Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average
Law enforcement agencies have a new iPhone cracking tool that works with all modern iPhones and the newest versions of iOS 11, the GrayKey, designed by a company called Grayshift.
Previous reports have suggested the GrayKey can crack 4-digit passcodes in a matter of hours and 6-digit passcodes in days, but as highlighted by VICE's Motherboard, cracking times for the GrayKey and other similar iPhone unlocking methods can potentially be even faster and 6-digit passcodes no longer offer adequate protection.
GrayKey iPhone cracking box, via MalwareBytes
Matthew Green, assistant professor and cryptographer at John Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple's passcode-guessing protections, a 4-digit passcode is crackable in 6.5 minutes on average, while a 6-digit passcode can be calculated in 11 hours.
Apple does have built-in options to erase an iPhone after 10 incorrect passcode guessing attempts and there are automatic delays after a wrong passcode has been entered more than five times, but GrayKey appears to bypass these protections.
It's not clear if the GrayKey can reach the fastest unlocking times outlined by Green, but even at slower unlocking speeds, it only takes days to get into an iPhone with a 6-digit passcode. Comparatively, it takes over a month to crack an iPhone with an 8-digit passcode, or more than 13 years to get into an iPhone with a 10-digit passcode.
With the release of iOS 9 in 2015, Apple switched from a four digit passcode to a 6-digit passcode as the default, making iOS devices more secure, but for those concerned about their iPhones being accessed either by law enforcement with the GrayKey or by a hacker with a similar cracking tool, a 6-digit passcode is no longer good enough.
Several security experts who spoke to Motherboard said people should use an alphanumeric passcode that's at least seven characters long and uses numbers, letters, and symbols.
You'll be asked to enter your new passcode on this screen, but you'll actually want to tap on the blue "Passcode Options" text towards the middle of the display. Choose "Custom Alphanumeric Code" to enter a passcode that consists of letters, numbers, and symbols.
With an alphanumeric passcode in place, you'll no longer be presented with a numeric keyboard when unlocking your iPhone, and instead, you'll see a full keyboard available to type in your passcode.
There's a definite compromise between easy device accessibility and security when using a longer alphanumeric passcode like this. It's a lot easier to type six numbers than it is to type a mixed character alphanumeric passcode into an iOS device, but for complete security, longer and more complex is the way to go.
Previous reports have suggested the GrayKey can crack 4-digit passcodes in a matter of hours and 6-digit passcodes in days, but as highlighted by VICE's Motherboard, cracking times for the GrayKey and other similar iPhone unlocking methods can potentially be even faster and 6-digit passcodes no longer offer adequate protection.
Matthew Green, assistant professor and cryptographer at John Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple's passcode-guessing protections, a 4-digit passcode is crackable in 6.5 minutes on average, while a 6-digit passcode can be calculated in 11 hours.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
— Matthew Green (@matthew_d_green) April 16, 2018
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
Apple does have built-in options to erase an iPhone after 10 incorrect passcode guessing attempts and there are automatic delays after a wrong passcode has been entered more than five times, but GrayKey appears to bypass these protections.
It's not clear if the GrayKey can reach the fastest unlocking times outlined by Green, but even at slower unlocking speeds, it only takes days to get into an iPhone with a 6-digit passcode. Comparatively, it takes over a month to crack an iPhone with an 8-digit passcode, or more than 13 years to get into an iPhone with a 10-digit passcode.
With the release of iOS 9 in 2015, Apple switched from a four digit passcode to a 6-digit passcode as the default, making iOS devices more secure, but for those concerned about their iPhones being accessed either by law enforcement with the GrayKey or by a hacker with a similar cracking tool, a 6-digit passcode is no longer good enough.
Several security experts who spoke to Motherboard said people should use an alphanumeric passcode that's at least seven characters long and uses numbers, letters, and symbols.
"People should use an alphanumeric passcode that isn't susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers," Ryan Duff, a researcher who's studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. "Adding symbols is recommended and the more complicated and longer the passcode, the better."To change your iPhone's passcode from a simple numeric 6-digit passcode to something more secure, you'll need to use the Settings app. Go to "Face ID & Passcodes" in the Settings app, enter your current passcode, scroll down, and then choose "Change Passcode."
