iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average

[Fixey]

Box is pointless nothing is being realy cracked, just allows multiple attempts on very Week passwords based on digits, if using a recommended password alphanumerical based then perhaps in 100 years time the box will crack it

It is like these cheep bycicle 3 digit combination locks, who would use that type of security on a £5,000 bike, perhaps a £100 bike so if the data is important then the iPhone is not going to have a week code

 

[Phone Junky]

Also no easy way to use Face ID while driving. I could look straight ahead and drive while my thumb unlocked it and either use Siri or type by muscle memory. Face ID doesn’t recognize my 12 chins. And you have to stare at it for a second or so before it unlocks. Can’t do that when you need to stare ahead while driving

Or do the safe/right thing and ignore your phone until you’ve stopped.

 

[geta]

You guys criminals? Why so need to have super super very extra hard passcode? lol

Why do you all think law enforcement will be after the contents of your phone? Honest to god that’s something I never think about as I have zero plans to be involved in any criminal activity.

I don’t understand why people assuming you're doing something wrong or illegal if you want to protect your privacy. I love when people says "im not a criminal so i’ve got nothing to hide"…

People locking their phones for the same reason you’re locking your house - because you don’t want strangers snooping around your private stuff, or even worse stealing from you.

As for criminals, they using burn phones anyways unless they're dumb…

 

[gsurf123]

0 1 2 3 4 5 6 7 8 9

It will take them 13 years!

People mess up by not using the 0 first... much more secure

This won't take 13 years. Easy sequences are part of dictionary lookups and tools can blow through these and other common sequences first. You'll want to mix it up. After all of the simple sequences have been tested it would revert to a brute force attack.
[doublepost=1523966339][/doublepost]

I use 13 characters. So with the length of time it takes to crack a long pass code, its almost useless to invest in
that cracking tool if they have to wait to the next century for the results...

Those numbers are for today and not for eternity. 5 years from now those times will most likely be several orders of magnitude faster.
[doublepost=1523966526][/doublepost]

I don’t understand why people assuming you're doing something wrong or illegal if you want to protect your privacy. I love when people says "im not a criminal so i’ve got nothing to hide"…

People locking their phones for the same reason you’re locking your house - because you don’t want strangers snooping around your private stuff, or even worse stealing from you.

As for criminals, they using burn phones anyways unless they're dumb…

Location data can place you at or near a crime you did not commit.

 

[gnasher729]

Whoever posted these numbers is just stupid.

There is a theoretical minimum based on the time that it takes the iPhone to check a number. And the poster just multiplied these 80 milliseconds by the number of combinations. That's not the time it takes. That's a lower bound it takes. The speed of light is about 300,000 km/sec which means the minimum time to travel to the moon is about 1.3 seconds. That doesn't mean that anyone can actually go there in that time.
[doublepost=1523967186][/doublepost]

Those numbers are for today and not for eternity. 5 years from now those times will most likely be several orders of magnitude faster.

No, they won't. iPhones and iPads are getting faster. As the get faster, the number of encryption rounds is adjusted, so that checking a passcode will _always_ take 80 milliseconds.

 

[BlueCreek]

This won't take 13 years. Easy sequences are part of dictionary lookups and tools can blow through these and other common sequences first. You'll want to mix it up. After all of the simple sequences have been tested it would revert to a brute force attack.
[doublepost=1523966339][/doublepost]
Those numbers are for today and not for eternity. 5 years from now those times will most likely be several orders of magnitude faster.
[doublepost=1523966526][/doublepost]
Location data can place you at or near a crime you did not commit.

I think you missed the clear sarcasm in a couple of those posts...

 

[gnasher729]

My understanding of how it works is that it copies the contents of the phone into virtual machines that can then rapidly try different codes. Throttling never comes into play because they are effectively using thousands of different virtual phones and then discarding them. That means the real limitation is how fast the computer can enter the PIN then move on to the next VM.

Or I could be totally wrong.

Totally wrong. To verify the passcode, you need the exact CPU on that device, because that contains one hidden 256 bit key that is needed for encryption and decryption. No other CPU is able to verify that passcode.
[doublepost=1523967654][/doublepost]

They would probably thank you for telling them it's 13 characters.

Only insofar as they might not bother trying. Telling me that you are using a 13 bit key - if it is true - only saves 3 or 4 percent of the work (10 percent if you use digits only). But then you might be lying...
[doublepost=1523967930][/doublepost]

My old work had this kind of crap. I just used the same password over and over and changed one digit at the end each time they made me change it. I'd keep that extra digit written on a post-it on my monitor.

When I left one company my password ended in 39. Mind you, there were lots of numbers and digits before the 39 that were quite impossible to crack.
[doublepost=1523968264][/doublepost]

I don't have to enter my passcode that often so I may move to a diceware passphrase:
https://www.rempe.us/diceware/#eff

It's perfect for computers with good keyboards, where typing a six word password is very easy, especially if you do it again and again.

