No user should be using a numeric-only passcode. It should be custom alphanumeric. Period. Doesn't matter if you're doing something wrong or if you have nothing to hide.

Don't be ****ing lazy. Think of the children.

Unless your device is managed by an MDM/EMM, then most likely, yes, the common smartphone user does have a very simple numerical passcode.

Funny enough, iOS detects successive numbers as too simple;
example: 112233
BUT go longer and iOS thinks the passcode is fine;
example: 1122334455
LMAO!


I wonder how long it would take for it to guess this password:


Damn you beat me to this! Always loved this episode.


I figure if my iPhone is stolen, that means I'm dead, so what do I care? :D
Soon folks' passwords will be so long that they will stand there and type their password for 10 minutes before being able to unlock it

Nothing is secure; it never will be and never has been.

People need to understand that!
These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.

Yes, however only to a certain degree. Forensic science with computers can only do so much and is not magic. It cannot do whatever a person (such as law enforcement) would like. There are limits.
For example, if the law can get into my MacBook then I will give them a medal.
No amount of 'magic' will help them. I do not know much in life but I have a natural ability to see where parts of a system fall down etc. Where the holes are and such.
I will tell you about when I had a Windows laptop because I no longer use it.
I used BitLocker. I had the laptop set up so that in order to boot the laptop up I had to boot up with a USB flash drive connected.
It gets harder...
You see, I had a 2nd laptop that itself was also BitLocker enabled... I had a USB drive for that laptop that had to be connected in order to boot. So I had to connect the 2nd USB drive, boot up the 2nd laptop, enter the password for BitLocker and the computer password (in itself not uncrackable, but it will slow down anyone trying to hack me).
Then I had to wait for Windows to load (booting straight to the command prompt etc. was disabled), then had to log into my account and then unlock the USB drive for the first laptop. Then eject it. Then connect it to the main laptop and then boot that laptop up, enter the password and the computer password, and well, you get the point.
I also kept both USB drives on me at all times. I even slept with them.
All my passwords were longer than 20 characters and alphanumeric with upper case and lower case etc.
I also made sure that all of my files that were even remotely of interest to anyone were also encrypted (for all of my encryption, even the USB drive, I used a triple cascade AES-Blowfish-Twofish key, so good luck with that!). Each file had extra protection enabled that for obvious reasons I won't divulge.
I also am aware that attempts could be made to extract the hard drive and use forensic capabilities to crack the encryption of BitLocker (which I think has been done at some point), though I took steps to stop those. It was difficult to set up and a pain in the **** but worth it in the long run.
I used to work for a defence contractor making equipment for the UK Military and whilst I did not work on creating the equipment as such my skills were, let's say more in the testing side of things.
So I knew who to talk to about stopping any forensic attempts to crack my hard drive.

It was not, however, perfect, and there were loopholes; it is just that those loopholes would have taken a very VERY long time for ANYONE to crack. No matter how good they are.
 
I use a roughly 40 character pass phrase. I've gotten pretty skilled at typing it quickly when needed.
 
Exactly this. 4 digits on my phone, and my account password on my Macs is just "1" - there, you know it, now come and hack me. It's just a lot easier when you do a lot of terminal work; I'm not going to type in passwords all the time for sudo.

Meh. I only am concerned about protecting the data from the average person who might pick my lost iPhone from the street or someone who mugs me for it. Those types aren't going to have a device like this.

If things change and I suddenly become a public figure or otherwise am doing something that requires extreme security then I'll turn off Face ID and change my code to something that will take me several minutes and a few failed attempts every time.
 
I've seen 25-character mixed case with numbers and special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.

Yeah, no. Mixed case with numbers and special characters is drawing from a set of about 70 characters and 70^25 is over 10^46. If you try a billion passwords a second, that still takes over 10^29 years for an exhaustive search, or about 10^19 times the age of the universe. No one is brute-forcing passwords of that length.

Now, people are generally crap at picking passwords, so that 25-character password isn't random, and is probably made of a few words with predictable case patterns and character substitutions, substantially reducing that space. However, it's far more likely there's a bug in the code that implements all that, and any crack is taking advantage of that exploit instead of searching for the actual password.
 
Now I'm admittedly neither a programmer nor a developer, but with all the tech available these days, wouldn't it be pretty easy for Apple to build something into iOS that recognizes an attempt to enter a phone using neither the biometrics of a thumb/face scan nor the physical entry of touch keystrokes from the keyboard, and then immediately either shut down or erase the phone?

Seems simple in my mind, but then again, I can be rather simple-minded.
 
When Apple introduced Touch ID a lot of people said they were just fine with a passcode... Now there will be an even bigger convenience reason to use that or FaceID vs a potentially complex password.

Yeah, given that we've had the technology to supplant passcodes built into our phones for years (TouchID/FaceID), I'm a bit puzzled by why the passcode remains such a strict requirement (even to access the TouchID/FaceID menu). Surely my face represents a longer "password string" than a handful of characters and would be harder to brute force in this way?

I know there are some arguments about what-you-have vs what-you-know, or the possibility of technical issues, but why shouldn't disabling passcodes for phone access be an option?
 
I didn't say I personally have the capabilities. Those I work with certainly do and I've been part of cases in multiple instances where such tech was used to access a suspect device.

Still bull. Unless somebody is exploiting a weakness in the device itself or there is an inherent weakness in the password (e.g. not truly random).

Time to crack: CT}v3ZaqiQvhLNeNB#m7Vffyu (not one of my passwords, one that has been randomly generated).
Assuming one hundred trillion guesses per second: 89 trillion trillion centuries.

Source: https://www.grc.com/haystack.htm

You're not even in the ballpark with 20 hours! lol
 
Do you think somebody with any real inside knowledge would be posting on a widely read public forum?

