It is no longer safe to use a six-digit passcode on your iPhone.
Thanks to a new kind of specialized cracking device, law enforcement officials can bypass any 6-digit iPhone passcode in up to eleven hours or less while a four-digit passcode can be calculated in 6.5 minutes on average or 13 minutes at the longest.
A gray box measuring four inches wide by four inches deep by two inches tall, with two Lightning cables sticking out of the front, the GrayKey box was designed by a company called Grayshift. It works with all recent iPhone models.
The device is designed for law enforcement officials.
According to VICE’s Motherboard, the Internet-connected $15,000 device uses an undisclosed iPhone jailbreak or zero-day exploit which lets it break password entry throttling enforced by the Apple-designed Secure Enclave cryptographic coprocessor.
After four consecutive passcode attempts, the Secure Enclave begins delaying further attempts, by one minute for a fifth unsuccessful attempt or one hour for the ninth consecutive passcode error. GrayKey not only bypasses this failsafe, but also iOS’s option to have the contents of your iPhone wiped after ten consecutive failed passcode attempts.
According to Matthew Green, assistant professor and cryptographer at John Hopkins Information Security Institute, an 8-digit passcode can take anywhere between 46 hours and 92 days to guess. A strong 10-digit passcode with random numbers can take up to 25 years to crack, or more than 13 years on average.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
In September 2014, Apple made disk encryption the default on iPhone.
While full disk encryption protects your data, someone who is able to guess your passcode can easily read or extract your data. After your device has been successfully unlocked using the cracking box, the full contents of the filesystem are downloaded to the GrayKey device, including the unencrypted contents of the system keychain.
Your account credentials, names and phone numbers, emails, texts, banking account information and even credit card numbers or social security numbers can be accessed from there through a web-based interface on a connected computer for analysis.
Ryan Duff, a researcher who’s studied iOS and the Director of Cyber Solutions for Point3 Security, told Motherboard in an online chat:
People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters and numbers. Adding symbols is recommended and the more complicated and longer the passcode, the better.
Since the release of iOS 9, Apple requires a 6-digit passcode by default.
If you’d like to bolster the security of your iPhone or iPad, you can crank up the strength of your passcode even more by setting a custom numeric passcode or an alphanumeric password.
If I were you, I’d set up an alphanumeric password.
Sure, typing a long alphanumeric code is a pain in the you-know-what, but since it contains multiple letters and numbers it’s going to be incredibly stronger than those easily crackable 6-digit passcodes. Oh, and please be sure to check your passcode length—people who have restored backups when upgrading to newer iPhones may still have 4-digit passcodes.
Devices like the GrayKey box will work until Apple fixes whatever exploits they rely on, at which time updated iPhones would no longer be susceptible to password attacks like this. For those wondering, the GrayKey device works on the latest hardware with iOS 11.2.5.
Hero image: GrayKey iPhone cracking box, courtesy of MalwareBytes