Apple iPhone Passcodes: Little To No Protection

October 18, 2018
Apple iPhone Passcodes - Little To No Protection

Anyone using a four or six-digit passcode on your iPhone? If so, you need to change it immediately because your device has little to no protection. This advice comes after an anonymous source provided security firm Malwarebytes with evidence of a cheap technology which promises to crack any iPhone.

Developed by long-time US intelligence agency contractors and an ex-Apple security engineer, the product known as GrayKey claims it can crack any iPhone running iOS 10 or 11 using Brute force – a trial and error method used by application programs to decode encrypted data such as passwords.

“GrayKey is a grey box, four inches wide by four inches deep by two inches tall, with two lightning cables sticking out of the front,” Malwarebytes explained.

“Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked.

“Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source.

“It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.”

After the device is unlocked, the full contents are downloaded to the GrayKey device where they can be accessed through a web-based interface on a connected computer.

Based on the claims made by Grayshift and Apple’s delays between password attempts, assistant professor and cryptographer at the Johns Hopkins Information Security Institute Matthew Green did the maths to find out just how vulnerable passcodes are.

Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):


4 digit passcodes: ~13min worst (~6.5avg)

6 digit passcodes: ~22.2hrs worst (~11.1avg)

8 digit passcodes: ~92.5days worst (~46avg)

10 digit passcodes: ~9259days worst (~4629avg)

Based on his findings, your best bet would be to change your password to 10 digits because that would take as much at 25 years for the tool to crack – the average was 12 years. “People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least seven characters long and has a mix of at least upper-case letters, lower case letters, and numbers,” he told Motherboard.

Adding symbols is recommended and the more complicated and longer the passcode, the better.

Likewise, you can turn on a setting that wipes all data from the phone after 10 failed passcode attempts.

With today’s progressive cyber criminals, we need all the help we can get in making sure all our devices are secure.

About the author

Leave a Reply