Researcher estimates GrayKey can unlock 6-digit iPhone passcode in 11 hours, here's how to...

Posted in iPhone, edited October 2020
New estimates from a security researcher suggest GrayKey, a digital forensics tool in active use by U.S. law enforcement agencies, is capable of cracking Apple's standard six-digit iPhone passcode in an average of 11 hours. Longer codes, however, could take years to process. Here's how to beef up your handset's security.

GrayKey forensic tool. | Source: MalwareBytes


Taking a closer look at GrayKey, Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, says the iPhone unlocking device has the potential to crack a simple four-digit code in six and a half minutes, or 13 minutes at the longest.

According to his calculations, Green estimates a six-digit passcode takes up to 22.2 hours to break, while processing an 8-digit code can take as few as 46 hours or up to 92 days. That figure jumps to 25 years, or 12 years on average, for strong 10-digit passcodes made up of random numbers.

Green published the estimates in a tweet picked up by Motherboard on Monday.

Notably, Green's estimates are much faster than those reached in previous reports, which guessed a six-digit passcode would take "days" to crack.

The latest assessment assumes GrayKey uses an exploit that bypasses Apple's built-in security protections. Specifically, iOS delays multiple incorrect passcode attempts in a bid to thwart brute force attacks. These pauses are enabled after four consecutive attempts and run from one minute for a fifth unsuccessful attempt to one hour for the ninth consecutive error.

Further, users can elect to wipe their iPhone's data after ten consecutive failed attempts. GrayKey seemingly bypasses this failsafe, as well.

As suggested in previous reports, GrayKey developer Grayshift is thought to rely on an undisclosed iPhone jailbreak or zero-day exploit to achieve the relatively quick turnover. The firm markets GrayKey in a $15,000 internet-connected "flavor" with limited unlocks and a $30,000 unrestricted version.

Enable passcode

Six-digit passcodes became the norm for iOS in 2015 with the release of iOS 9. Previously, Apple required a simple four-digit passcode to protect iPhone and iPad from would-be intruders, but policies changed with the advent of advanced biometrics like Touch ID and, more recently, Face ID. The specter of warranted -- and unwarranted -- government access to consumer devices is also thought to have played a role in Apple's move to longer, more secure codes.



If you are currently operating an iPhone or iPad without a passcode, navigate to Face ID & Passcode or Touch ID & Passcode in the Settings app and select Turn Passcode On. You will be presented with an option to enter a six-digit passcode, but that option is made less secure with tools like GrayKey.

Instead, select the Passcode Options link to enter a custom numeric code or custom alphanumeric code. As noted by Green, an 8-digit code now offers a moderate level of security, while 10-digit codes provide even stronger protection. Alphanumeric passwords with random letter, number and symbol combinations typically provide the highest level of security.

Enter your new passcode or password into the box and reconfirm on the next screen to activate.
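To compare passcode options against the estimates quoted above, the following added example (not code from the article or from Green) derives the per-guess cost implied by the worst-case figures and applies it to other lengths and character sets. It assumes uniformly random codes and a constant cost per guess; the alphabet sizes are illustrative assumptions.

```python
# Added example: keyspace arithmetic based on the worst-case figures in the article.
YEAR = 365.25 * 86400

# Worst-case times quoted above, in seconds, keyed by passcode length in digits.
ARTICLE_WORST_CASE = {
    4: 13 * 60,        # 13 minutes
    6: 22.2 * 3600,    # 22.2 hours
    8: 92 * 86400,     # 92 days
    10: 25 * YEAR,     # 25 years
}


def implied_seconds_per_guess(figures=ARTICLE_WORST_CASE):
    """Mean cost of one guess implied by the quoted worst-case times."""
    costs = [seconds / 10 ** digits for digits, seconds in figures.items()]
    return sum(costs) / len(costs)


def search_time(alphabet_size, length, secs_per_guess):
    """(average, worst) seconds to find a uniformly random code by exhaustive search."""
    worst = alphabet_size ** length * secs_per_guess
    return worst / 2, worst


def min_length_for(alphabet_size, target_avg_seconds, secs_per_guess):
    """Shortest code length whose average search time reaches the target."""
    length = 1
    while search_time(alphabet_size, length, secs_per_guess)[0] < target_avg_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = implied_seconds_per_guess()
    print(f"implied cost per guess: {rate * 1000:.0f} ms")
    # Alphabet sizes are assumptions: digits, lowercase+digits, letters+digits.
    for name, size in (("digits", 10), ("lowercase+digits", 36), ("letters+digits", 62)):
        for length in (6, 8, 10):
            avg, worst = search_time(size, length, rate)
            print(f"{name:>16} x{length:<2} avg {humanize(avg):>22}  worst {humanize(worst)}")
        need = min_length_for(size, 10 * YEAR, rate)
        print(f"{name:>16}: {need} characters for a 10-year average")
```

The figures only hold for codes chosen at random; a memorable date or pattern shrinks the effective keyspace well below these numbers.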

Switching to a longer passcode

If you are already using Apple's standard 6-digit code and want to update to a longer numeric or alphanumeric value, navigate to Face ID & Passcode or Touch ID & Passcode in the Settings app, enter your passcode and select Change Passcode.



Enter your passcode once more to reveal a passcode settings screen, then select Passcode Options. Choose either Custom Alphanumeric Code or Custom Numeric Code and plug in your desired passcode. Re-enter the code on the next screen to activate.

Erase Data

iOS presents the option to Erase Data, which wipes an iPhone or iPad after ten failed attempts. Enabling Erase Data might not protect against GrayKey intrusions, as the tool's mechanics are thought to bypass the token-based functionality. For common brute force attacks, however, we recommend switching this function on if your device contains sensitive information.

Comments

  • Reply 1 of 54
    The budget model will be this year's hottest Christmas gift.
  • Reply 2 of 54
    foggyhill Posts: 4,767 member
    alphanumeric all the way, if they're ready to go 10 years for my phone's data, I'm sure I deserve their effort ;-).

    Apple will likely cut this thing out soon so hey.

    That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
  • Reply 3 of 54
    tallest skil Posts: 43,388 member
    foggyhill said:
    That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
    Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.
  • Reply 4 of 54
    foggyhill said:
    That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
    Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.
    Except it is now trivial to record with the camera or voice memo and so them doing so will see all evidence obtained this way inadmissible in court.
  • Reply 5 of 54
    tallest skil Posts: 43,388 member
    Except it is now trivial to record with the camera or voice memo and so them doing so will see all evidence obtained this way inadmissible in court.
    You seem unfamiliar with how banana republics work.  :p
  • Reply 6 of 54
    Soli Posts: 10,038 member
    By my last count, since you can't use emoji in your passcode (yet), a 4-character passcode with the iOS keyboard is a little over 1 billion combinations.
    edited April 2018
  • Reply 7 of 54
    JFC_PA Posts: 947 member
    foggyhill said:
    That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
    Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.
    Fingerprint or face? Only in response to an appropriate warrant. 
  • Reply 8 of 54
    This is why I use my big toe to unlock my phone. 
  • Reply 9 of 54
    Soli Posts: 10,038 member
    This is why I use my big toe to unlock my phone. 

  • Reply 10 of 54
    dunks Posts: 1,254 member
    foggyhill said:
    alphanumeric all the way, if they're ready to go 10 years for my phone's data, I'm sure I deserve their effort ;-).

    Apple will likely cut this thing out soon so hey.

    That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
    This. I just changed to a long alphanumeric password, mostly to deter theft. 
    edited April 2018
  • Reply 11 of 54
    georgie01 Posts: 437 member
    I use a reasonably long alphanumeric passcode which is based on a visual pattern. It’s quite safe. Except I also use FaceID which means law enforcement may be able to force me to unlock it without much effort :)

    It’d be nice if there was a single quick action which could be taken to disable FaceID for one login—like a wink, or a smile, or lack of a smile, etc., something user definable.
  • Reply 12 of 54
    anderkh Posts: 24 member
    georgie01 said:
    I use a reasonably long alphanumeric passcode which is based on a visual pattern. It’s quite safe. Except I also use FaceID which means law enforcement may be able to force me to unlock it without much effort :)

    It’d be nice if there was a single quick action which could be taken to disable FaceID for one login—like a wink, or a smile, or lack of a smile, etc., something user definable.
    Squeeze your iPhone X for 2 seconds making sure to get the sleep button and one volume button, and Face ID is disabled until you enter your passcode.
  • Reply 13 of 54
    gatorguy Posts: 24,622 member
    I doubt very many of us have the level of "sensitive information" on our phones that would dictate we should use long alpha-numeric pass codes to prevent Graykey from accessing it. First: Why would law enforcement have any interest whatsoever in your iPhone? Second: What the heck do you have on there so important to protect. Third: Is the reason they would want to access your device important enough for the substantial time and money involved to do so? Sidenote: If you'd answer "yes" to number three that potentially (not necessarily) raises safety questions for those around you IMHO.

    If you have legitimate highly sensitive information there and have a fear that you may be targeted by an investigative agency who also believes they have a legitimate need to look at it and you need to keep out of their hands then by all means set up the longest pass code you can remember. Otherwise I'm not convinced hand-wringing and worry over Graykey are warranted. The standard 6 digit pass-code should be quite sufficient. Just my opinion.
  • Reply 14 of 54
    Soli Posts: 10,038 member
    gatorguy said:
    I doubt very many of us have the level of "sensitive information" on our phones that would dictate we should use long alpha-numeric pass codes to prevent Graykey from accessing it. First: Why would law enforcement have any interest whatsoever in your iPhone? Second: What the heck do you have on there so important to protect. Third: Is the reason they would want to access your device important enough for the substantial time and money involved to do so? Sidenote: If you'd answer "yes" to number three that potentially (not necessarily) raises safety questions for those around you IMHO.

    If you have legitimate highly sensitive information there and have a fear that you may be targeted by an investigative agency who also believes they have a legitimate need to look at it and you need to keep out of their hands then by all means set up the longest pass code you can remember. Otherwise I'm not convinced hand-wringing and worry over Graykey are warranted. The standard 6 digit pass-code should be quite sufficient. Just my opinion.
    Would you say the same for a PC? Is a 6-digit PIN also "quite sufficient" there, because all the very personal data that could lead to stealing my identity via my Mac is mirrored on my iPhone?
  • Reply 15 of 54
    mattinoz Posts: 2,470 member
    They should improve the keypad for old school T9 text input. Maybe use a swipe off the key in four directions to add the 3 char as extra options. Expand 6 digits from 1mil to  combos to 191mil (87days assuming same test rate). Remove the dots allow variable with hash key as trigger.

    There seems to be many options Apple has here to expand scope and blow machine out of water while keeping easy for user.
  • Reply 16 of 54
    dysamoria Posts: 3,430 member
    gatorguy said:
    I doubt very many of us have the level of "sensitive information" on our phones that would dictate we should use long alpha-numeric pass codes to prevent Graykey from accessing it. First: Why would law enforcement have any interest whatsoever in your iPhone? Second: What the heck do you have on there so important to protect. Third: Is the reason they would want to access your device important enough for the substantial time and money involved to do so? Sidenote: If you'd answer "yes" to number three that potentially (not necessarily) raises safety questions for those around you IMHO.

    If you have legitimate highly sensitive information there and have a fear that you may be targeted by an investigative agency who also believes they have a legitimate need to look at it and you need to keep out of their hands then by all means set up the longest pass code you can remember. Otherwise I'm not convinced hand-wringing and worry over Graykey are warranted. The standard 6 digit pass-code should be quite sufficient. Just my opinion.
    Doesn't matter if you're an expensive target or not. If they have the device, they can use it on countless devices, including random people they might want to "investigate". Doesn't matter if they have a valid reason to suspect you or not. In a world where anyone can be declared a "terrorist" or some other "national security risk", anyone can be exposed to potential abuse by corrupt law enforcement agents who think their mission is more important than your civil rights.

    Also, identity theft is a money-making enterprise. Who's to say this device won't be bought by some group of phone thieves who steal phones for their credit card and other identity info? Buying an expensive device to steal a hundred times more from many phones would still be a profit for them.
  • Reply 17 of 54
    cgWerks Posts: 2,952 member
    gatorguy said:
    I doubt very many of us have the level of "sensitive information" on our phones that would dictate we should use long alpha-numeric pass codes to prevent Graykey from accessing it. First: Why would law enforcement have any interest whatsoever in your iPhone? Second: What the heck do you have on there so important to protect. Third: Is the reason they would want to access your device important enough for the substantial time and money involved to do so? Sidenote: If you'd answer "yes" to number three that potentially (not necessarily) raises safety questions for those around you IMHO.

    If you have legitimate highly sensitive information there and have a fear that you may be targeted by an investigative agency who also believes they have a legitimate need to look at it and you need to keep out of their hands then by all means set up the longest pass code you can remember. Otherwise I'm not convinced hand-wringing and worry over Graykey are warranted. The standard 6 digit pass-code should be quite sufficient. Just my opinion.
    Depends... when you're living in a 'State' with an irrational government, what's legal and good (and thus, what is illegal and 'bad') might vary dramatically. But, I also somewhat agree, given technology is at the level where evidence is pretty easy to fabricate (given the above irrational/unethical government). So, we're probably screwed even if we aren't doing anything wrong and have nothing on our phones to incriminate us.
  • Reply 18 of 54
    tadd Posts: 136 member
    It seems like we should have the option of biometric, or password, or BOTH within a short period of time.  That would fix them. 

    It would also be nice if Apple closed this bug which gets around the longer and longer wait periods between attempts. 

    I'd also like a feature where if anybody yelled in anger near my phone that it would not unlock without then requiring BOTH, else it would require just biometric.  

    How about if facial recognition could let me program in a winking pattern or funny face or something?  Better, it could give me a clue of WHICH of the facial actions were required.  I'd know if the image on the screen raised an eyebrow that I'm supposed to frown.  or some such. 


  • Reply 19 of 54
    seanismorris Posts: 1,624 member
    As soon as I heard about the source code leak, I disabled the fingerprint reader for logins...

    I’ve always had the erase feature enabled.  And, my login passwords are now 24(+) characters. (Takes about 3 sec. to type)

    Most administer passwords have been 12 characters for a while now (for businesses).  The biggest problem is unknown or unpatched vulnerabilities.  

    The 4 digit passwords were laughable... they might keep unmotivated children out.
  • Reply 20 of 54
    tallest skil Posts: 43,388 member
    JFC_PA said:
    Fingerprint or face? Only in response to an appropriate warrant. 
    I believe both, and warrants don’t matter or exist anymore. This isn’t about law; this is about when law fails you. Are you still secure then? No.
    This is why I use my big toe to unlock my phone. 
    TouchID is surprisingly responsive to non-standard skin patterns.
    tadd said:
    It seems like we should have the option of biometric, or password, or BOTH within a short period of time.  That would fix them. 
    I still want an option where the device tells you that the password is wrong after the first time you type it correctly, forcing you to do it twice (or more) for actual entry.