Apple's iCloud security feature in OSX is bypassed in just 70 lines of code

If there is anything the tech world has learned about security, it's that four-digit PINs are fundamentally unsafe. Combine that with a poorly managed security foundation, and what you have is an open invitation for brute-force attacks. Unfortunately, this is what Apple has done with their iCloud implementation. If an Apple computer is remotely locked by an iOS device, the user needs to enter a 4-digit PIN chosen in the Find My Mac app in order to unlock the machine.

A Github user by the name of knoy has uploaded iCloudHacker: it's only about 70 lines of Arduino code that doesn't just make it ridiculously straightforward to brute-force your way through the Find My Mac lockout, but also dances around the surprisingly lackluster security controls that Apple had tried to implement. The coder reports that it has been successfully tried and tested on 2010 & 2012 13" MacBooks.

The code in this program isn't doing anything fancy or special, nor is it exploiting something behind the scenes. It merely simulates a mouse and keyboard via USB and proceeds to enter PINs the same way any normal user would. Don't get comfortable, however: this is worse than if it were using some obscure exploit. It means the same method can be repeated by anyone simply entering PINs over and over again, and, more importantly, that they are allowed to do so without the OS stopping them.

Rather than waiting for the 5 minute lock-out to expire before having another attempt, it's quicker to just reboot

The first thing the program does upon boot is wait 5 seconds for the WiFi pop-up; it then moves the mouse cursor over to the pop-up and closes it. It then starts looping through the possible PIN combinations until it eventually hits a one minute security lockout, which makes the user wait before being able to guess again. At this point the program, just like a normal user, waits for one minute before continuing. Eventually it hits another security lockout, this time for five minutes. Rather than wasting time waiting, the program simply moves the mouse cursor over to the restart button, restarts the computer, and starts all over again. Rebooting returns the computer to a completely clean state, as if the brute-forcing a moment ago had never taken place: the lockout counter is not persisted across reboots.

The coder suggests that the maximum time it would take to brute-force any machine would be 60 hours. When it's finally done, it starts flashing the LEDs to tell the user that it has successfully brute-forced its way in.

This implementation, however, is fairly simple: it tries PINs in sequence and doesn't account for the many years of research into how people actually choose PINs. For example, if we look at the research undertaken by Datagenetics, we learn some very startling facts about 4-digit PINs:

  • Just 20 combinations account for 26.83% of all 4-digit PINs in use.
  • The most popular PIN is 1234, which accounts for 10% of all PINs in use, meaning that 10% of all machines could be cracked in a single guess.
  • 20% of PINs are just 5 combinations, meaning that 20% of machines could be cracked in just 5 guesses.
  • 50% can be cracked in 426 guesses.
  • Repeated-pair couplets of numbers in a format such as XYXY (i.e. 1212, 2323, 5454, 0808) account for 17.8% of all observed PINs.

The code could easily be modified to account for the above and more, and there are hundreds if not thousands of text files out in the wild which already list 4-digit PINs in order of likelihood.

When looking at this issue we have to keep in mind that what is happening here is in fact significant, no matter how insignificant or time-consuming it might appear. The significance isn't in the type of attack itself, or in what the attack does, but in the false sense of security users have regarding their Apple MacBooks and desktop computers.

So how can this be fixed? Easy. Among others, the first improvements that come to mind are:

  • Increase the minimum number of digits to six. An increase to just five digits multiplies the number of possible combinations by ten, and an increase to six digits multiplies it by 100.
  • Require the use of symbols and letters, with support for both lower- and uppercase letters.
  • Introduce persistent records of previous unsuccessful attempts, so that a reboot does not reset the lockout.
  • Require MacBook-initiated two factor validation.
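The lockout sequence described above and the "persistent records" fix can be put side by side in a simulated-clock model. This is an added example, not code from the article or from iCloudHacker; the guess time, reboot time and the number of failures before the one-minute and five-minute lockouts are assumptions, not Apple's real values.

```python
# Added example, not code from the article or from iCloudHacker: a simulated-clock
# model of the lockout sequence described above, comparing a failure counter that
# a reboot wipes with one persisted across reboots. Every threshold is an assumption.

GUESS_SECONDS = 1      # assumed time to type and submit one PIN
REBOOT_SECONDS = 60    # assumed reboot plus dismissing the Wi-Fi pop-up
SOFT_THRESHOLD = 5     # assumed failures before each guess costs a 1-minute wait
HARD_THRESHOLD = 10    # assumed failures before each guess costs a 5-minute wait
SOFT_PENALTY, HARD_PENALTY = 60, 300
TOTAL_PINS = 10_000    # 0000 .. 9999

def penalty_seconds(failures):
    """Lockout owed after a failed guess, given the failures recorded so far."""
    if failures >= HARD_THRESHOLD:
        return HARD_PENALTY
    return SOFT_PENALTY if failures >= SOFT_THRESHOLD else 0

class FailureCounter:
    """Counter kept only in RAM: a reboot wipes it, the flaw the article describes."""
    def __init__(self):
        self.failures = 0
    def record_failure(self):
        self.failures += 1
    def reboot(self):
        self.failures = 0

class PersistentFailureCounter(FailureCounter):
    """Same counter, written through to storage a reboot cannot wipe (NVRAM in
    real firmware; a dict stands in for it here) and restored on boot."""
    def __init__(self):
        self.nvram = {"failures": 0}
        self.failures = 0
    def record_failure(self):
        self.failures += 1
        self.nvram["failures"] = self.failures   # write-through on every failure
    def reboot(self):
        self.failures = self.nvram["failures"]   # RAM is lost, the store is not

def worst_case_seconds(counter):
    """Seconds to try every PIN once, rebooting (as in the article) instead of waiting out the 5-minute lockout."""
    clock = 0
    for _ in range(TOTAL_PINS):
        clock += GUESS_SECONDS
        counter.record_failure()
        penalty = penalty_seconds(counter.failures)
        if penalty == HARD_PENALTY:
            clock += REBOOT_SECONDS
            counter.reboot()
            penalty = penalty_seconds(counter.failures)  # still owed if the count survived
        clock += penalty
    return clock
```

With these assumed thresholds the RAM-only counter lets all 10,000 PINs be tried in about 103 simulated hours, while the persisted counter pushes that to roughly 1,000 hours; the exact figures follow from the assumptions, not from Apple's firmware.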

Although this method isn't new or revolutionary, it comes at a very bad time for Apple, as just over a week ago there was a disastrous vulnerability in iOS and OSX regarding SSL, which was followed with a discovery of an iOS vulnerability that allowed full background monitoring.

Source: Github

41 Comments

I have a 4-digit PIN on my Windows 8 login, so clearly it's a popular method

While it might be easy to bypass the iCloud lock, if I am clever enough to require a username and password to get into my machine, I'm still secure(ish).

And don't think that formatting the drive will help as I once had a visit from the police who had got my details from Apple when a laptop had been stolen and the id matching mine logged into iCloud. Turns out the id was a digit out but at least they were trying to find the stolen laptop which is more than would happen on other laptops.

In summary, not great, but again not the earth-shattering doom and gloom suggested in this article.

I don't understand why they opted for a PIN. Use a real password and this method is killed. Only allow an unlock if you do a full login to your iCloud account.

It's a pretty straightforward fix for Apple. The feature itself is a great idea, and the implementation is pretty good... but any security feature is only as secure as its weakest point, and a PIN with only 9999 possibilities is bound to be the weakest point in any security system.

This doesn't have to be an issue if Apple fixes it quickly.

Simon said,
I don't understand why they opted for a PIN. Use a real password and this method is killed. Only allow an unlock if you do a full login to your iCloud account.

The PIN is in addition to the password lock. You have to do a PIN unlock and a full login to Mac OS X. (The login for Mac OS X may or may not be tied to iCloud credentials, it's up to the user)

But once you have the PIN, there isn't really anything stopping you from reinstalling a different OS, as far as I know. The PIN itself locks down the hardware.

And why would you only use a 4-digit PIN? It's not any harder to remember a 6, 7, 8 digit PIN... 4-digit PINs have been known to be weak for a long time

iCloud lock is a pretty flawed system. This is not the only way to bypass it, and other methods are faster and less hassle than this. It also doesn't do anything to protect your data.

That said, as an anti-theft tool, it's still more valuable to have it there than not have it there.

Seems like they could improve it by disabling the USB ports while locked and/or having some kind of captcha that needed passing as well. Or allowing it to be locked with an actual password.

Or develop software with security in mind. This is exactly what UAC and secure desktop is designed to prevent in Windows, applications impersonating the user for security purposes.

I fail to see how disabling the USB ports would be helpful, when you need them so you can use the keyboard to actually type the pin in. Having a CAPTCHA is also somewhat unnecessary.

I will add a disclaimer: I've never seen this in action, nor do I use apple products, but this just seems like a completely ridiculous "security" method for a computer.

I disagree. It's better to have nothing than a flawed system, because then the user would be more proactive in managing their stuff, including enabling things like hard drive encryption.

Imagine being a bank owner and told that you have a giant lock on your safe, but not told that the door doesn't actually lock. It would be a million times more useful to know that it doesn't lock so you can take measures to counteract that.

Ideas Man said,
Or develop software with security in mind. This is exactly what UAC and secure desktop is designed to prevent in Windows, applications impersonating the user for security purposes.

I fail to see how disabling the USB ports would be helpful, when you need them so you can use the keyboard to actually type the pin in. Having a CAPTCHA is also somewhat unnecessary.

I will add a disclaimer: I've never seen this in action, nor do I use apple products, but this just seems like a completely ridiculous "security" method for a computer.

If someone steals your laptop you can lock it remotely so the computer can't be used. The lock is in the firmware so you can't do anything until it's unlocked. Replacing/formatting the HDD won't do anything. This feature, combined with FileVault (HDD encryption) turned on is actually quite effective. Disabling USB ports on a laptop isn't an issue and would prevent this kind of brute force attack.

virtorio said,
If someone steals your laptop you can lock it remotely so the computer can't be used. The lock is in the firmware so you can't do anything until it's unlocked. Replacing/formatting the HDD won't do anything. This feature, combined with FileVault (HDD encryption) turned on is actually quite effective. Disabling USB ports on a laptop isn't an issue and would prevent this kind of brute force attack.

What? This is exactly what this is breaking: the remote lock feature. They're brute-forcing their way through it. The other level is to brute-force your way through the EFI password, which has also been achieved.

It could only allow previously recognized USB devices. Every device has a unique identifier. But the easier (and better) fix is just a real password.

As for the UAC name-drop above, couldn't that also be passed by an Arduino that's imitating a mouse? Move mouse to button, click "allow", security bypassed. UAC does nothing if an attacker has physical access to your device, unless you have UAC set to require a password (which it doesn't by default, and to be honest I don't know how to turn it on). OS X also has a similar feature that requires a username and password to do anything significant to the system, and has since its launch, which basically runs based on sudo (which has been around forever).

duoi said,
So how exactly is the user supposed to type in the code if they can't use a keyboard?
What Simon said, plus I mentioned Laptop how many times, which have keyboards.

virtorio said,
iCloud lock is a pretty flawed system. This is not the only way to bypass it, and other methods are faster and less hassle than this. It also doesn't do anything to protect your data.

That said, as an anti-theft tool, it's still more valuable to have it there than not have it there.

Seems like they could improve it by disabling the USB ports while locked and/or having some kind of captcha that needed passing as well. Or allowing it to be locked with an actual password.

It's actually pretty good. Not only does it enforce a separate PIN code lock (the PIN code is chosen at the time of the lockdown; it's not a saved PIN. It's based on what the user chooses and must be entered (and confirmed) before each lock).

Entering the correct PIN code does not give you access to the Mac; you still need to enter the user's credentials to log into the machine. That means if you use FileVault 2 (FDE), no data is decrypted when you enter the PIN correctly.

Huh, I must've missed laptop, it said computer and I was just thinking desktops. Pardon my ignorance.

Simon said,
As for the UAC name-drop above, couldn't that also be passed by an arduino that's imitating a mouse? Move mouse to button, click "allow", security bypassed. UAC does nothing if an attacker has physical access to your device...

If you have physical access to the device, then you have no security.

However, your scenario is flawed in a number of ways:
* The user has already logged in and is operating under their credentials
* Malicious software on the computer cannot override UAC
* (From what I can tell without knowing what you're talking about) For this method to work, the user has to plug said device into the computer to move and click the mouse; there are much easier ways around it than that

This scenario appeared to have a program running that was simulating mouse and keyboard inputs to trick the computer into thinking a user was doing it. On Windows with UAC, a program doing the same thing wouldn't be able to do this, because they're not actually sending the inputs to the secure desktop; the inputs remain in their user session, therefore, they can't simply click "Yes".

You'd probably have to install the program with a much higher privilege level than that of the user to achieve the goal (Simulating mouse and keyboard inputs in UAC), but if this is necessary in the first place, overriding UAC is now a pointless goal because you already have more rights than UAC would give you.

The article said Arduino code, which suggests it's an Arduino plugged into the USB port that's simulating a keyboard.

I hate when idiots tell me Macs are better because they can't get viruses and that they're more secure. Yeah, we'll see how that goes over the next few years.

Entering the pin doesn't bypass the usual login you need to do to get into the system, so I still don't get your point (with regards to how a PC with a user password is more secure).

scorpian007 said,
I hate when idiots tell me Macs are better because they can't get viruses and that they're more secure. Yeah, we'll see how that goes over the next few years.

What do you mean, "over the next few years"? There's plenty of stories floating around these days to prove that point right now.

virtorio said,
So, is a PC laptop that doesn't have any kind of remote locking more secure when someone steals it?

If it's bitlocked, yes. The hard drive is encrypted and cannot be read by another machine or a hacking boot disk.

_dandy_ said,

What do you mean, "over the next few years"? There's plenty of stories floating around these days to prove that point right now.

Plenty floating around now, but it's becoming more and more common. I think it'll become a bigger issue over the next few years as Macs gain more traction and their users think they're invincible from attacks.

I want to meet Apple's HR person who interviewed the people that implemented the security features of iCloud.

This actually has nothing to do with iCloud other than the lock is activated via Find My Mac. The lock itself is local.

Apple is trying to secure their Macs even when people have physical access to the machine. Something which Microsoft says is impossible.

There's an easy fix for this issue too. Just do what the iPhone does and persist the timeout value between reboots. Problem solved.

Rosyna said,
This actually has nothing to do with iCloud other than the lock is activated via Find My Mac. The lock itself is local.

Apple is trying to secure their Macs even when people have physical access to the machine. Something which Microsoft says is impossible.

There's an easy fix for this issue too. Just do what the iPhone does and persist the timeout value between reboots. Problem solved.

When did Microsoft say it's impossible? It's very possible -- depending on who's trying to get in. A bitlocked hard drive and a strong password is nearly impossible to crack.

0nyX said,
I want to meet Apple's HR person who interviewed the people that implemented the security features of iCloud.
HR people scan for keywords on resumes to create a pool of "qualified" candidates. That part is easy to get through; then the pool is passed to the manager who is hiring, and he should be able to pick some qualified people from there. So I would put the blame on the managers, not the HR people.

Yes they are called HR Managers (or hiring managers under HR Dept) unless you think a manager is not a person.

Not a strong start for Apple this year.
What will Apple users' excuse be for these security issues?
"I don't use keyboards or passwords, so this won't work!"

ZipZapRap said,
It was always, always, always a case of security through obscurity, for OSX at least.

With market share picking up though...

Yep. Security has just never been solid, just ignored by hackers...

After that Mac malware a few years ago they re-worded the ridiculous claim on their site "Macs don't get PC Viruses"

I think the biggest problem with Macs and their users is that Apple has built this entire empire of "you are secure because it's a Mac"; as a result, OSX users are incredibly naive about security concerns. I'd actually be really interested in doing a security research paper on social engineering with OSX vs Win and other OSes