 

[Lounge vibes 05]

Yes, however only to a certain degree. Forensic science with computers can only do so much and is not magic. it can not do whatever a person (such as law enforcement)would like. There are limits.
For example, if the law can get into my MacBook then I will give them a medal.
No amount of 'magic' will help them. I do not know much in life but I have a natural ability to see where parts of a system fall down etc. Where the holes are and such.
I will tell you about when I had a Windows laptop because I no longer use it.
I used bit locker, I had the laptop set up so that in order to boot the laptop up I had to boot up with a USB flash drive connected.
It gets harder...
You see I had a 2nd laptop that itself was also bit locker enabled...I had a USB drive for that laptop that had to be connected in order to boot. So I had to connect the 2nd USB drive, boot up the 2nd laptop, enter the password for bit locker and the computer password(in itself not uncrackable but will slow down anyone trying to hack me).
Then I had to wait for Windows to load, (boot straight to command prompt etc was disabled)then had to log into my account and then unlock the USB drive for the first laptop. Then eject it. Then connect it to the main laptop and then boot that laptop up, enter the password and the computer password and well you get the point.
I also kept both USB drives on me at all times. I even slept with them.
All my passwords were longer than 20 characters and alphanumeric with upper case and lower case etc.
I also made sure that all of my files that were even remotely of interest to anyone were also encrypted(for all of my encrypts - even the USB drive- I used a triple cascade AES-BLowfish-Twoswords key- so good luck with that!).Each file had extra protection enabled that for obvious reasons I won't divulge.
I also am aware that attempts could be made to extract the hard drive and use forensic capabilities to crack the encryption of bit locker(which I think has been done at some point),though I took steps to stop those. It was difficult to set up and a pain in the **** but worth it in the long run.
I used to work for a defence contractor making equipment for the UK Military and whilst I did not work on creating the equipment as such my skills were, let's say more in the testing side of things.
So I knew who to talk to about stopping any forensic attempts to crack my hard drive.

It was not however perfect and there were loopholes, it is just that those loopholes would have taken a very VERY long time for ANYONE to crack. No matter how good they are.

Heres the problem: The average consumer doesn't know what boot locker is, they just want to push the on button, and thats it. And, most people don't have anything very important to hide. Yes, I also believe people should be more secure with there passwords, but I think your method is a little extreme. Thats only if your working on top secret government type stuff like you were, but the average person just uses there laptops to watch youtube, type some documents, edit a few videos maybe here and there, store there pictures, and buy on amazon. So theres no need for boot locker, or anything like that.

 

[apolloa]

Apple would have lost all credibility (at least with a majority of people that value their security) had they been seen to be hacking into their own backdoor for the government.

There isn't much point in a secure enclave if whenever the government asks, Apple just unlocks it.

You know people also value not being blown up or run over or shot, or their children being so, things that terrorists do... so would they rather their phones with useless information no one cares about unless your being watched can be accessed with a judges approval, or would they rather suspected terrorises walk free because the government services are incapable of collecting the evidence they need?

I don’t particularly care about Americans and their crazy values, but in my country I want it to be law that electronics firms MUST assist security sources in accessing data on suspects devices. And I believe it will be made so eventually too.

 

[Ryan.D.Duff]

I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.

No you haven't. Especially on an iPhone. The iPhone has a hardware limitation on the speed a passcode can be attempted. Apple specifically chose an algorithm that takes 80ms to process when the device is operating at peak performance. That's why I said a 7 character passcode is enough with just upper/lower/numbers on an iPhone. Off an iPhone, that password wouldn't be nearly strong enough.
[doublepost=1523969349][/doublepost]

Yeah, given that we've had the technology to supplant passcodes built into our phones for years (TouchID/FaceID), I'm a bit puzzled by why the passcode remains such a strict requirement (even to access the TouchID/FaceID menu). Surely my face represents a longer "password string" than a handful of characters and would be harder to brute force in this way?

I know there are some arguments about what-you-have vs what-you-know, or the possibility of technical issues, but why shouldn't disabling passcodes for phone access be an option?

No. That's not how it works. Your face/fingerprint is actually used as a decryption key to decrypt your passcode that is stored encrypted in the Secure Enclave on the iPhone. When you use FaceID, you are decrypting your normal passcode which then gets entered like normal. It doesn't replace your passcode.
[doublepost=1523969564][/doublepost]

This is quite shocking. When will Apple patch this vulnerability? Is there a class action lawsuit I can join? No more iPhones for me until this is patched. Apple needs to start focussing on privacy, instead of teaching Siri more jokes. Outrageous.

This is a ridiculous view. An iPhone is still RIDICULOUSLY more secure than an Android. You're talking about switching from a device that someone has to spend millions of dollars of R&D to break to a device that is always breakable at any given time. Apple will fix this eventually. Saying they don't take security seriously is just wrong.
[doublepost=1523970070][/doublepost]

"10 digits: ~9259days worst (~4629avg)"
Not sure if this is a theoretical estimate or they've been trying to hack a 1994 iPhone all this time.

No it's not theoretical. Matt is calculating that based on the fact that it takes 80ms per attempt. Because of how the iPhone is designed, the cracking HAS to be done on device (without a really destructive process which is out of scope here).

 

[deanthedev]

I found companies that offer the same service for Android phones. The basic version and the advanced version.

