iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average

[manuelhadow]

Alphanumeric passwords in fact not make much sense as they are very hard to remember and slower to type in. Instead people should just increase the length of the passwords. Each digit more increase the number of possible combinations 900%. If you use twelve digits for example, there already 1,000,000,000,000 combinations and 12 digits are still quite easy to remember. It is just like a cellphone number. Alphanumeric password on the other hand are quite difficult to remember.

You can continue that table. If 10 digits need 13 years to be cracked, just add another digit and it will already take 130 years. So it will not be cracked in your lifetime.

Another thought: Normal users really might have a 6 digit passcode ore even just a 4 digit one that can be cracked in 6.5 minutes. However, somebody who has information on his cellphone that could put him into jail, will use a veeeery long passcode even if it is inconvenient to type in every time. That is the basic problem with many measures against data privacy: The victims are the normal people who are not super careful. Those who do not use a VPN, TOR, message encryption or use a new cellphone number every week.

 

[thisismyusername]

What are you all so worried about? A passcode only needs to be long enough so you can remotely wipe your device before a thief is able to get in... and they're not going to be using these devices. If you're worried about what the police/feds/etc will find on your phone via devices like this after getting arrested, you have much bigger problems in your life that you need to sort out... not to mention you deserve to get thrown in jail if you're dumb enough to keep incriminating evidence on a mobile device that's with you all the time.

6 digits is fine.

I completely understand using really long random passwords, managed via a password manager, for your online accounts but we're talking about a passcode designed to keep people who have physical access to the device out.

 

[vpndev]

The interesting challenge for Apple is how much do they do to make things like GreyKey unworkable.

If you make it really, really hard - but not impossible - then you can keep FBI and similar in other countries away. On the other hand, if you rapidly and aggressively close everything then you risk a worse outcome - Federal law that weakens security.

This is a really hard issue and I'm glad that Apple is deciding it, not me.

 

[jman240]

If I were Apple, I'd wait a little while longer for all of these law enforcement offices to buy these boxes, and then patch it so they have a bunch of $30K paper weights laying around. Then maybe next time they'll reconsider buying something expensive that can be made obsolete so easily.

That's assuming there isn't a way to software patch the boxes of course. From what it sounds like the "cheaper" does some sort of GPS check in and can only be used at a specific location makes me think they have probably thought of this scenario at least.

 

[25ghosts]

Exactly this. 4 digit on my phone and my account password on my Mac's is just "1" - there, you know it, now come and hack me. It's just a lot easier when you do a lot of terminal work, i'm not going to type in passwords all the time for Sudo.

on my mac the password is empty. I dont wanna type my password 10 times a day 365 a year for the rest of my life..
That would amount to days...

Anything digital can be hacked. ANYTHING. It is just a matter of time and money !

 

[charlituna]

I would have to assume that Apple is complicit in this. When such devices have popped up in the past, they either only worked on older versions of iOS or Apple issued a software update that prevented the method from working any longer.

In this instance, the silence from Apple is deafening.

They might be keeping silent because they don’t want to tip off that they are working on a fix and get sued. Just add it, for the purpose of added user security, and let the LEOs find out later. Just like they did with removing the previously trusted computer work around

 

[5105973]

Sigh. Fine. I’m going to pick a random Welsh street sign and add my high school gym locker combination to it.

 

[BaccaBossMC]

To 8-Digit I go! Devices like this should be illegal under the 4th Amendment, but here we are.

To the scumbag that invented this and decided to violate the privacy of the people, I think everyone on the planet would love to watch your arrest and execution. Privacy is no joke. If GreyKey can do it, that means some other BlackHat can do it too.

Personally, I would like to see Apple add a circuit within their devices that has a similar function to the USBKiller to immediately brick the GreyKey Box.

 

[macduke]

That's assuming there isn't a way to software patch the boxes of course. From what it sounds like the "cheaper" does some sort of GPS check in and can only be used at a specific location makes me think they have probably thought of this scenario at least.

Would be interesting to see if they have a backlog of exploits that they can continually roll out. That would actually be pretty crazy. Like the opposite of a patch Tuesday, lol.

