iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average

Law enforcement agencies have a new iPhone cracking tool that works with all modern iPhones and the newest versions of iOS 11, the GrayKey, designed by a company called Grayshift.

Previous reports have suggested the GrayKey can crack 4-digit passcodes in a matter of hours and 6-digit passcodes in days, but as highlighted by VICE's Motherboard, cracking times for the GrayKey and other similar iPhone unlocking methods can potentially be even faster and 6-digit passcodes no longer offer adequate protection.

GrayKey iPhone cracking box, via MalwareBytes

Matthew Green, assistant professor and cryptographer at John Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple's passcode-guessing protections, a 4-digit passcode is crackable in 6.5 minutes on average, while a 6-digit passcode can be calculated in 11 hours.


Apple does have built-in options to erase an iPhone after 10 incorrect passcode guessing attempts and there are automatic delays after a wrong passcode has been entered more than five times, but GrayKey appears to bypass these protections.

It's not clear if the GrayKey can reach the fastest unlocking times outlined by Green, but even at slower unlocking speeds, it only takes days to get into an iPhone with a 6-digit passcode. Comparatively, it takes over a month to crack an iPhone with an 8-digit passcode, or more than 13 years to get into an iPhone with a 10-digit passcode.

With the release of iOS 9 in 2015, Apple switched from a four digit passcode to a 6-digit passcode as the default, making iOS devices more secure, but for those concerned about their iPhones being accessed either by law enforcement with the GrayKey or by a hacker with a similar cracking tool, a 6-digit passcode is no longer good enough.

Several security experts who spoke to Motherboard said people should use an alphanumeric passcode that's at least seven characters long and uses numbers, letters, and symbols.

"People should use an alphanumeric passcode that isn't susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers," Ryan Duff, a researcher who's studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. "Adding symbols is recommended and the more complicated and longer the passcode, the better."

To change your iPhone's passcode from a simple numeric 6-digit passcode to something more secure, you'll need to use the Settings app. Go to "Face ID & Passcodes" in the Settings app, enter your current passcode, scroll down, and then choose "Change Passcode."

You'll be asked to enter your new passcode on this screen, but you'll actually want to tap on the blue "Passcode Options" text towards the middle of the display. Choose "Custom Alphanumeric Code" to enter a passcode that consists of letters, numbers, and symbols.


With an alphanumeric passcode in place, you'll no longer be presented with a numeric keyboard when unlocking your iPhone, and instead, you'll see a full keyboard available to type in your passcode.

There's a definite compromise between easy device accessibility and security when using a longer alphanumeric passcode like this. It's a lot easier to type six numbers than it is to type a mixed character alphanumeric passcode into an iOS device, but for complete security, longer and more complex is the way to go.

Top Rated Comments

(View all)
Avatar
33 months ago
Concerning that they can bypass Apple's "10 strikes and you're out" feature.
Score: 65 Votes (Like | Disagree)
Avatar
33 months ago
I wonder how long it would take for it to guess this password:

Score: 49 Votes (Like | Disagree)
Avatar
33 months ago
You mean not everyone is using a memorized 64 character random string? lol. They deserve getting hacked then.


/sarcasm
Score: 46 Votes (Like | Disagree)
Avatar
33 months ago
Apple: fix this. If I activate a feature that is supposed to wipe out the phone after 10 incorrect password guesses, I expect it to work.
Score: 33 Votes (Like | Disagree)
Avatar
33 months ago
No user should be using a numeric only passcode. It should be custom Alphanumeric. Period. Doesn't matter if you're doing something wrong or if you have nothing to hide.

Don't be ****ing lazy. Think of the children.
Score: 32 Votes (Like | Disagree)
Avatar
33 months ago
0 1 2 3 4 5 6 7 8 9

It will take them 13 years!

People mess up by not using the 0 first... much more secure
Score: 26 Votes (Like | Disagree)

Top Stories

Apple References Unreleased 2020 16-Inch MacBook Pro in Boot Camp Update

Monday October 26, 2020 8:42 am PDT by
Last week, Apple released an update for Boot Camp, its utility for running Windows on a Mac. While this update would typically be unremarkable, several of our readers noticed that the release notes reference an unreleased 2020 model of the 16-inch MacBook Pro. While this could easily be a mistake, the 16-inch MacBook Pro is nearly a year old, so it is certainly a worthy candidate for a...

