A recent article by Thomas Brewster at Forbes highlights the fact that the FBI is able to unlock iPhones using a product called Graykey. Specifically, a product called Graykey was used in a case against Baris Ali Koch to unlock Koch’s iPhone – an iPhone 11 Pro. Graykey works by bypassing the timeout functionality in iOS and allows for brute forcing of the passcode or password.

Graykey not only works on the newest iPhones, it also works on older versions – and is advertised as doing so. iOS 13 was supposed to defend against this type of brute force device, but it clearly does not. If the FBI already has this capability to unlock iPhones, why are they demanding Apple to unlock the iPhone 5 and 7 from the Pensacola case? The US government, and other governments around the world, have been making such a big deal of demanding backdoors be built into encryption for years now – likely to set some precedence to force companies to work with them.

iPhone 11 Pro users should consider checking the strength of their passcode, at the least

If you’re using an iPhone 11 Pro, it’s advisable that you switch from using a regular 6 digit pin to a long passcode. It takes Graykey an average of 6.5 minutes to crack a four digit passcode. For a six digit passcode, the time needed is 11.1 hours on average. A 10 digit passcode, the maximum allowed, requires the Graykey an average of 4629 days to average.

Researcher Dr. Matthew Green of the Johns Hopkins University showed in 2018 that Graykey wouldn’t work as quickly on a longer numeric passcode – whether or not a longer alphanumeric password would be stronger depends on if you choose your passwords randomly, which is a rare occurrence. For more information about password and passcode entropy, refer to this two year old, but still extremely relevant Twitter thread.

iPhone privacy and security is not as promised

Following the recent news of the iPhone 11 Pro being vulnerable to Graykey, Dr. Green tweeted again:

https://twitter.com/matthew_d_green/status/1217848456582246400

The real pertinent question that Apple users should be asking themselves is why a phone and operating system that was marketed as being so private continually is proven to be not so private. Apple has known about Graykey for years now, yet their Secure Enclave Processer is still not secure. Of course, the possibility of that being a result of human error is there, and Hanlon’s Razor tells us that we shouldn’t attribute to malice that which is equally explainable by stupidity. I believe we’re past the point of being able to blame stupidity, and it’s entirely necessary to consider that Apple leaves sidedoors for law enforcement to walk through while publicly benefiting from a standoff with the governments’ requests to make backdoors – all in the name of the same PR and marketing goal as when they tout the questionable security and privacy of their devices.

Featured image from Tatsuo Yamashita via CC By 2.0 License.