VYPR
Unrated severity · NVD Advisory · Published Apr 10, 2015 · Updated May 6, 2026

CVE-2015-1107

Description

In iOS before 8.3, the Lock Screen fails to properly enforce the passcode erase-after-attempts feature, enabling brute-force access by a physically proximate attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2015-1107 affects the Lock Screen component in Apple iOS versions prior to 8.3. The software does not correctly implement the erasure feature that should trigger after a configurable number of incorrect passcode-authentication attempts. This allows the passcode attempt count to be reset or bypassed, enabling continued guessing beyond the intended limit. Affected devices include iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later running iOS before 8.3 [1].

Exploitation

An attacker with physical proximity to a locked device can exploit this vulnerability by repeatedly entering incorrect passcodes. The erasure mechanism, designed to wipe the device after a specified number of failures (e.g., 10 attempts), does not activate as intended. The attacker can therefore make many passcode guesses without triggering the data-erasure safeguard, increasing the chance of guessing the correct passcode via brute force [1].

Impact

A successful brute-force attack yields full access to the device, including all user data protected by the passcode. This constitutes a breach of confidentiality (disclosure of sensitive data on the device) and a compromise of integrity and availability (the device's security policy is circumvented). The attacker gains the privileges of the device owner, with no additional authentication required after guessing the correct passcode [1].

Mitigation

Apple addressed this issue in iOS 8.3, released on April 8, 2015. Users are advised to update their devices to iOS 8.3 or later via Settings > General > Software Update. No workaround is available for earlier versions; devices not receiving the update remain vulnerable. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
