There is no perfect protection - there are only different degrees of reliability. This also applies to iPhones.
We recently explained how important it is to use an alphanumeric lock passcode instead of the standard 6-digit one in iOS. But that is just the tip of the iceberg; underneath lies the real hardcore stuff.
We'll tell you how iPhone locks get bypassed and whether you can protect yourself from it.
Disclaimer: This article is not intended to help unlock stolen iPhones. You can test all the methods described below at your own risk.
How iOS passcode protection works, briefly
If you enter the wrong passcode 10 times, the device will be locked. After the first 5 attempts you will have to wait 1 minute, and after that the wait before the next attempt increases.
If you realize that you can no longer remember the password, Apple suggests erasing all data from the device. This is quite OK if you have a backup. Read about three simple ways to save data here.
You can only remove a passcode from an iPhone or iPad using a computer (instructions are on the Apple website). If you don’t have a PC, an authorized service center or retail store can do it for you.
What should I do if Find My iPhone was turned on on my iPhone and now it's locked?
This is the most dangerous situation. Suppose you bought an iPhone secondhand and the previous owner did not unlink it from his Apple ID. When you tried to restore the phone, everything got blocked. In this case it is best to contact the owner so that he can remove the lock. If that is not possible, you need to contact an Apple service center with the receipt, or send the documents by e-mail to the company's American office through the official website.
To avoid ending up in this awkward situation, when buying an iPhone we advise checking whether it is linked to iCloud; this can be done on the iCloud website, in the Activation Lock section. The check is carried out by IMEI.
The VoiceOver bypass of the lock only works on devices with firmware older than iOS 7.1 (the iPhone X already ships with iOS 12). And the phone will then not work on mobile networks.
But this function protects owners from thieves very well. With one tap of a button, you can make the gadget completely useless to a thief.
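As an added example (not part of the original article), here is how to sanity-check an IMEI before typing it into any lookup form. A real IMEI is 15 digits whose last digit is a Luhn check digit, so a mistyped or invented number can be rejected locally before it is sent anywhere. The sample numbers in the block are constructed test values.

```python
"""Sanity-check an IMEI before using it in a lookup.

Added example, not from the article. It applies the Luhn check digit that
real IMEIs carry as their 15th digit, so a mistyped or made-up number is
rejected before it is sent anywhere. The sample numbers in main() are
constructed test values.
"""
import re

IMEI_RE = re.compile(r"^\d{15}$")


def normalize_imei(raw: str) -> str:
    """Strip spaces, dashes and the like, keeping digits only."""
    return re.sub(r"\D", "", raw)


def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a string of digits (the first 14 IMEI digits).

    Starting from the rightmost payload digit, every second digit is doubled
    (with 9 subtracted if the result exceeds 9); the check digit is whatever
    makes the total a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(raw: str) -> bool:
    """True if the number is 15 digits and its check digit matches."""
    imei = normalize_imei(raw)
    if not IMEI_RE.match(imei):
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(raw: str) -> dict:
    """Break a valid IMEI into its documented fields: TAC (8 digits, identifies
    the model), serial (6 digits) and the check digit."""
    imei = normalize_imei(raw)
    if not is_valid_imei(imei):
        raise ValueError("not a well-formed IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


if __name__ == "__main__":
    # Constructed samples: a well-known valid test IMEI (with separators),
    # the same number with its last digit changed, and a too-short string.
    for sample in ("49-015420-323751-8", "490154203237519", "12345"):
        print(sample, "->", "valid" if is_valid_imei(sample) else "rejected")
```

A passing check only says the number is well-formed; whether the device is actually linked to an Apple ID still has to come from the Activation Lock check described above.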
iOS passcode protection works worse in DFU mode
DFU (Device Firmware Update) is a special mode that gives access to the engineering menu, allows you to restore the firmware, and so on. The trick is that DFU has no restriction on the number of passcode attempts.
So, if you set your mind to it, you can brute-force the code and unlock the smartphone. If you are too lazy to enter the numbers by hand, you can buy a gadget for automatic guessing for $500 (they have already become cheaper). There are also more professional systems, and they cost much more.
Let's see how the professionals do it. For educational purposes, of course.
Installing new firmware via DFU mode on an iPhone if you forgot your passcode
If a soft restore does not help, the only remaining option is a hard reset with new firmware. This is done in DFU mode. To enter it on the iPhone 6 and 6s, press the Home and Power buttons at the same time and hold them for 10 seconds.
For iPhone 7 and 7 Plus, the procedure is different:
- Connect your phone to iTunes.
- Press and hold the volume down and power buttons until the phone turns off. Release only the Power button.
- In DFU mode, the screen should be black, without the iTunes icon.
- On the computer, the program will offer to check for updates; after you click “Check”, it reports that the phone is in recovery mode. Click OK and reinstall the firmware (it’s better to download it in advance).
How to bypass Face ID
When Face ID first arrived on the iPhone X, it was full of holes. Apple claimed that even twins could not bypass the facial recognition system.
But something went wrong. Face ID sometimes mistook children for their parents. And one customer returned her smartphone to the store twice: it persistently confused her with a colleague. All in all, the system was inconvenient and unsafe.
The Vietnamese company Bkav spent only $150 to create a dummy mask for Face ID. The base was 3D-printed, the nose was made of silicone, and the eyes and mouth were printed and glued onto the model.
Face ID mistook the mask for the owner.
This was soon fixed. But in August 2022 an even more entertaining way to unlock it was found. Tencent researchers showed how to fool Face ID using ordinary glasses and duct tape.
When attention detection is enabled, your iPhone regularly checks whether you are looking at the screen. But if you are wearing glasses, Face ID does not read 3D information in the eye area; the system just sees dark areas with white dots.
So if you are asleep or unconscious, your smartphone is easy to unlock. The specialists simply stuck squares of electrical tape with dot-shaped slits in the middle onto a pair of glasses and put them on a “sleeping” colleague. His iPhone unlocked successfully.
The hole has since been closed. But a bad aftertaste remains.
Try again in 15 minutes
The first thing to do if your iPhone is locked after fewer than 10 wrong code entries is to wait out the time shown on the screen. The message “iPhone is disabled, try again in 15 minutes” counts down every minute, so you can see how many minutes are left.
Even though the iPhone is disabled, it allows you to make calls to emergency numbers. To do this, press the SOS button at the bottom of the screen.
The code cannot be entered until the time shown on the screen has expired. Wait until the countdown ends (the phone updates the message every minute), then enter the correct passcode.
After the waiting period, the screen returns to the normal numeric keypad and you can try again. Be careful: if you make a mistake again, you go back to a waiting period.
In future, try to enter the correct code on the first attempt to avoid locking the device.
How fingerprints are faked
Touch ID hashes fingerprint scans and stores the hashes in the Secure Enclave, a protected area separate from the main storage.
When you try to unlock your iPhone with your fingerprint, Touch ID compares the new scan with the data in the Secure Enclave. The decoded fingerprint is held only in RAM, and only immediately after scanning.
Of course, this is much better than scanned images in ordinary folders (some Chinese devices were guilty of that). But... the first-generation Touch ID could be fooled with a sheet of paper carrying a fingerprint printed at 2400 dpi. If you have an iPhone 5s, try it; it might work.
Moreover, the fingerprint can be lifted straight from the screen. And not only to unlock an iPhone with an old scanner, but also to prevent the current owner from erasing data from it.
It's more difficult with newer models. You need a 3D printer, a material the smartphone will mistake for human skin, and a fairly accurate 3D model of the finger. And you have a limited number of attempts.
Biometric identification expert Anil Jain and his colleagues at Michigan State University developed a technique for producing such “fake fingers” from electrically conductive silicone and pigments. The fakes had the same mechanical, optical and electrical properties as real human fingers.
Formally, the technology was meant to improve the reliability of scanners. But it all depends on whose hands it ends up in.
Other researchers, having only a good photo of the finger of German Defense Minister Ursula von der Leyen, made a 3D model of it. They didn't need the finger itself: the fingerprint was cropped from a high-resolution photograph.
The minister agreed to take part in the experiment. As a result, she herself proved that the method really works.
Removing Activation Lock
The previous owner of the gadget did not sign out of iCloud and your iPhone 7 is locked? With VoiceOver the problem becomes solvable.
- During the initial setup of the device, enter emergency call mode and dial the combination 112. Use the Power key to cancel the call.
- Create a new contact, then press the Home button three times to bring up VoiceOver.
- Add the created contact to the block list twice.
A friend found an iPhone 7 Plus and wanted to know how to unlock it, but he was not satisfied with the answer: it is impossible to bypass Activation Lock in this case, since Apple’s protection will not let a stranger into the device.
How to gain access through a single message
Security researchers Natalie Silvanovich and Samuel Groß from Google Project Zero showed how CVE-2019-8641 gives access to passwords, messages and e-mail. It also allows the camera and microphone on the iPhone to be turned on.
Project Zero searches for vulnerabilities in the products of Google and its competitors. The researchers said that if you know the victim's Apple ID, it is enough to send the victim a specially crafted message.
iOS has built-in ASLR (address space layout randomization), which makes some vulnerabilities harder to exploit. It changes where important data structures sit in the address space: for example the stack, the heap, loaded libraries and executable images.
Silvanovich and Groß found a way to bypass ASLR. Using it together with five other vulnerabilities they found, the researchers achieved arbitrary code execution on the iPhone. On the black market, information about these bugs would cost about $10 million.
The good news: the main and most complex vulnerability, CVE-2019-8641, was fixed in iOS 12.4.2 in September 2022. The bad news: no one knows how many more similar holes there are. And the statistics are not encouraging.
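To make the ASLR explanation above concrete, here is an added example (not from the article or from Project Zero) that shows the effect from the defender's side. It starts a fresh interpreter several times, records the address of a C library function (malloc) and of a heap object in each one, and reports whether those addresses move between processes. With ASLR on they differ from run to run, which is exactly why an exploit needs a separate information leak before it can use any address; with ASLR off they repeat. It assumes a Unix-like host where ctypes can load the C library.

```python
"""Observe address space layout randomization from Python.

Added example, not from the article. Each probe spawns a new interpreter
process, reads the address of the C library's malloc and of a freshly
allocated heap object, and the report says whether those addresses change
between processes. Assumes a Unix-like host where ctypes can load libc.
"""
import subprocess
import sys

# Small program executed in each child process; it prints two integers.
PROBE = r"""
import ctypes, ctypes.util
libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
malloc_addr = ctypes.cast(libc.malloc, ctypes.c_void_p).value
heap_addr = id(bytearray(64))   # CPython allocates objects on the heap
print(malloc_addr, heap_addr)
"""


def probe_addresses() -> tuple:
    """Run the probe in a new process; return (libc malloc address, heap object address)."""
    result = subprocess.run(
        [sys.executable, "-c", PROBE], capture_output=True, text=True, check=True
    )
    malloc_addr, heap_addr = result.stdout.split()
    return int(malloc_addr), int(heap_addr)


def aslr_report(runs: int = 3) -> dict:
    """Collect addresses from `runs` fresh processes and flag whether they vary."""
    samples = [probe_addresses() for _ in range(runs)]
    libc_addrs = [s[0] for s in samples]
    heap_addrs = [s[1] for s in samples]
    return {
        "libc": libc_addrs,
        "heap": heap_addrs,
        # A single distinct value across runs means the layout is predictable.
        "libc_randomized": len(set(libc_addrs)) > 1,
        "heap_randomized": len(set(heap_addrs)) > 1,
    }


if __name__ == "__main__":
    report = aslr_report()
    for region in ("libc", "heap"):
        print(region, [hex(a) for a in report[region]],
              "randomized:", report[f"{region}_randomized"])
```

Running it on a machine where ASLR has been disabled (some debugging setups do this) prints identical addresses every time, which is the situation an attacker hopes for and a hardening check should flag.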
Unlocking your account
If a user repeatedly enters the password incorrectly, answers the security questions wrongly or behaves suspiciously, Apple reserves the right to terminate the account. The same thing happens when the device owner has forgotten the account username or password. To recover it, go to the password reset page. You will have to confirm the owner's identity; the easiest way is two-factor authentication, an e-mail or a code request to a personal phone number. The user can also recover the password by requesting identification through the answers to the security questions. To do this, also go to the password recovery page: in the sign-in form, click the link “Forgot your Apple ID or password?”. Select “Password Reset” and tick the appropriate box.
How to bypass the lock using voice commands
If you still haven't updated to iOS 12, we have bad news: Siri will “help” unlock your iPhone.
Just invoke the voice assistant from the lock screen and ask it to turn on VoiceOver. After that, a scammer can call your iPhone, choose the reply-with-message option on the screen during the call and press the “+” key.
The next step is sending a special message to the victim's smartphone. With VoiceOver active, this triggers a system error and gives access to the messaging interface and the list of recently dialed contacts, including their full details.
To protect against this, prevent Siri from being invoked from the lock screen: this is done in “Settings” - “Touch ID & Passcode” - “Allow Access When Locked”.
Unlock your smartphone using a charger
How do you restart an iPhone without the top button? Without a working button this is still quite easy and doesn't take much time; a forced restart is a little harder. So, here is how to wake your iPhone without the button, using only a USB cable.
The procedure is as follows:
- Connect the device with a USB cable. This must be the original cable that came with the phone. If it hasn't survived, buy an original cord; as a last resort, use an expensive, good-quality cable with proper wires. Then connect the cable to the computer.
- Then wait for the screen to turn on. If the battery is dead, you will have to wait a little while it charges; this takes no more than ten minutes.
- Once the screen lights up, just move the slider to unlock.
How smartphones are hacked using ultrasound
Researchers from Washington University in St. Louis, the University of Michigan and the Chinese Academy of Sciences have shown that voice assistants can be activated even with ultrasound.
The scientists used a piezoelectric transducer that transmitted voice commands as ultrasonic waves. The signal was sent through hard surfaces, for example through the table on which the smartphone was lying.
The human ear cannot hear ultrasound, but a smartphone responds to such frequencies. A hard case is no obstacle: on the contrary, the thicker and denser it is, the better it carries the signal.
Using ultrasound, the scientists were able to send SMS, make calls and reach basic functions. The method worked not only on the iPhone: Xiaomi, Samsung and Huawei models were also attacked.
But if you put the smartphone on something soft, the method does not work. It also does not give a full unlock. In addition, Siri and other assistants can be made to recognize the owner's voice so that they do not respond to other people.
How to reset the remaining minutes counter
If you have a trusted computer at hand, one you previously paired with the now-disabled iPhone, you can connect them by cable and sync them. This resets the minute counter in the “try again in X minutes” message.
After you press the sync button, the minute counter is reset and you can enter the correct passcode. You do not need to wait for the sync to finish; you can interrupt it right after it starts.
Unfortunately, this will not revive a phone that is locked outright.
How Cellebrite technology is used
Motherboard journalists collected records of 516 warrants for extracting data from iPhones in 2022. In 295 cases, information was retrieved.
The point here is less about technical difficulties and more about hacking budgets and the seriousness of the case. Those who have access to Cellebrite and GrayKey are much closer to success.
Specialists at the Israeli company Cellebrite are ready to crack an iPhone passcode within 24 hours, but only if they receive the smartphone itself. What they do with it and how they extract the information, the specialists do not say.
In addition, they sell UFED (Universal Forensic Extraction Device, a universal device for extracting data under a court order) and other similar products: equipment, software, cloud solutions, cyber kiosks.
The technique only works with a direct connection to the manufacturer’s server. Formally, this is needed to verify the license and control the lawful use of the hacking solution.
Cellebrite devices are sold relatively freely. The price tag for the “hardware + software” set starts at $15 thousand. But on eBay and other auctions you can buy an outdated model for next to nothing; of course, it won’t cope with new iPhones, and the license may have expired.
For reference: in 2016, Cellebrite received $1 million for hacking the iPhone 5c of the San Bernardino shooter. Back then, iOS didn’t even use encryption, and the smartphone did not have a fingerprint scanner.
And however Apple protects its devices, soon after the release of new firmware Cellebrite works out the master keys for it. This takes from a few days to a couple of months.
Data is pulled from the smartphone’s memory, SIM cards and memory cards.
How does Cellebrite find holes in iPhone security? Company employees, like hackers, are constantly hunting for dev-fused units, the working prototypes of smartphones.
A dev-fused unit usually has no OS installed, only the Switchboard engineering menu and individual components. Or the manufacturer left various loopholes in the software for testing. This makes it easier to reverse engineer the device and find zero-day vulnerabilities that the developers are unaware of.
It is impossible to get prototypes out of Apple's laboratories. It is easier to get them from contract assembly plants such as Foxconn.
Employees sell components, often without knowing their real price. One can understand them: at best, assembly workers earn a couple of tens of dollars for irregular working hours.
Via iCloud
This method is relevant if the user previously enabled “Find My iPhone”. To unlock the device, follow the instructions:
- Go to https://www.icloud.com/#find. You can use any available device with Internet access - smartphone, tablet, laptop.
- Enter your Apple ID.
- After signing in, click “All Devices” at the top of the screen. A list of available devices appears; choose the one you want to unlock.
- Click “Erase” to delete all data from the phone. The passcode the user cannot remember is erased along with it.
- If everything is done correctly and you managed to sign in to your account, access to the phone is restored. To get your data back, use a backup.
Important! For the method to work, Wi-Fi or mobile Internet must be turned on on the phone.
How GrayKey works
GrayKey is developed by Grayshift from Atlanta, USA. The company was founded by a former Apple security engineer.
Grayshift supplies its solutions only to law enforcement agencies in the United States and Canada, without exception.
The device can brute-force the unlock code on an iPhone. With its help, for example, an iPhone 11 Pro Max was cracked in January.
GrayKey is roughly as fast as Cellebrite. A 4-digit code can be cracked in 11 minutes, a 6-digit code in 11 hours, and a 10-digit code in decades (but who uses one?!).
By the way, at the end of 2022 GrayKey went up in price. The increase was explained by the appearance of new technologies protecting iOS from hacking and, accordingly, a new revision of the device, GrayKey RevC.
A license for the online version of the tool costs $18 thousand for 300 hacks per year; previously it cost $15 thousand. The offline version still costs $30 thousand, with no restriction on the period of use.
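The cracking times above, the lockout schedule described at the start of the article and the "no attempt limit in DFU mode" point all come down to the same arithmetic: keyspace divided by guessing rate. The following added example (not from the article or from any vendor) turns the article's figures into a reusable calculation: it derives the guesses-per-second implied by "4 digits in 11 minutes" and "6 digits in 11 hours", applies those rates to longer and alphanumeric passcodes, and contrasts them with what the on-device lockout permits. The lockout schedule in the block is an assumption; the article only states that the first wait is 1 minute after 5 failures and that later waits grow.

```python
"""Passcode keyspace and lockout arithmetic.

Added example, not from the article. It derives guessing rates from the
article's GrayKey figures, estimates worst-case cracking time for passcodes
of different shapes, and models the on-device lockout. The lockout schedule
below is an assumption: only the "5 failures -> 1 minute" entry comes from
the article; the later waits are illustrative.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guesses per second implied by the article's figures, read as the time
# needed to try every code in the keyspace (worst case for the attacker).
RATE_FROM_4_DIGIT = 10**4 / (11 * 60)     # ~15 guesses/s
RATE_FROM_6_DIGIT = 10**6 / (11 * 3600)   # ~25 guesses/s


def charset_size(passcode: str) -> int:
    """Alphabet size an attacker must assume, from the character classes used."""
    size = 0
    if any(c.isdigit() for c in passcode):
        size += 10
    if any(c.islower() for c in passcode):
        size += 26
    if any(c.isupper() for c in passcode):
        size += 26
    if any(c in string.punctuation for c in passcode):
        size += len(string.punctuation)  # the 32 ASCII punctuation characters
    return size


def keyspace(passcode: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(passcode) ** len(passcode)


def seconds_to_exhaust(passcode: str, rate: float = RATE_FROM_6_DIGIT) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(passcode) / rate


def describe(seconds: float) -> str:
    """Human-readable duration, rounded to the nearest whole unit."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


# Assumed lockout schedule: failed attempts -> wait (minutes) before the next one.
LOCKOUT_MINUTES = {5: 1, 6: 5, 7: 15, 8: 60, 9: 60}
WIPE_AFTER = 10  # the article: the device is locked after the 10th wrong entry


def lockout_wait_seconds(failed_attempts: int):
    """Wait before the next entry is accepted, or None once the device locks.

    In DFU mode, as the article describes it, this function would simply be 0
    for every attempt: the lockout is a lock-screen feature.
    """
    if failed_attempts >= WIPE_AFTER:
        return None
    return LOCKOUT_MINUTES.get(failed_attempts, 0) * 60


def lockout_budget() -> tuple:
    """(guesses the lock screen permits before locking, total wait in seconds)."""
    total_wait = sum(
        lockout_wait_seconds(n) for n in range(1, WIPE_AFTER)
    )
    return WIPE_AFTER - 1, total_wait


if __name__ == "__main__":
    for code in ("1234", "123456", "1234567890", "k9!Tr4v", "correct-horse-7"):
        print(f"{code:>16}: keyspace {keyspace(code):.2e}, "
              f"worst case {describe(seconds_to_exhaust(code))} at ~25 guesses/s")
    guesses, wait = lockout_budget()
    print(f"lock screen: {guesses} guesses, {wait / 60:.0f} min of enforced waiting")
```

The contrast is the point: the lock screen allows nine guesses in a couple of hours, while an unthrottled path at 25 guesses per second exhausts a 6-digit code in the 11 hours the article quotes and a 10-digit one in about a decade, which is why the article's earlier advice to use an alphanumeric passcode matters: a 7-character mixed passcode at that rate is out of reach for thousands of years.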
Unknown error when connecting to iTunes
Some users find that the iPhone does not connect to iTunes and shows error 0xe8000015 while the phone is locked. There may be several reasons for this:
- The problem is the cable connecting your iPhone to the computer: try a different port or cable.
- Old version of iTunes: update the program to the latest version and restart the smartphone.
- On Windows, open Device Manager -> USB Controllers, right-click Apple Mobile Device USB Driver, update it and restart the computer.
- Try another computer, since this error is caused by a software conflict.
Usually updating iTunes or the drivers allows the iPhone recovery through iTunes to complete. If that is not your case, restore the phone through Find My iPhone in iCloud.
How does the MagiCube bought by the Investigative Committee work?
Two years ago, the BBC wrote about mysterious MagiCube gadgets from China. Experts said: if GrayKey and Cellebrite take a day to hack an iPhone, the Chinese magic does it in just 9 minutes.
The iDC-8811 Forensic MagiCube “suitcases” were developed by Xiamen Meiya Pico Information in July 2022. It was also reported that MagiCube is “tailored” to pulling data out of instant messengers. That, they say, is where the most valuable information is.
Additional software was purchased for the analysis: the iDC-4501 system for analyzing data from mobile devices and IFM-2008 Forensics Master for data from PCs.
In total, 5 million rubles went on hacking tools. These are two government purchases: 2 million rubles for the Military Investigation Department of the Russian Investigative Committee for the Central Federal District, and another 3 million for the Military Investigative Department for the Eastern Federal District.
Xiamen Meiya Pico Information is not just another no-name. The company is genuinely one of the leaders in the electronic forensics device segment in China, with more than 20 years on the local market and about 10 years on the international one.
But there are inconsistencies. Firstly, the iDC-8811 Forensic MagiCube is simply a hard-drive duplicator running Windows 7. It can copy data and examine it, and only if the media is physically connected to the “cube”. The solution cannot get into your smartphone remotely.
At the time of purchase (July 2018), iDC-4501 could only work with iPhones running iOS 10.0–11.1.2, that is, without the latest updates (iOS 11.1.2 was released in November 2017).
And most importantly: this system does not brute-force the iPhone passcode. That still has to be obtained with GrayKey or Cellebrite tools.
Admittedly, UFED 4PC Ultimate from Cellebrite also had to be bought. It includes everything you need, including UFED Physical Analyzer for deep decoding of information from mobile devices.
Restoring without keeping data - reflashing
The whole process is fiddly, but if you follow the instructions carefully, unlocking an iPhone 7 or 7 Plus will not take much effort. Choose the site you download from with care: planting a virus on your phone and bricking it is a much simpler task than updating the firmware.
- Download to your PC the firmware that matches your gadget, a file with the .ipsw extension.
- Open File Explorer, find the downloaded .ipsw file and move it to the iPhone Software Updates folder.
- Open iTunes and Ctrl-click “Restore iPhone”. Select the downloaded file in the window that appears and wait for the flashing to finish. Unlocking the iPhone 7 happens together with wiping all information from the device.
Advice
If you do not have the password for your Apple ID account, all attempts to gain access to the gadget will be futile. To recover it, follow the instructions:
- Go to https://appleid.apple.com/#!&page=signin.
- At the bottom of the page, click “Forgot...”.
- Enter your ID, then “Continue”.
There are several ways to reset your password. If you choose a security question, enter the answer and reset the password. A link to restore access can be sent to the e-mail associated with the account. The procedure can also be performed from another Apple device. If the user has enabled two-step verification, he must additionally enter the code sent to his phone.