 

[Foxglove9]

4 digits is fine with me

 

[NoBoMac]

One problem might be that Apple can't get ahold of one of these boxes to figure out exactly what is going on.

Or, Apple does know and currently can't do anything about it. There has been speculation for a while now that the Secure Enclave is an Apple-ized version of ARM's secure processor that is in their designs (can't recall what the trademark name for it is). What might be happening is this box loads a program on the secure processor to access the hashed passcode and then run the native encryption algorithm on all the numeric combinations until they get a matching hash value. This program probably is also resetting the memory location keeping track of how many attempts have been done.

Or, Apple will let it go, for now, as then they don't have to put in backdoors to make the 3-letter agencies happy, which are scarier, imo (ie. backdoor leaks and anybody can exploit).

Now again, pass phrases would be harder to use social engineering to figure out, as they could use various misspellings, capitalization and numbers to further confuse things.

This. I am doing something along these lines (12 on iOS, 16 for non-admin Mac account, 20 for admin account).

A couple of years ago, recall reading an article where some of the security experts are now advocating to drop the "use 4 random words" passwords and instead go with coming up with a random paragraph of text, meaningful only to you, and use some combination of first/first-two letters of each word to make a password. For example: "I have a dog. My dog's name is Fifi. My dog has fleas" turns into something like "IhAdMdNiFmDhF" and you can then add in any numbers, special characters that are needed.

Believe "Ars Technica" did an article a few years ago re: password crackers and how good their dictionaries are, and how smart they are with doing the "password" > "p@ssw0rd" substitutions. The best one was able to get 95% of the passwords including "motherof3gr8kids" (combined "motherof3g" and "8kids" from their dictionaries).

 

[newellj]

These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.

OSMG: Question: presumably FileVault becomes more secure rapidly as the passcode length and complexity goes up?

 

[nwcs]

I think the takeaway from all these posts about breaking the iPhone code is pretty simple: if you’re going to use your phone for something that the government might want then don’t use any of the standard tools and use only tools that employ strong encryption for all files at rest. That way you aren’t relying on the default encryption at all and it wouldn’t matter if they broke in.

Let’s see how they would handle it if all the data is hybrid encrypted with a 4096 byte RSA key of an AES 256 encrypted packet that’s also signed. And if it is really nefarious, use a different encryption of the data within the AES file...

 

[AppleScruff1]

It’s great to let the criminals and terrorists know this.

 

[newellj]

0 1 2 3 4 5 6 7 8 9

It will take them 13 years!

People mess up by not using the 0 first... much more secure

Disclaimer: math dunce here. Question: why does the zero increase security?

 

[ignatius345]

It's true enough. What's frustrating is that a lot places that require passwords enforce the silly rules about using numbers and so-on and therefore continue to encourage people to use weak passwords, when you would be more secure with phrases.

My old work had this kind of crap. I just used the same password over and over and changed one digit at the end each time they made me change it. I'd keep that extra digit written on a post-it on my monitor.

And plenty of people just do the good old "note under the keyboard" method to remember whatever stupid hard-to-remember password their IT dep't makes them apply.

 

[Kekinash]

I used to work in another country in systems locking and protecting, so I know what I talking about: Don’t overreact, it’s no so easy to hack a well constructed password, if you don’t have any other information about the subject using it (social and such).
There’s not magic or like on TV shows, like IA analisys or cracking. IA is still a dumb fast idiot and needs several years to be useful for beating the human creativity.
Today I get around 6000 force brute attacks daily on the public servers part of my domain, so far after 10 years NONE has been successful. This gives you an idea how dificult is to be able to hack a well constructed password and policy. Look Google for how to build a good password, don’t reuse them (most important), don’t share them (very common, unfortunately).

 

[Mr. Heckles]

What are you all so worried about? A passcode only needs to be long enough so you can remotely wipe your device before a thief is able to get in... and they're not going to be using these devices. If you're worried about what the police/feds/etc will find on your phone via devices like this after getting arrested, you have much bigger problems in your life that you need to sort out... not to mention you deserve to get thrown in jail if you're dumb enough to keep incriminating evidence on a mobile device that's with you all the time.

