How your iPhone can be hacked in 6 minutes

April 19, 2018

Is your iPhone secure enough from snoops and would-be hackers? If you think about it, our smartphones hold so much information about us.

It knows who your contacts and friends are, it takes snapshots of our lives through photos and videos, it knows where you’ve been and where you’re headed, your browsing habits, your financial transactions, and your shopping habits; it knows virtually everything about you!

I hope you’re using some kind of security system on your iPhone to protect your privacy. For most iPhone users, a passcode is enough to give them a good amount of reassurance that their gadget is safe.

But what if law enforcement gets involved? Are you sure your iPhone is still going to be uncrackable? Remember back in 2016, Apple and the FBI were in a legal tussle when the tech giant refused to forcibly unlock the iPhone of one of the San Bernardino shooters.

The FBI ultimately ended up using an undisclosed decrypting tool from a third party (possibly this one from a company called Cellebrite).

But it turns out, Cellebrite is not the sole iPhone unlocking game in town. A mysterious company based in Atlanta named Grayshift has developed a relatively inexpensive standalone gadget that can crack iPhone and iPad passcodes in mere minutes.

Behold the GrayKey

Visit Grayshift’s homepage right now and you’ll be greeted by its flagship product, a gadget called GrayKey.

It’s a sparse page – no specifications, no ad blurbs, no “Buy Now” button, no earth-shattering revelations about the device – just a simple tagline that reads “The state of the art has a new requirement.”

In line with Grayshift’s industrial secrecy, if you want to know more about GrayKey, you’ll need to request special access by filling out an application form.

Grayshift even proudly states that “GrayKey is not for everyone.” Since the GrayKey can be a devastating hacking tool, the company is most likely scrutinizing every applicant very closely.

Note: According to Malwarebytes, Grayshift was founded in 2016. It is a privately-held company with fewer than 50 employees. Its website is also protected by a portal that screens for law enforcement links.

What we know about GrayKey so far

Based on some reports, feelers and advertising brochures for GrayKey are now circulating within private online police and forensic groups.

Unlike Cellebrite, where customers have to send the iPhone to their facilities, Grayshift will ship the GrayKey device directly to its buyers.

According to leaked marketing materials, Grayshift is offering two models of GrayKey. The first one is a $15,000/year online model that has a limit of 300 iPhone or iPad unlocks. The higher-end offline model costs $30,000/year and it can be used an unlimited amount of times within the license period.

These prices may sound astronomical to the average consumer but to government agencies and private investigation companies, they’re probably going to be worth every penny spent. (For perspective, the FBI reportedly paid $900,000 to unlock the San Bernardino shooter’s iPhone.)

How does it work?

Software security company Malwarebytes describes the GrayKey as a “four inches wide by four inches deep by two inches tall” gray box, with two lightning cables sticking out of the front.

With these two Lightning cables, a user can connect two iPhones at one time for about two minutes. GrayKey then disconnects them after that and after some time, the iPhone will display a black screen with the passcode and other information.

 

 

This suggests that the GrayKey jailbreaks a connected iPhone, installs the hacking software then runs the cracking process on the device itself.

Malwarebytes said that the hacking times vary depending on the complexity of the passcode, taking up to three days or longer for six-digit passcodes.

Other GrayKey ads claim that the gadget can unlock iPhones and iPads running iOS 10 and 11 and will work with the latest models, including the iPhone 8 and X. Grayshift claims that even phones that are disabled can be unlocked.

Understandably, Grayshift doesn’t disclose what specific exploit methods GrayKey uses to unlock iPhones but it’s possible that it’s using the same techniques that Cellebrite uses – a zero-day flaw in Apple’s Secure Enclave. Note: The Secure Enclave is a dedicated chip on iPhones and iPads that handles security and encryption.

According to Ryan Duff, director of cyber solutions at Point3 Security, without an exploitable flaw that breaks the encryption, iPhone passcode hacks will always be of the brute-force variety.

This means hackers will have to guess the passcode via trial and error, an extremely time-consuming affair with a perfectly operational Secure Enclave. With the speed the GrayKey cracks an iPhone’s passcode, we can only assume it’s using brute force in tandem with a Secure Enclave exploit.

Matthew Green, a cryptographer and an assistant professor at John Hopkins University also believes that an exploit is indeed in play and based on the information at hand, he calculated the estimated times the GrayKey can crack passcodes of various lengths.

Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):

4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)

— Matthew Green (@matthew_d_green) April 16, 2018

According to his estimates, a 4-digit passcode can be unlocked by GrayKey at around 6.5 minutes, 6 digits at 11, 8 digits at 92 days and a 10-digit passphrase at around 4,629 days (that’s still 12 years and 8 months!)

Apple’s “fix”

Apple has not discovered the security flaws that the GrayKey and Cellebrite use but it made some key changes in iOS 11.3 to make cracking attempts by these types of methods more difficult.

According to a report from Motherboard, starting with iOS 11.3, an iPhone or iPad will save the last time a device has been unlocked (either by passcode, Touch ID or Face ID) or was connected to a computer. If seven days have elapsed since the last time iOS saved any of these activities, the Lightning port will be entirely disabled.

It’s always good practice to keep your iOS gadgets updated with the latest software versions and security fixes anyway.

Please pick a stronger passcode

Although iPhone cracking devices are meant for law enforcement agencies, what if they fall into the wrong hands? Imagine what a criminal can do with all that information if your iPhone is stolen. Since these cracking techniques and are now out there, a four-digit passcode just doesn’t cut it anymore.

Do the math on that and you’ll realize that a 4-digit code allows just 10,000 passcode combinations.

It’s also easy for someone to simply snoop behind your shoulders and see the simple combination you use to enter your passcode. And a relative or friend who knows you well might guess your four-digit passcode based on your personal information or another PIN you use a lot.

Thankfully, since iOS 9, Apple has expanded its passcode options. You can now choose between a four-digit numeric code, a six-digit numeric code, a custom numeric code, or a custom alphanumeric code.

These other options are definitely more secure than just the four-digit option.

Even a 5- or 6-digit PIN is exponentially safer than a 4-digit code – as long as it’s not 123456. From then on, the Lock Screen will show you the numeric keypad when it asks for your passcode.

For ultimate safety, I recommend a password that’s a combination of letters, numbers and symbols. Aim for at least eight characters.

Here’s how to change your iPhone or iPad passcode to a more secure one.

Go to Settings >> Touch ID & Passcode (Face ID & Passcode for the iPhone X) >> Tap Turn Passcode On >> Enter a six-digit passcode or tap Passcode Options and choose among the options we’ve listed above >> Enter your passcode again to confirm it and activate it.

Have a question about anything tech related? Kim has your answer! Click here to send Kim a question.

The Kim Komando Show is broadcast on over 450 stations. Click here to find the show time in your area.

In other news, here’s how cybercriminals are using your router to spread malware

We’ve always been warning you about how vulnerable your router can be if it’s not configured properly. Hackers can hijack it to harvest your personal information, commandeer your smart devices, install malware on your computer and redirect your traffic to fake websites.

This newly discovered malware campaign does precisely that. If you’re not careful, cybercriminals can quickly drain your bank accounts without warning! You have to read more about this hacking technique.

Tags: Apple, Apple iPhone, cybercriminals, hackers, malware, security