to make a lot of people’s toes curl. Unfortunately, that is what I found when I recently stumbled upon an iPhone lockscreen bug allowing me to do just that.

On the 28th September 2014 I raised a bug with Apple, which was later assigned the ID CVE-2014-4451. Now that this has been patched in the latest iOS 8.1.1, I am able to release the details of how the bug was exploited. At this stage I do not have any devices running any iOS earlier than 8.0 and am therefore unable to test whether this affects earlier releases of the operating system.

The steps to reproduce are demonstrated in the following video I placed on YouTube:

 

I have yet to discover if this affects devices running iOS 7 or earlier. If you have one of these devices and are able to demonstrate that the issue also occurs on that release of iOS, please leave a comment here and let me know.

I hope that this information helps users become aware that they should stay up to date with the latest release of software wherever possible to protect themselves against such bugs.

I thank Apple for working diligently to resolve the bug as quickly as possible.

Stuart

[[Update]]

Thanks to @DarthNull on Twitter, we now know this goes back at least as far as iOS 6.