6 digits is fine.

I completely understand using really long random passwords, managed via a password manager, for your online accounts but we're talking about a passcode designed to keep people who have physical access to the device out.

Flip up control center and turn on airplane mode, now how do you remote wipe a phone when it’s in airplane mode?

 

[NoBoMac]

OSMG: Question: presumably FileVault becomes more secure rapidly as the passcode length and complexity goes up?

Yes, but, most people pick something easy or short to remember and type in (eg. "letmein", "password", dog's name).

If I recall correctly, when FileVault gets turned on, a random encryption key is generated to do the disk encryption. The encryption key gets encrypted with a different random key. This second encryption key then gets encrypted to the user's passcode. All this, including the hashed values for the passcodes are stored in an encrypted keychain-like file (it's on the recovery partition, if I recall, and has a file extension of ".wipekey"). The encryption key for the keychain is written to the drive's header information at some specific bytes.

So, where FileVault gets easy to crack is you can "easily" get the keychain key, scrape off the keychain file, then run whatever password cracker you have against the hashed passwords found in the file. If you got a weak passcode, should be found easily.

 

[MR-LIZARD]

These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.

There have been exploits available at certain times for some revisions of hardware and iOS versions but not for the life of the iPhone. iPhones have typically been very difficult (since the 4S) to crack within the forensics community.

iPhone 3GS - 4 - PIN bypass via boot loader attack
iPhone 4S - iOS 5 - No exploits during life cycle
iPhone 5 - iOS 6 - No exploits during life cycle
iPhone 5S - Devices (all prior hardware) running iOS 7.x - 8.0.x - IP Box/MFC/etc
iPhone 6 - iOS 8.1 - No exploits during life cycle- Release of iOS 8 also secures previous devices that can be upgraded
iPhone 6S - iOS 9 - No exploits during life cycle
iPhone 7 - iOS 10 - No exploits initially, but Cellebrite offers capabilities
iPhone 8 & X - iOS 11 - No exploits initially, but services offered by Cellebrite and GrayKey

Cellebrite's service does also offer backwards compatibility to iOS 5, but this hasn't been available since the launch of iOS 5 - https://www.cellebrite.com/en/cas-sales-inquiry/

 

[mejsric]

Do you lock your doors at night to your house? Do you have something to hide?

I just changed my 6 digit pin to a 10 digit alphanumeric. I had to make sure to write it down in 1pass because I almost never use it because of touch id. I've always been a sucker for security even though my bank account proves no one would ever want to hack me and I don't have a security clearance.

We do lock doors in the house but having a 10pad locks, 4 story walls, man eating dogs, security guards, cams, rifles, rockets, to secure the house is different... add self destruct house.

 

[NoBoMac]

Flip up control center and turn on airplane mode, now how do you remote wipe a phone when it’s in airplane mode?

This came up when Apple first rolled out Control Center. And general consensus was to not have Control Center on the lock screen. Which devolved into odd scenarios coming up where it's possible that a thief will watch you, to make sure you are off the lock screen, will grab from you hands, work the control center while running, and then put it into a Faraday bag, just to be safe.

 

[Kekinash]

We do lock doors in the house but having a 10pad locks, 4 story walls, man eating dogs, security guards, cams, rifles, rockets, to secure the house is different.

The more paranoid you become the easier to make a big mistake and do not realize it. If you add to much complexity to your security, the easier it gets to find something for hacking you. You are leaving to many traces.

 

[BigMcGuire]

We do lock doors in the house but having a 10pad locks, 4 story walls, man eating dogs, security guards, cams, rifles, rockets, to secure the house is different.

Alrighty, point taken. On that note, increasing passcode from 6 characters to 10 is hardly 10 pad locks, 4 story walls, man eating dogs, security guards, cams, rifles, rockets, etc... lol

 

[PastaPrimav]

They shouldn't be able to crack the throttling. This is the crux of brute force protection.