MagSafe Charger Only Charges at Full 15W Speeds With Apple's 20W Power Adapter [Updated]

Monday October 26, 2020 3:38 pm PDT by
Alongside the iPhone 12 and 12 Pro models, Apple introduced a new MagSafe charger that attaches to the magnetic ring in the back of the devices, providing up to 15W of charging power, which is double the speed of the 7.5W Qi-based wireless charging maximum. Apple does not provide a power adapter with the $39 MagSafe charger, requiring users to supply their own USB-C compatible option. Apple...

Google Reportedly Pays Apple $8-12 Billion Per Year to be Default iOS Search Engine

Sunday October 25, 2020 2:59 pm PDT by
The United States Justice Department is targeting a lucrative deal between Apple and Google as part of one of the U.S. government's largest antitrust cases, reports The New York Times. On Tuesday, the Justice Department filed an antitrust lawsuit against Google, claiming the Mountain View-based company used anticompetitive and exclusionary practices in the search and advertising markets to ...

After Mocking Apple, Samsung May Remove Power Adapter From Galaxy S21 Box

Tuesday October 27, 2020 4:29 pm PDT by
Samsung's Galaxy S21, coming in 2021, may not include a power adapter or headphones in the box, according to reports from Korean media sites highlighted by SamMobile. Rumors earlier this year also said that Samsung was considering removing these accessories from future smartphone models, but that didn't stop Samsung from mocking Apple for selling the iPhone 12 models without a power adapter...

Report: Apple Silicon iMac Featuring Desktop Class 'A14T' Chip Coming First Half of 2021

Tuesday October 27, 2020 4:14 am PDT by
The first iMac powered by Apple Silicon is set to arrive in the first half of next year and will feature a desktop class "A14T" chip, according to Chinese-language newspaper The China Times. Codenamed "Mt. Jade," Apple's first custom-made desktop processor will be twinned with its first self-developed GPU, codenamed "Lifuka," both of which are being produced using TSMC's 5-nanometer process, ...

iPhone 12 Six-Foot Drop Test Results: Ceramic Shield More Durable But Not Damage Proof

Monday October 26, 2020 5:00 am PDT by
Apple's new iPhone 12 and iPhone 12 Pro feature a new Ceramic Shield screen that Apple says offers 4x better drop performance. To test that claim, Allstate Protection Plans put the two models through a range of breakability tests and recorded the results. In a face down sidewalk drop test at six feet, the iPhone 12 suffered small cracks and scuffed corners and edges, leaving sharp grooves in ...

Bloomberg: New AirPods and AirPods Pro Coming in 2021, AirPods Studio Delayed, Third HomePod Model Also Possible

Monday October 26, 2020 3:34 am PDT by
Apple plans to update its AirPods line next year with two new models including third-generation AirPods and second-generation AirPods Pro, according to a new report from Bloomberg. The Cupertino, California-based technology giant is working on two new models: third-generation entry-level AirPods and the second version of the AirPods Pro earbuds, according to people familiar with the plans. ...

2020 iPad Air vs. iPad Pro: Hands-On Comparison

Tuesday October 27, 2020 3:03 pm PDT by
Apple announced the new 2020 fourth-generation iPad Air in September, but the new tablets just started shipping out to customers last Friday. We picked one up and thought we'd do a hands-on comparison with the iPad Pro, which was last updated in March, because both tablets are about as powerful and share many similarities. Subscribe to the MacRumors YouTube channel for more videos. Design and ...

iPhone 12 Ceramic Shield Still 'Scratches at Level 6 With Deeper Grooves at Level 7' in Mohs Hardness Test

Wednesday October 28, 2020 7:10 am PDT by
iPhone 12 and iPhone 12 Pro models feature a new Ceramic Shield front cover that is "tougher than any smartphone glass," according to Apple, but the displays on the devices still have similar scratch resistance as previous iPhones based on a new test. Zack Nelson today shared his much-anticipated iPhone 12 Pro durability test on his YouTube channel JerryRigEverything, and based on the Mohs...

Apple Files Mystery 'Personal Computer' With Placeholder 'B2002' Name in Bluetooth Product Database

Tuesday October 27, 2020 12:36 pm PDT by
Last week, a listing appeared in the Bluetooth product database for an Apple product with a placeholder name "B2002" and a model number of "TBD." MacRumors was alerted to the listing by health and fitness tech website MyHealthyApple. The product is filed under the "personal computer" category, which Apple has used for previous Mac and iPad listings in the database, so it is hard to pinpoint...