(Image: file photo)

A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad[1], bypassing the software's security mechanisms.

Since iOS 8 rolled out in 2014[2], all iPhones and iPads have come with device encryption. Often protected by a four- or six-digit passcode, a hardware and software combination has made it nearly impossible to break into an iPhone or iPad without cooperation from the device owner.

And if the wrong passcode is entered too many times, the device gets wiped.

But Matthew Hickey[3], a security researcher and co-founder of cybersecurity firm Hacker House[4], found a way to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3[5].

"An attacker just needs a turned on, locked phone and a Lightning cable," Hickey told ZDNet.

Normally, iPhones and iPads are limited in how many times a passcode can be entered each minute. Newer Apple devices contain a "secure enclave,"[6] a part of the hardware that can't be modified, which protects the device from brute-force attacks, like entering as many passcodes as possible. The secure enclave keeps count[7] of how many incorrect passcode attempts have been entered and gets slower at responding with each failed attempt.

Hickey found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.

"Instead of sending passcodes one at a time and waiting, send them all in one go,"

Read more from our friends at ZDNet