Apple Denies Possibility of Brute-Forcing iPhone Passcodes
On Friday, independent security researcher Matthew Hickey reported a potential brute-force attack method targeting passcodes on iPhone and iPad devices. Hickey shared his findings with Apple, and the company responded with an official statement refuting the researcher’s conclusions.
According to Hickey, an attacker could theoretically submit every possible passcode at once by entering all combinations, from 0000 to 9999, as a single line without spaces. The researcher explained that this attack might work because the keyboard input process takes priority over the device’s data-erasure function.
Hickey noted that this attack would only be relevant once the device has been powered on, because more processes are running at that point.
From the beginning, other experts expressed doubts about the attack method described by Hickey. It’s not uncommon for researchers to attract attention by reporting so-called “fake” vulnerabilities.
The tech community awaited Apple’s official response, and the company released the following statement:
“The recently published report about bypassing iPhone passcode protections is incorrect. It is the result of improper testing.”