What I don't get is why anybody tolerates a system that allows numerous attempts to log in using brute force.

I mean if you get several bad login attempts then lock or wipe it out, period. Then the "legit" owner has to call or login to an Apple service from a different device to unlock and restore the phone again. At the very least force the user to wait 1 hour so that it makes brute force prohibitively too time consuming to be practical. And even then, if the user made several bad attempts over 3 hours then simply lock it out completely. I mean children get a time out when they don't "learn" to behave properly why shouldn't adults be punished if they can't learn the responsibility of using something properly.

I am so tired of the stupidity of the idea that these companies force me to have to pick increasingly mega long passwords full of complex patterns and rules just because they refuse to bring security into the 21st century and stop the naive idiotic implementation of allowing numerous password attempts to go unchallenged after thousands of times over a short period of time. It is not rocket science, it is painfully obvious to know the differences between a valid user entering the wrong password vs a system guessing at the password over a period of time making thousands of attempts. Perhaps Apple could have some of that "AI" they want to build into future iPhones figure out the difference between a customer typing in the password wrong a few times vs a system that just guesses for thousands of attempts.

So, iPhone can be hacked because of brute force password cracking, why do people tolerate paying $1000 for that phone again? Why do people believe Tim Cook for supporting customer privacy when they can't offer it in their phones?

Talk is cheap, innovation is expensive, time to spend some of that profit Apple. It's not even hard innovation, it's just supporting a mechanism that might be painful for a small number of customers but far more secure for the majority of us.
 
The cost is so stupid its laughable. And still not one video of it doing its thing? Oh and for that money, you'd think it wouldn't look like something you built yourself. And do people really need to hack their way into 2 at once?
Call me a sceptic, but yes I am sceptical..

Speculation was the second lightning port was to hook up a jailbroken phone and use it as the cracking device. The GrayKey would copy the minimum needed OS information from the seized device to the jailbroken device and run the decrypting program. If the 10 wrong password setting is turned on it just recopies the same files to the jailbroken device over and over until it finally stumbles on the right passcode.

No source, just random internet gossip that would make sense.
 
I'm reading through Apple's 2018 security doc. The actual passcode is commingled with the unique ID, only available to the Secure Enclave processor. And this SEP keeps track of passcode attempts. So it would seem the only way to gain the actual passcode is to work with the SEP. From Apple:

...On devices with Secure Enclave, the delays [between trying passcodes] are enforced by the Secure Enclave coprocessor. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
-----
So somehow the counter for the number of passcode attempts is compromised. Have they created a RAMdisk that blocks the SEP from being able to read this value correctly after rapidly rebooting just the SEP?
 
0 1 2 3 4 5 6 7 8 9

It will take them 13 years!

People mess up by not using the 0 first... much more secure

Actually, that would only take about 4 months at their current rate if their algorithm guesses numbers in order. It would only take 13 years if their algorithm guesses numbers randomly. If their algorithm is smart, though, it probably guesses the easiest passwords to remember first, and that one would get guessed almost immediately.

You would be far safer using a 6 character password with a combination of lower case, upper case, number, and special character than you would be using a 10 digit password with only numbers.

10 digit password with numbers only = 10 possible digits = 10^10 = 10,000,000,000 possible combinations to test

6 char password with lower case, upper case, numbers, and special characters = 97 (26 + 26 + 10 + 35) possible characters = 97^6 = 832,972,004,929 possible combinations to test
 
So is Apple going to do something about it or what? Seems like grey key box is using one or multiple holes in iOS that need to be patched. If law enforcement can get their hands on a box like this, anyone can...

Just like those stupid TSA key locks you need when you travel to the USA.
 
I thought about it for a second, and I'm not really worried about the FBI, but if the FBI can do it, I bet scammers can too.

Agree with the scammers part.

The problem with the FBI part is that we know that a lot of people in the FBI believe they are above the law. Heck, just read about a guy named J Edgar Hoover. Because of his abuse of power, FBI directors are limited to 10 years in office unless an exception is passed in Congress. The FBI does not have to have a legitimate reason to hack your phone. Heck you could just be the random person they picked to get a conviction to further someone's career.

Certain crimes, because of political pressure, cannot go unsolved. So someone, no matter how innocent, has to be convicted. If you get caught in that net, no matter how much you know you were not involved, you get sent up. But no phone access, not as much to use against you.

With that said, I don't currently wear a tin foil hat and not everybody at the FBI is as crooked as the ones that rise to the top, but I have second hand knowledge through friends that getting to the top means you're willing to ignore the law to make your benefactors happy. That means that even though I do not break the law, I do not want the government, that is any part of the government, running around in my phone or other data looking for some reason to convict me.

Criminal law is not about finding right or wrong, it's about getting convictions no matter what. Ask any criminal attorney.
 
I'm reading through Apple's 2018 security doc. The actual passcode is commingled with the unique ID, only available to the Secure Enclave processor. And this SEP keeps track of passcode attempts. So it would seem the only way to gain the actual passcode is to work with the SEP. From Apple:

...On devices with Secure Enclave, the delays [between trying passcodes] are enforced by the Secure Enclave coprocessor. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
-----
So somehow the counter for the number of passcode attempts is compromised. Have they created a RAMdisk that blocks the SEP from being able to read this value correctly after rapidly rebooting just the SEP?

They aren't trying passcodes by giving them to the phone, so the Secure Enclave coprocessor doesn't even come in to play or know about any passcode attempts. They are pulling a piece of encrypted data off the phone, and then attempting to decrypt it with passcodes until the decrypted data makes some sort of sense. This is why the iPhone only needs to be plugged in to start the cracking, and can be unplugged after that while the machine works. What Apple needs to do is figure out what encrypted data they are able to pull from the phone while it's locked, and prevent that data from being pulled.
 
These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.

This guy comes in every thread and pretends to know how everything is cracked in the "forensic community", please do tell how this "forensic community" can crack a 10 digit alphanumeric password? If they were sooo great, they would be cracking bitcoin wallets. Anyone with half a brain knows a simple NVIDIA gpu can crack 4-8 digit numeric password with ease. The only thing that this 'graybox' demonstrates is that someone found a way to bypass secure enclave restrictions, probably through some exploit that leaks the encrypted memory at which point the brute force decryption is like any other. And given the timing of spectre/meltdown, I wouldn't be surprised if the 'lightning' ioctl driver was being exploited with the same strategy. And filefault? Lol. They can't even touch an encrypted .7z archive.
 
These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.
Dude, when I was doing my El Capitan cert, I was scared out of my mind how easy FileVault was to get into.
 
What if you just want to do your banking on your phone? Can you have strong encryption then?

Sure, but this article isn't about web SSH or app passwords, both of which protect online banking. It's about the phone's passcode, which prevents access to unprotected files and unprotected apps like Mail or iMessages.
 
Too many passwords to manage these days. Even worse in corporate world.
Saw web article last month of a group recommending years ago using complex password schemes and now they recommend going back to easily remembered passwords - go figure.
Personal security is important though
Do your due diligence
 
No. That's not how it works. Your face/fingerprint is actually used as a decryption key to decrypt your passcode that is stored encrypted in the Secure Enclave on the iPhone. When you use FaceID, you are decrypting your normal passcode which then gets entered like normal. It doesn't replace your passcode.
---------
Not exactly. The passcode is never stored encrypted or otherwise. Except in your brain.

A phone with TouchID or FaceID on never fully "locks"; a state where the high level keys are tossed. When *locking*, the phone encrypts these high level keys within the Secure Enclave. A successful fingerprint or face match will decrypt the high level keys, making the user data partition available again.
 
13 years to crack my information then. I will save you some time!

iMessage:
me: are you in later?
friend: yes

Photos:
photo of a car, a tree and something on my desk

Calendar:
Dentist appointment

Go for it! :)
What about your search history and password managers? What about your SIN and banking information? What about contacts?
 
Let's say Apple had made and signed software for the FBI to allow easy access to iPhones. At what point do you think it would start being able to predict when someone is going to go on a shooting spree or ram their car into pedestrians?

It'd only be good for after such an event when the 'sometimes lone' terrorist is normally dead. Apple refused because it would get into the wrong hands and then every non criminal's data is at risk, too! Apple have no obligation to create flaws in their security features. If they did, they might as well not bother putting the features there in the first place.

Well now you're suggesting Apple is the Police or FBI and predicts terrorist or other acts, that’s not their job, their job is to assist law enforcement protecting the people, who are paranoid about their government literally having nothing better to do than spy on every citizen with an iPhone, apparently.

Apple were given the opportunity to control all access themselves, keep all equipment at their offices and they gave an utterly bogus refusal. Even though any access gained by criminals would be entirely Apple's fault as they would be controlling the access entirely.
Thankfully other governments are not so lenient and will force them to give access.
 
Wish I could set 1 as my server password lol.

Haha yeah, now that's a different thing - unfortunately my macOS server that is open to the public does have a long password on it and it's a pain to login and run terminal commands.
On my Mac the password is empty. I don't wanna type my password 10 times a day 365 a year for the rest of my life..
That would amount to days...

Anything digital can be hacked. ANYTHING. It is just a matter of time and money !

Unfortunately you can't have an empty password for many terminal things it has to be "something" hence 1.
 
I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.

You have?

Was it an online or offline attack? If offline, what hash was this? Was it salted, or was there a rainbow table? Was it bcrypt? How many rounds?

But if it's iPhone-related, it most likely wasn't offline, but online. In which case, you haven't. The very fastest possible guess still takes 80ms, so you can only guess 12.5 times a second. Even with just 11 characters, that's gonna take you centuries.
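
An added example (not part of any post in this thread) that turns the keyspace figures and the 80 ms-per-guess figure quoted above into search times. It assumes every guess costs exactly 80 ms with no escalating delays and that passcodes are chosen uniformly at random; the `SHAPES` list is a constructed comparison set.

```python
# Added example: search-time estimates at the 80 ms-per-guess figure from the thread.
# Assumptions: constant cost per guess, no lockout delays, uniformly random passcodes.

MS_PER_GUESS = 80                     # "the very fastest possible guess still takes 80ms"
MS_PER_DAY = 24 * 3600 * 1000
MS_PER_YEAR = 365.25 * MS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of a fixed length over an alphabet."""
    return alphabet_size ** length


def worst_case_years(alphabet_size: int, length: int) -> float:
    """Years to try every passcode in the keyspace."""
    return keyspace(alphabet_size, length) * MS_PER_GUESS / MS_PER_YEAR


def average_years(alphabet_size: int, length: int) -> float:
    """Expected years when guesses are made in random order (half the keyspace)."""
    return worst_case_years(alphabet_size, length) / 2


def sequential_days(numeric_passcode: str) -> float:
    """Days for an in-order search (000...0 upward) to reach a numeric passcode."""
    if not (numeric_passcode.isascii() and numeric_passcode.isdigit()):
        raise ValueError("numeric passcode expected")
    guesses = int(numeric_passcode) + 1   # 000...0 is guess number 1
    return guesses * MS_PER_GUESS / MS_PER_DAY


# Constructed comparison set: (label, alphabet size, length).
SHAPES = [
    ("4 digits", 10, 4),
    ("6 digits", 10, 6),
    ("10 digits", 10, 10),
    ("11 digits", 10, 11),
    ("6 chars, 97 symbols", 97, 6),
    ("11 chars, a-z A-Z 0-9", 62, 11),
]


def estimate_table():
    """Return (label, keyspace, average years, worst-case years) per shape."""
    return [
        (label, keyspace(a, n), average_years(a, n), worst_case_years(a, n))
        for label, a, n in SHAPES
    ]


if __name__ == "__main__":
    for label, space, avg, worst in estimate_table():
        print(f"{label:<24}{space:>26,}  avg {avg:>10.3g} y  worst {worst:>10.3g} y")
    days = sequential_days("0123456789")
    print(f"0123456789 reached by in-order search after {days:.0f} days")
```

At this rate a random 10-digit passcode averages about 12.7 years and an in-order search reaches 0123456789 in about 114 days. A guesser that tries memorable passcodes first is not modelled, so these numbers are upper bounds for human-chosen passcodes.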
 
Agree with the scammers part.

The problem with the FBI part is that we know that a lot of people in the FBI believe they are above the law. Heck, just read about a guy named J Edgar Hoover. Because of his abuse of power, FBI directors are limited to 10 years in office unless an exception is passed in Congress. The FBI does not have to have a legitimate reason to hack your phone. Heck you could just be the random person they picked to get a conviction to further someone's career.

Certain crimes, because of political pressure, cannot go unsolved. So someone, no matter how innocent, has to be convicted. If you get caught in that net, no matter how much you know you were not involved, you get sent up. But no phone access, not as much to use against you.

With that said, I don't currently wear a tin foil hat and not everybody at the FBI is as crooked as the ones that rise to the top, but I have second hand knowledge through friends that getting to the top means you're willing to ignore the law to make your benefactors happy. That means that even though I do not break the law, I do not want the government, that is any part of the government, running around in my phone or other data looking for some reason to convict me.

Criminal law is not about finding right or wrong, it's about getting convictions no matter what. Ask any criminal attorney.

I just meant for me personally on that. I am not a public figure or have any sensitive info to be interesting to anyone but scammers. But I am with everyone seeking better privacy protections. It's not one or the other. It's always both. If one can get it, so can the other.
 
No user should be using a numeric only passcode. It should be custom Alphanumeric. Period. Doesn't matter if you're doing something wrong or if you have nothing to hide.

Don't be ****ing lazy. Think of the children.
Who? The starving children in Africa? I try not to waste food :)
 
What I don't get is why anybody tolerates a system that allows numerous attempts to log in using brute force.

I mean if you get several bad login attempts then lock or wipe it out, period. Then the "legit" owner has to call or login to an Apple service from a different device to unlock and restore the phone again. At the very least force the user to wait 1 hour so that it makes brute force prohibitively too time consuming to be practical. And even then, if the user made several bad attempts over 3 hours then simply lock it out completely. I mean children get a time out when they don't "learn" to behave properly why shouldn't adults be punished if they can't learn the responsibility of using something properly.

I am so tired of the stupidity of the idea that these companies force me to have to pick increasingly mega long passwords full of complex patterns and rules just because they refuse to bring security into the 21st century and stop the naive idiotic implementation of allowing numerous password attempts to go unchallenged after thousands of times over a short period of time. It is not rocket science, it is painfully obvious to know the differences between a valid user entering the wrong password vs a system guessing at the password over a period of time making thousands of attempts. Perhaps Apple could have some of that "AI" they want to build into future iPhones figure out the difference between a customer typing in the password wrong a few times vs a system that just guesses for thousands of attempts.

So, iPhone can be hacked because of brute force password cracking, why do people tolerate paying $1000 for that phone again? Why do people believe Tim Cook for supporting customer privacy when they can't offer it in their phones?

Talk is cheap, innovation is expensive, time to spend some of that profit Apple. It's not even hard innovation, it's just supporting a mechanism that might be painful for a small number of customers but far more secure for the majority of us.
You're obviously not reading anything before commenting. Of course iOS has brute force protection via time injection. This is getting around it somehow and then being able to perform a standard brute force attack.
 
These sort of known compromises are not troubling. What is troubling are the unknown compromises.
 
Why is it necessary to use numbers in a passcode? Wouldn't a simple nonsensical sentence significant only to you work just as well?
Like "my hamster's buckteeth are blue" or something like that.
 
If I'm at a random DWI stop, and the police ask for my phone, I know my rights and know I can say 'No'. I also know they can then say they smell something, handcuff me on the side of the road while they take their time bringing in a dog, and then give the dog their secret trigger signal that something may be in the car. If they're not 100% out to get me, they tear my car apart and then send me on my way, costing me valuable time and some of my dignity.

If they are out to get me, hopefully all they do is plant a bag of crack in my car, but I fully acknowledge they can scream, "Look out! He's coming right at us!", shoot me 100 times in the back, then use the fact that I had asthma medicine in my system to disparage my good name and get folks on social media to agree I deserved it.

What they don't get is easy access to everything I've done, every place I've visited, a list of everyone I know, every idea I've never pursued, and every unfulfilled dream I've ever listed in Notes. They'll need to go to a third party to obtain permission to, maybe, access that information. Information, as innocent as it may be, I may feel is too personal to want to share with any government.

A minor victory, to be sure, but no way I go gently into that good night.

No matter what race you are, The Police in the USA have a 100 percent license to kill you at their discretion in the US with no consequence other than a show trial.
 
Glad I don’t live in your country.
This mentality of being fine with relinquishing more and more privacy and rights because of “terror” is ridiculous. I understand it since the mainstream media foments this fear whether it’s valid or not. History shows us that quite a bit of this “terror” is either propaganda, a product of government action, etc. But those truths usually don’t make it to the front page or the leading story, if at all. And that’s not even getting into the long term ramifications of this potential dystopia in which a single entity could enslave thousands of devices, drain bank accounts, gather the most personal of data, etc. Heck, that’s already happening to an extent with things like Equifax, Facebook, Cambridge Analytica, etc. And that’s BEFORE these people get their wish of universal back doors (which will not be for the reasons these people think they are there for) and/or surely evolve into something awful (like the Patriot Act). Finally, is it lost on these people that by adopting this mentality you are essentially handing success to any “terrorists.” Their purpose is to sow terror, along with all the ramifications that has. But for the sake of argument, let’s say that all of it is on the up-and-up and there are terrorists under your bed or whatever, and that may result in some people suffering because of that. First, there was more terrorist activity in the 1970’s than today. Second, giving up more and more rights to the state will not stop that from happening. Only changes in foreign policy, priorities, etc. will stop that, and even then not completely. Putting universal back doors in everyone’s devices to “fight terror/crime” is like arming teachers to stop shootings at schools. It’s a weird band-aid solution that exists only because policy makers are unwilling to address the root cause of the problem. All these backdoors will do is provide a path to exploit and harm an infinite amount of people in the future, and likely in a way that you or I aren’t thinking of today.
Once these things are put in place, it is not a question of “if” that will happen, only a question of “when.” IMO, don’t buy into the fear narrative, start replacing corporate media with sources that are not funded by arms manufacturers, fossil fuel and pharmaceuticals companies, etc. (look at the commercials they show, that’s who owns them). You won’t miss any news covered in the mainstream, likely will be better informed, less afraid all the time however you’ll probably replace that with being frustrated at the corp. oligarchy. Sorry for the rant, I just had a moment and needed to vent. That’s my long-winded way of saying, “agreed. Glad I don’t (I hope) live in that country. I’m living in the giant dumpster fire that is currently the US. And even so I still say “F fear.” (Unless it is for real things like bears. They’re marauding killing machines and must be stopped.)
 