I offer that he/she knows diddly squat about hacking etc. I used to work for a UK defence contractor. I was not involved in the creation side of things, but I was more involved in the testing side. The reason being that I have a natural ability to see where the system falls down and the loopholes. Kind of like Heath Ledger's Joker, only without the insanity lol
I have Asperger's syndrome and I am good at seeing patterns, or in my case where the pattern doesn't meet up. Kind of like 1,2,3,4,6 repeated is a pattern, and whilst I can see that, I am much better at seeing what is NOT there: the 5!
This helps me to see vulnerabilities and flaws.
Whilst forensic techniques for computers are always evolving and can achieve quite a lot nowadays, it is not the magic he/she seems to KEEP saying it is. There are limits. I used to use Windows, and when I did I employed the hardest and best way I knew to keep anyone out, and although it would not have been impossible to get into that laptop, it certainly would have taken them longer than it was worth for nothing of any value to anyone.
So when it comes to security we have to remember that if it is a pain in the rear for us to have to enter a long password etc every time we use our phone etc then it will be a pain for the hacker as well. We should therefore make life as hard as possible for them, because it can be done, trust me.
 

My laptop has a very short but easy to type password -- it's just a deterrent more than anything. I only use the laptop for school stuff, so if someone wants to brute force their way in to use my copy of Office or take my course notes, so be it. :p
 
This is quite shocking. When will Apple patch this vulnerability? Is there a class action lawsuit I can join? No more iPhones for me until this is patched. Apple needs to start focussing on privacy, instead of teaching Siri more jokes. Outrageous.
 

It'd be easier to justify if:

a) The keyboard input wasn't so laggy as to make long complicated passwords utterly unbearable, especially when you're in a hurry
b) You could disable the lock temporarily, for example while your headphones are connected. There's no reason I have to type my passcode or use Touch ID while I'm at the gym connected to my phone on a 1m cable. Yet Touch ID fails all the time due to any amount of moisture on my fingertips. Since I can't disable it for an hour or until I unplug my headphones, it wants my passcode constantly.

Of course, having a keyboard that actually responds instantly in 2018 is too much to ask for, as are clever implementations to make life easier while having no effect on security.
 
All I want is the option for an indefinitely long numeric pin (completed with some "Enter" option). Perhaps with a minimum length of 6. I would think this would be harder to crack because of the uncertainty in length? (If I'm being honest actually all I really want is a 7 char. numeric pin, because I already have a 7 digit pin)
 
You guys criminals? Why do you need such a super super very extra hard passcode? lol

Do you lock your doors at night to your house? Do you have something to hide? :)

I just changed my 6-digit PIN to a 10-digit alphanumeric one. I had to make sure to write it down in 1pass because I almost never use it because of Touch ID. I've always been a sucker for security even though my bank account proves no one would ever want to hack me and I don't have a security clearance.
 
Why do we still insist on using insecure passwords and passcodes? No one can remember them, so they often end up writing them down, making them even less secure. Instead, we should be using pass phrases, for example: "This is my password, it is more than 10 characters long! This is actually a fairly secure password!"

And the exact example I used would obviously not be super secure or easy to remember, but you get the idea, it would be a full on sentence that you could remember and would actually be very difficult for any system to guess.
 
I can't count how many times I see people's passwords on a post-it note on their keyboard/desk/monitor. Good question.
 
With an alphanumeric passcode in place, you'll no longer be presented with a numeric keyboard when unlocking your iPhone, and instead, you'll see a full keyboard available to type in your passcode.

There's a definite compromise between easy device accessibility and security when using a longer alphanumeric passcode like this. It's a lot easier to type six numbers than it is to type a mixed character alphanumeric passcode into an iOS device, but for complete security, longer and more complex is the way to go.
A rare, very useful article. Thanks for the tip on the more secure locking of the Apple devices.
 
If I still had a TouchID device, I'd definitely crank up my password character count. But FaceID is too fallible and forces me to enter my password way too often to be worth it.
 
Total and utter bull that can be brute forced.

And do you know why I know that (other than the mathematical impossibility)? Because anybody with that capability wouldn't be posting here.
Oh, it is possible for a 25-character password to be brute forced in that amount of time, assuming the password is relatively weak like: 1234567890123456789012345

That passcode could easily be handled in minutes, the reality though is that it is far easier to figure out passcodes and passwords through social engineering than by hacking. You just need to know a few key pieces of information about a person and you can usually guess at their common passwords. This would eliminate the need for boxes such as these. Now again, pass phrases would be harder to use social engineering to figure out, as they could use various misspellings, capitalization and numbers to further confuse things.
As I said, the only way that is going to happen is if the password is already insecure and/or they are using some social engineering techniques to get a jump start.
 
Apple needs to expand the digital password to alphanumeric password including greek symbols, upper keyboard symbols but still retain the 6 characters. It would take the box around 23 years to guess the password if that is done.
 
If I were Apple, I'd wait a little while longer for all of these law enforcement offices to buy these boxes, and then patch it so they have a bunch of $30K paper weights laying around. Then maybe next time they'll reconsider buying something expensive that can be made obsolete so easily.

One problem might be that Apple can't get ahold of one of these boxes to figure out exactly what is going on. This company should be doing a lot of background checks on these devices to make sure they don't fall into the wrong hands. Who is making sure this company isn't selling to nefarious buyers? And if they're only selling to law enforcement, how will Apple get a copy? Pay off some small town cop to get their hands on it? Makes me wonder if Apple has security agents undercover working for the police just like the government likely has agents inside Apple. This spirals into conspiracy territory real quick but I wouldn't doubt it. We're talking about a company with nearly as many resources as the government, lol.
 