iOS security is typically a hot topic, and it certainly has been lately, especially as cracking options start to find their way out into the real world.
Recently, for instance, it was reported that police departments in the United States are starting to buy Grayshift’s cracking option, what they call GrayKey, which is giving them unprecedented access to previously secured iOS devices. Now, in a new report from Motherboard, we can get a look at potential speeds at which GrayKey (and some other cracking options) can bypass a passcode.
Up to this point, there has been a debate on how fast something like GrayKey can bypass an iOS device that’s secured by a passcode. Of course, it depends on how many digits there are. A 4-digit passcode is the easiest to bypass, with expectations that it could last just a few hours. But, based on this report, it looks like it’s much, much faster.
As noted by Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, it might take GrayKey only six and a half minutes to bypass a 4-digit passcode. A six-digit passcode? About 11 hours on average, or just over 22 hours in a worst-case scenario:
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
The consensus, as is par for the course, is that utilizing a longer passcode is the best possible method. The best scenario, though, is a longer alphanumeric passcode:
“People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers,” Ryan Duff, a researcher who’s studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. “Adding symbols is recommended and the more complicated and longer the passcode, the better.”
The general rule of thumb has been the same for so many years: Use a long, complicated passcode for the best possible results. Going with a simple 4-digit code may be the easiest input option, but it isn’t the most secure.