Almost a month has passed since the security firm Malwarebytes leaked the images of the so-called iPhone unlocking hardware GrayKey Box – a boon for the security agencies.
The company named GrayShift developed the black box. The device comes in $15,000 and $30,000 variants with the former being geofenced and having an unlocking count of 300.
Earlier, it was known that GrayKey box would take around 4 hours for GrayKey to crack a 4-digit iPhone passcode and around 3 days for a 6-digit passcode. It seems it may have better capabilities.
Over the years, Apple has implemented many measures to safeguard the security of iOS devices. This includes disk encryption, mandatory 6-digit passcode, Secure Enclave chip, and data wipe after 10 failed passcode attempts. Also, the wait time increases after every failed passcode attempt. It can lock you out of your device for 48 years or maybe longer.
But all of that might fall short in front of GrayKey or some other iPhone cracking method. If GrayKey works as advertised, it may be bypassing Apple’s security measures to carry on with the passcode guessing game.
Mathew Green, an assistant professor and cryptographer at John Hopkins Information Security Institute, crunched the numbers to give an idea of the strength of the passcode in front the iPhone cracking methods.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
If the iPhone cracking device like GrayKay can guess passcode as quick as Apple estimated in its iOS security guide, a 6-digit code could be cracked in 11 hours average. Even if it isn’t that fast, GrayKey may do so in a couple of days.
On a safer side, one could go for 10-digit one as it would take more than 12 years to compromise. It’s a complete no for a 4-digit PIN, just 6.5 mins average cracking time. Four-digit passcodes are now out of fashion.
Given the rise in adoption of the device, it could make some people uncomfortable because their 6-digit passcode isn’t the best protection out there. But the GrayKey is only limited to cops, not for some pickpocket in the subway.
Security experts suggest that people should use an alphanumeric passcode (7-digit at least) instead. Complete with uppercase, lowercase, and special symbols, such password can sustain dictionary attacks. It can be longer than six characters and also it’s harder to crack than the numeric one. Although, some people might have trouble recalling it during the initial days.
How to enable an alphanumeric passcode on your iPhone?
Go to Settings > Touch ID & Passcode (enter Passcode) > Change Passcode (enter Passcode). Next, tap Passcode options and choose Custom Alphanumeric Code to set a new passcode with letters and numbers.
Make sure password isn’t something like Kitty123. There is no point in choosing in it in the first place because the goal is to make it as random as possible. The passcode cracking assumptions are based on random decimal passcode. If you want, you can enable it using the Custom Numeric Code option.