If you’ve been following the encryption debate closely, you’ve likely heard about the GrayKey. It’s a device made to crack iPhone security. It takes advantage of an unknown exploit in iOS that allows it to make many “guesses” without resetting the device. As such, it can do tens of thousands of guesses a day. It’s fast too. If you have a 4-digit passcode, your iPhone can be hacked in under 15 minutes.
If you haven’t already, go ahead and increase the number of digits in your iPhone passcode.
Passcodes Hacked in Minutes
Who Has the GrayKey?
Enough people have the GrayKey that you should be seriously concerned about it.
What Can Apple Do?
However, thanks to this bug, the iPhone can be run through millions of incorrect guesses. No iOS device should ever be capable of that. In the past, hardware hacks involving cutting power have worked, but Apple patched those exploits using a software update.
Apple may have difficulty getting their hands on the GrayKey, but now that it’s on sale, it shouldn’t be too hard for them to get one. It’s impossible to stop the spread of secrets like this. Eventually, Apple will get a GrayKey or reverse engineer it. From there, they’ll be able to close this security hole, locking out everyone who bought a GrayKey. They’ll have $30,000 paperweights.
What Can You Do?
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
A 4-digit passcode can be hacked in minutes. However, a 10-digit passcode would take up to 25 years. By then, your phone would be worthless to thieves, and likely to law enforcement too. A passcode longer than 10 digits would likely last a lifetime. Therefore, you should come up with a randomly generated passcode, not something based on birthdays or anniversaries, and use that. Make sure it’s at least 10 characters long (look here if you want it to be just numbers). An alphanumeric passcode is great, but numbers are easier to enter. If you’re only using numbers though, make sure it’s 10+ digits long. The longer your passcode, the safer your device is. Even the GrayKey can’t get past a long passcode.
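The estimates quoted above can be reproduced and extended to alphanumeric passcodes. This is an added example, not code from the original post or from any tool it mentions; the figure of about 80 ms per guess is an assumption back-derived from the quoted numbers (10^6 guesses in roughly 22.2 hours), and all function names are illustrative.

```python
import secrets
import string

# Assumption: ~80 ms per guess, back-derived from the figures quoted above
# (10**6 guesses in ~22.2 hours). It is not a measured property of any device.
SECONDS_PER_GUESS = 0.08
SECONDS_PER_YEAR = 365.25 * 86400

ALPHABETS = {
    "digits": string.digits,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "mixed-case+digits": string.ascii_letters + string.digits,
}

def worst_case_seconds(alphabet_size, length, seconds_per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode of this length (the average is half of this)."""
    return (alphabet_size ** length) * seconds_per_guess

def min_length(alphabet_size, target_years, seconds_per_guess=SECONDS_PER_GUESS):
    """Shortest random passcode whose worst-case search time reaches target_years."""
    target_guesses = target_years * SECONDS_PER_YEAR / seconds_per_guess
    length = 1
    while alphabet_size ** length < target_guesses:
        length += 1
    return length

def random_passcode(length, alphabet=string.digits):
    """Draw each character uniformly from the OS CSPRNG (no dates, no patterns)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for n in (4, 6, 8, 10, 12):
        worst = worst_case_seconds(10, n)
        print(f"{n:>2} digits: worst {human(worst)}, average {human(worst / 2)}")
    for name, alphabet in ALPHABETS.items():
        print(f"{name}: {min_length(len(alphabet), 25)} random characters for 25 years worst case")
    print("example random 10-digit passcode:", random_passcode(10))
```

The numbers only hold for passcodes chosen uniformly at random; a birthday or a repeated pattern falls far earlier in any sensible guessing order.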
We’re going to be stuck with this for some time. Apple likely won’t have a fix for a few months. However, if you make yourself secure now with a long passcode, it’ll save you in the future, in case a hack like this comes around again. And it will. Hackers are clever. But if you use a long passcode, you’ll be safe, for now. The FBI is still trying to violate Apple’s rights and global security to create an easily exploitable backdoor through all digital security.