Police and other law-enforcement agencies now have inexpensive access to a hacking device that can crack iPhone and iPad passwords in a matter of minutes. First reported in early March by Forbes, GrayKey, from a company called Grayshift, is designed for turn-key cracking of iOS passcodes.
In mid-March, Malwarebytes explored the device in greater depth, noting that a four-digit PIN could be cracked in a couple of hours and a six-digit PIN would require as many as a few days.
Motherboard extended this reporting a few days ago with more details about how GrayKey has been used in the field. And last Monday, security researcher Matthew Green posted a message on Twitter showing the theoretically fastest cracking time possible given the parameters he knew, which brought the issue back to the fore given the potential for even quicker breaking of six-digit PINs.
GrayKey has two Lightning plugs, and requires iOS devices to be connected for about two minutes, after which the cracking starts on the device. It’s not currently known what exploits the company uses to accomplish this on-device feat that also disables a number of passcode-retry and re-entry delay strategies Apple started building in years ago. You can expect Apple is working all its angles to discover the exploit and patch it, as it’s done for any techniques for jailbreaking iOS or bypassing security in the past.
If you’re not involved in criminal, civil, or political behavior that might subject you to law-enforcement action, you might think that GrayKey is of no importance to you, as your device would never be subject to it. And in many countries, including the U.S., courts can compel you to provide information to unlock a device, with penalties of imprisonment if you fail, too, which have been effective so far in cases in which this has emerged.
But the mere existence of GrayKey means it’s possible, even likely, that there are other people who have discovered similar paths, and that unless Apple patches this vector, less-polished devices will wind up in the hands of criminals, even organized syndicates, who can then make use of stolen phones in a way they haven’t been able to before.
What can you do to better secure yourself, if you haven’t taken these steps before? Switch to a longer PIN or a sufficiently long and complicated passcode and enable Find My iPhone/iPad. Here’s how.
Pick a stronger passcode
Apple started pushing six-digit PINs with iOS 9, likely because it was aware of how rapidly the right hardware and phone-cracking software could pick a four-digit “lock.” However, it didn’t force owners with older devices to upgrade to six digits, and you can downgrade to four digits after setting up a longer PIN.
The ease with which GrayKey can crack a six-digit PIN means they’re no longer secure enough. A seven-digit PIN would extend days to weeks of cracking, and an eight-digit PIN would extend that to several weeks or a few months.
Security researcher Green recommends an even longer numeric PIN, because, like a phone number, it can ultimately be memorized. (Please don’t pick anything that looks like a phone number, however.) A 10-digit PIN would take over a decade on average to crack using an on-device tool on average, according to his calculations.
I recommend using Diceware or similar approach, which involves rolling for or using a generator to create a set of words unlikely to appear together and that add up to enough length to defeat brute-force cracking, like this one I just generated:
departed-refute-armored-clock-stinky. (The time to crack on the site linked for Diceware is for generic offline cracking of passwords, not the GrayKey on-device method, which is substantially slower.)
Many security experts recommend long passphrases comprising words because they’re more likely to be memorized, and dictionary-based cracking tools—even ones that use frequency analysis and other predictors of words to occur together—won’t help for unlikely combinations.
These are more tedious to enter—mine is over 20 characters and has some punctuation separating the words—but they’re easier to retain and can be very strong. I rely on 1Password’s password generator feature to create these, but many password safes and other tools can create word-based long passwords. Do not use common phrases or common words with a few numbers or punctuation marks added.
Based on how GrayKey works, more sophisticated attacks that require massive dictionaries don’t appear to be feasible, because of how the tool runs on the iOS device itself. That could change, of course.
How to set your passcode in iOS
Here’s how to set a longer passcode or one make of words and punctuation:
- Launch Settings and tap Passcode or Touch ID & Passcode or Face ID & Passcode.
- Enter your current passcode.
- Tap Change Passcode.
- Tap Passcode Options.
- For a longer numeric passcode, tap Custom Numeric Code. For ones with more than just numbers, tap Custom Alphanumeric Code.
- Enter the new code and verify it.
Apple instituted an additional Touch ID expiration period of six days on top of existing passcode entry requirements more than two years ago. If you haven’t entered your passcode for any reason, including restarting your device, for more than six days, you’ll be prompted for it after eight hours of not unlocking your phone with a Touch ID. For many people, that will happen in the morning.
Enable Find My iPhone/iPad
Apple added an activation lock in iOS 7 that connects Find My iPhone (labeled Find My iPad on those devices) to your iCloud account. Even if an iOS device is erased, so long as Find My iPhone was active, it can’t be used again without access to the iCloud account password.
While you might think that having your phone’s passcode cracked would be enough harm, because someone could then obtain access to everything on your device, Find My iPhone can offer two bits of piece of mind.
First, you can use Find My iPhone to mark that you want your device erased. This will happen either immediately if the iOS device is connected to the internet, or the next time it comes online. I assume GrayKey has methods to prevent the device from accessing the internet after being cracked, too, but that’s not useful for those whose intent is reselling it. And they may make a mistake.
Second, the activation lock feature means that even if the phone or tablet is erased, it can’t be reset and resold. This may seem like a false victory to you—your hardware is still in somebody else’s hands. But it deters theft in general, and any criminal or gang that uses tools like those in the GrayKey to crack phones will be reminded quickly that there’s little utility in it for extracting cash.