macrumors bot
Original poster

Law enforcement agencies have a new iPhone cracking tool, the GrayKey, designed by a company called Grayshift, that works with all modern iPhones and the newest versions of iOS 11.

Previous reports have suggested the GrayKey can crack 4-digit passcodes in a matter of hours and 6-digit passcodes in days, but as highlighted by VICE's Motherboard, cracking times for the GrayKey and similar iPhone unlocking methods can be even shorter, and 6-digit passcodes no longer offer adequate protection.


Matthew Green, assistant professor and cryptographer at the Johns Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple's passcode-guessing protections, a 4-digit passcode is crackable in 6.5 minutes on average, while a 6-digit passcode can be cracked in 11 hours on average.

Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
- Matthew Green (@matthew_d_green) April 16, 2018

Apple does have a built-in option to erase an iPhone after 10 incorrect passcode attempts, and there are automatic delays after a wrong passcode has been entered more than five times, but GrayKey appears to bypass these protections.

It's not clear whether the GrayKey reaches the fastest unlocking times Green outlines, but even at slower speeds it takes only days to get into an iPhone with a 6-digit passcode. By comparison, it takes over a month to crack an iPhone with an 8-digit passcode, or more than 13 years to get into an iPhone with a 10-digit passcode.

With the release of iOS 9 in 2015, Apple changed the default from a 4-digit passcode to a 6-digit passcode, making iOS devices more secure, but for those concerned about their iPhones being accessed, whether by law enforcement with the GrayKey or by a hacker with a similar cracking tool, a 6-digit passcode is no longer good enough.

Several security experts who spoke to Motherboard said people should use an alphanumeric passcode that's at least seven characters long and uses numbers, letters, and symbols.

"People should use an alphanumeric passcode that isn't susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers," Ryan Duff, a researcher who's studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. "Adding symbols is recommended and the more complicated and longer the passcode, the better."
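
As an added example (not code from the article or from Green), the following Python reproduces Green's table from its two stated assumptions, a uniformly random passcode and an exploit that removes SEP throttling, and extends it to the 7-character mixed-case alphanumeric passcodes recommended above and to a passcode taken from a wordlist. The per-guess cost of 80 ms is my assumption: it is the value that reproduces all four rows of the tweet.

```python
import string

# Assumed fixed cost per guess once throttling is gone. 80 ms reproduces
# Green's table: 10^4 guesses -> 13.3 min, 10^6 -> 22.2 h, 10^8 -> 92.6 days.
SECONDS_PER_GUESS = 0.08


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random passcode of exactly `length` characters."""
    return alphabet_size ** length


def crack_seconds(candidates: int, seconds_per_guess: float = SECONDS_PER_GUESS) -> tuple:
    """Return (worst-case, average) seconds to brute-force `candidates` guesses.

    Worst case tries every candidate; a uniformly random passcode is found
    about halfway through on average, which is how the table's "avg"
    column relates to its "worst" column.
    """
    worst = candidates * seconds_per_guess
    return worst, worst / 2


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit (365-day years), e.g. '22.2 hr'."""
    for unit, size in (("yr", 365 * 86400), ("day", 86400), ("hr", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def report(label: str, candidates: int) -> str:
    """One table row: label, worst-case time, average time."""
    worst, avg = crack_seconds(candidates)
    return f"{label:<40} {human(worst):>12} worst  {human(avg):>12} avg"


if __name__ == "__main__":
    digits = len(string.digits)                        # 10 symbols
    alnum = len(string.ascii_letters + string.digits)  # 62: upper, lower, digits
    for n in (4, 6, 8, 10):                            # Green's four rows
        print(report(f"{n}-digit random PIN", random_keyspace(digits, n)))
    # The Motherboard recommendation: at least 7 mixed-case alphanumerics.
    print(report("7-char random mixed-case alphanumeric", random_keyspace(alnum, 7)))
    # Why "not susceptible to a dictionary attack" matters: a passcode drawn
    # from a 100,000-entry wordlist has only 100,000 candidates, however long it is.
    print(report("passcode from a 100,000-entry wordlist", 100_000))
```

The keyspace, not the character count, is what sets the cracking time: a long passcode chosen from a wordlist falls in minutes at this guess rate, while a random 7-character mixed-case alphanumeric one takes thousands of years.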
To change your iPhone's passcode from a simple numeric 6-digit passcode to something more secure, you'll need to use the Settings app. Go to "Face ID & Passcode" (or "Touch ID & Passcode" on devices without Face ID) in the Settings app, enter your current passcode, scroll down, and then choose "Change Passcode."

You'll be asked to enter your new passcode on this screen, but instead tap the blue "Passcode Options" text toward the middle of the display. Choose "Custom Alphanumeric Code" to enter a passcode that consists of letters, numbers, and symbols.


With an alphanumeric passcode in place, you'll no longer be presented with a numeric keypad when unlocking your iPhone; instead, you'll see a full keyboard for typing in your passcode.

There's a definite trade-off between convenience and security when using a longer alphanumeric passcode like this. It's a lot easier to type six digits than a mixed-character alphanumeric passcode on an iOS device, but for the best protection, longer and more complex is the way to go.

Article Link: iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average
 

newellj
HS. I am a math dunce, but I am shocked by how steep the curve is for additional characters.

Also, I've been running an 8-digit numerical code. I guess I will go to alphanumeric and bump it up to ten.
 

newellj
I'm not sure why I didn't think of this before. Both of my Macs are protected by a 16-character passcode that has upper and lower case alpha, numerics, and special characters. My iOS devices deserve more than just an eight digit numeric code.
 

OldSchoolMacGuy
These devices have existed nearly as long as the iPhone has, and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too, and is. If you only knew the extent of the capabilities within the forensic community.
 

justperry
I use ten. They can have my data if it takes approximately 13 years to extract my information, which I'm not too concerned with.

Exactly this. Why use a difficult alphanumeric passcode when it takes 6 ½ years avg. to get into your phone? Most likely the phone won't work anymore by the time the password is/would be guessed.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.