You'll be asked to enter your new passcode on this screen, but you'll actually want to tap on the blue "Passcode Options" text towards the middle of the display. Choose "Custom Alphanumeric Code" to enter a passcode that consists of letters, numbers, and symbols.
With an alphanumeric passcode in place, you'll no longer be presented with a numeric keyboard when unlocking your iPhone, and instead, you'll see a full keyboard available to type in your passcode.
There's a definite compromise between easy device accessibility and security when using a longer alphanumeric passcode like this. It's a lot easier to type six numbers than it is to type a mixed character alphanumeric passcode into an iOS device, but for complete security, longer and more complex is the way to go.
[ 288 comments ]
Top Rated Comments
(View all)
16 months ago
Concerning that they can bypass Apple's "10 strikes and you're out" feature.
16 months ago
I wonder how long it would take for it to guess this password:
[MEDIA=youtube]IPphyjkXnPc[/MEDIA]
[MEDIA=youtube]IPphyjkXnPc[/MEDIA]
16 months ago
You mean not everyone is using a memorized 64 character random string? lol. They deserve getting hacked then.
/sarcasm
/sarcasm
16 months ago
Apple: fix this. If I activate a feature that is supposed to wipe out the phone after 10 incorrect password guesses, I expect it to work.
16 months ago
No user should be using a numeric only passcode. It should be custom Alphanumeric. Period. Doesn't matter if you're doing something wrong or if you have nothing to hide.
Don't be ****ing lazy. Think of the children.
Don't be ****ing lazy. Think of the children.
16 months ago
0 1 2 3 4 5 6 7 8 9
It will take them 13 years!
People mess up by not using the 0 first... much more secure
It will take them 13 years!
People mess up by not using the 0 first... much more secure
16 months ago
If only I could access 1Password from the lock screen. I’d have a 30+ digit, mixed case, alphanumeric passcode.
16 months ago
Sigh. Fine. I’m going to pick a random Welsh street sign and add my high school gym locker combination to it.
16 months ago
I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.
Yeah, no. Mixed case with numbers and special characters is drawing from a set of about 70 characters and 70^25 is over 10^46. If you try a billion passwords a second, that still takes over 10^29 years for an exhaustive search, or about 10^19 times the age of the universe. No one is brute-forcing passwords of that length.
Now, people are generally crap at picking passwords, so that 25-character password isn't random, and is probably made of a few words with predictable case patterns and character substitutions, substantially reducing that space. However, it's far more likely there's a bug in the code that implements all that, and any crack is taking advantage of that exploit instead of searching for the actual password.
16 months ago
I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.
Total and utter bull that can be brute forced.
And do you know why I know that (other than the mathematical impossibility)? Because anybody with that capability wouldn't be posting here.
[ Read All Comments ]
Twelve South today announced its latest HiRise accessory, called the "HiRise Wireless," and it's available to purchase now on Twelve South's website. The new accessory is a...
OWC, a well-known maker of storage solutions for Macs and PCs, today debuted what it says is "the fastest USB-C SSD ever."
The new OWC Envoy Pro EX with USB-C is a bus-powered NVMe...
Apple accessory maker Mophie today debuted a three-in-one portable battery pack, wall charger, and wireless charging pad.
The new Powerstation Hub is equipped with a 6,100mAh battery, one 5W...
Encrypted messaging platform Telegram has pushed out an update that introduces a number of new location-based features, including the ability to Add People Nearby.
Users of the chat app can open...
Apple has released the first public beta of macOS Catalina, the next major version of its Mac operating system due to launch in the fall. The availability of the public beta means Mac users don't...
Apple has released the first public beta of iOS 13 for compatible iPhone and iPod touch models, enabling users who aren't signed up for the Apple Developer Program to test the software update...
iOS 13 may come with built-in support for Hong Kong's Octopus contactless payment system, if a few lines of code discovered on Apple's servers are any indication.
Tech blog Ata Distance...
Apple today seeded the first beta of an upcoming tvOS 13 software update to its public beta testing group, giving non-developers a chance to try out the new software ahead of its fall public release....