 

[Ryan.D.Duff]

My understanding of how it works is that it copies the contents of the phone into virtual machines that can then rapidly try different codes. Throttling never comes into play because they are effectively using thousands of different virtual phones and then discarding them. That means the real limitation is how fast the computer can enter the PIN then move on to the next VM.

Or I could be totally wrong.

They can't bring it to an external VM so you are wrong on that point. It's a more nuanced issue than that. The design of the iPhone requires the passcode to be cracked on device. The GrayKey device DOES remove the protection that adds delays between guesses but it still is limited to the hard 80ms per try limit.

 

[lkrupp]

I haven’t read through all 200+ comments so this may have come up. If this box works by using an exploit to defeat iOS’s password attempts limit then what happens when Apple closes the hole? This brings up something I have been thinking about. How about a law that requires any exploit found to be reported to the manufacturer within, say, thirty days of discovery. Follow that up with stiff criminal and financial penalties if convicted. Obviously the company making these boxes is not willingly going to reveal its exploit to Apple. Make it a crime punishable by prison not to do so.

It’s also laughable to think these devices are not already in the hands of hackers and bad actors. For this company to say it only sells to law enforcement agencies is a cruel joke.

 

[fabrica64]

Concerning that they can bypass Apple's "10 strikes and you're out" feature.

Is it true? They claim it but has someone checked if it is really true, on latest updated devices?

 

[deanthedev]

You know people also value not being blown up or run over or shot, or their children being so, things that terrorists do... so would they rather their phones with useless information no one cares about unless your being watched can be accessed with a judges approval, or would they rather suspected terrorises walk free because the government services are incapable of collecting the evidence they need?

I don’t particularly care about Americans and their crazy values, but in my country I want it to be law that electronics firms MUST assist security sources in accessing data on suspects devices. And I believe it will be made so eventually too.

Glad I don’t live in your country.

 

[GaryMumford]

It's all a bit paranoia for the sake of paranoia!

All this article does is advise bad guys to use a stronger password!

Yep. Couldn't agree more.

 

[DynaFXD]

Glad I don’t live in your country.

Well to be clear, Apple and all the big data firms do comply with every legal warrant that is served to them. None of them have, TTBOMK, have ever taken a stand against supplying the information requested or trying to assist with unlocking a device or account in so far as they can (they don't build defeat devices). The issue becomes being compelled to deliberately bake in 'back doors' and other security holes that can be exploited by either Apple or some other actor. That is where Apple, and many other firms, draw the line.

 

[newellj]

You just enabled me to crack your password in 4.6236 days. Thanks for playing.

Too late.

 

[AnthonyHarris]

Let's say Apple had made and signed software for the FBI to allow easy access to iPhones. At what point do you think it would start being able to predict when someone is going to go on a shooting spree or ram their car into pedestrians?

It'd only be good for after such an even when the 'sometimes lone' terrorist is normally dead. Apple refused because it would get into the wrong hands and then every non criminal's data is at risk, too! Apple have no obligation to create flaws in their security features. If they did, they might as well not bother putting the features there in the first place.

You know people also value not being blown up or run over or shot, or their children being so, things that terrorists do... so would they rather their phones with useless information no one cares about unless your being watched can be accessed with a judges approval, or would they rather suspected terrorises walk free because the government services are incapable of collecting the evidence they need?

I don’t particularly care about Americans and their crazy values, but in my country I want it to be law that electronics firms MUST assist security sources in accessing data on suspects devices. And I believe it will be made so eventually too.

 

[deanthedev]

Well to be clear, Apple and all the big data firms do comply with every legal warrant that is served to them. None of them have, TTBOMK, have ever taken a stand against supplying the information requested or trying to assist with unlocking a device or account in so far as they can (they don't build defeat devices). The issue becomes being compelled to deliberately bake in 'back doors' and other security holes that can be exploited by either Apple or some other actor. That is where Apple, and many other firms, draw the line.

Warrants are perfectly fine and how things should be done. I’m strongly opposed to back doors and efforts by government to try and force companies to create them.

 

[kemal]

11 hours, sure. But what is the standard deviation?

 

[Luap]

The cost is so stupid its laughable. And still not one video of it doing its thing? Oh and for that money, you'd think it wouldn't look like something you built yourself. And do people really need to hack their way into 2 at once?
Call me a sceptic, but yes I am sceptical..

 

[DaveN]

I use four digits. If anyone ever hacks my phone, they will be disappointed as there isn't anything of value on it other that the photos I took which are backed up to iCloud anyway.

 

[78Bandit]

Just throwing one alpha character into the mix of a six digit passcode will make it almost unbreakable. Instead of 10^6 (1 million) combinations it will be a minimum of 62^6 (56 billion) possible combinations. The 62 is 10 numbers, 26 lower case letters, and 26 upper case letters. The cracking program has no idea where or what the alpha character is so it would have to try them all in sequence. It makes it even longer if the password program is designed to use special characters too.

The code 123x56 would take years to brute force.

 

[shareef777]

FaceID is such a disaster that I had to switch back to a 4-digit pin because of how often I have to enter it. Thanks Apple, way to move forward SMH.