Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Researcher estimates GrayKey can unlock 6-digit iPhone passcode in 11 hours, here's how to protect yourself

GrayKey forensic tool. | Source: MalwareBytes

Last updated

New estimates from a security researcher suggest GrayKey, a digital forensics tool in active use by U.S. law enforcement agencies, is capable of cracking Apple's standard six-digit iPhone passcode in an average of 11 hours. Longer codes, however, could take years to process. Here's how to beef up your handset's security.

Taking a closer look at GrayKey, Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, says the iPhone unlocking device has the potential to crack a simple four-digit code in six and a half minutes, or 13 minutes at the longest.

According to his calculations, Green estimates a six-digit passcode takes up to 22.2 hours to break, while processing an 8-digit code can take as few as 46 hours or up to 92 days. That figure jumps to 25 years, or 12 years on average, for strong 10-digit passcodes made up of random numbers.

Green published the estimates in a tweet picked up by Motherboard on Monday.

Notably, Green's estimates are much faster than those reached in previous reports, which guessed a six-digit passcode would take "days" to crack.

The latest assessment assumes GrayKey uses an exploit that bypasses Apple's built-in security protections. Specifically, iOS delays multiple incorrect passcode attempts in a bid to thwart brute force attacks. These pauses are enabled after four consecutive attempts and run from one minute for a fifth unsuccessful attempt to one hour for the ninth consecutive error.

Further, users can elect to wipe their iPhone's data after ten consecutive failed attempts. GrayKey seemingly bypasses this failsafe, as well.

As suggested in previous reports, GrayKey developer Grayshift is thought to rely on an undisclosed iPhone jailbreak or zero-day exploit to achieve the relatively quick turnover. The firm markets GrayKey in a $15,000 internet-connected "flavor" with limited unlocks and a $30,000 unrestricted version.

Enable passcode

Six-digit passcodes became the norm for iOS in 2015 with the release iOS 9. Previously, Apple required a simple four-digit passcode to protect iPhone and iPad from would-be intruders, but policies changed with the advent of advanced biometrics like Touch ID and, more recently, Face ID. The specter of warranted — and unwarranted — government access to consumer devices is also thought to have played a role in Apple's move to longer, more secure codes.

Enable iOS Passcode

If you are currently operating an iPhone or iPad without a passcode, navigate to Face ID & Passcode or Touch ID & Passcode in the Settings app and select Turn Passcode On. You will be presented with an option to enter a six-digit passcode, but that option is made less secure with tools like GrayKey.

Instead, select the Passcode Options link to enter a custom numeric code or custom alphanumeric code. As noted by Green, an 8-digit code now offers a moderate level of security, while 10-digit codes provide even stronger protection. Alphanumeric passwords with random letter, number and symbol combinations typically provide the highest level of security.

Enter your new passcode or password into the box and reconfirm on the next screen to activate.

Switching to a longer passcode

If you are already using Apple's standard 6-digit code and want to update to a longer numeric or alphanumeric value, navigate to Face ID & Passcode or Touch ID & Passcode in the Settings app, enter your passcode and select Change Passcode.

Create a new iOS Passcode

Enter your passcode once more to reveal a passcode settings screen, then select Passcode Options. Choose either Custom Alphanumeric Code or Custom Numeric Code and plug in your desired passcode. Re-enter the code on the next screen to activate.

Erase Data

iOS presents the option to Erase Data, which wipes an iPhone or iPad after ten failed attempts. Enabling Erase Data might not protect against GrayKey intrusions, as the tool's mechanics are thought to bypass the token-based functionality. For common brute force attacks, however, we recommend switching this function on if your device contains sensitive information.



54 Comments

Dead_Pool 129 comments · 8 Years

The budget model will be this year's hottest Christmas gift.

foggyhill 4767 comments · 10 Years

alphanumberic all the way, if they're ready to go 10 years for my phone's data, I'm sure I deserve their effort ;-).
Apple will likely cut t his thing out soon so hey.

That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.

tallest skil 43086 comments · 14 Years

foggyhill said:
That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.

Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.

lowededwookie 1175 comments · 16 Years

foggyhill said:
That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.

Except it is now trivial to record with the camera or voice memo and so them doing so will see all evidence obtained this way inadmissible in court.

tallest skil 43086 comments · 14 Years

Except it is now trivial to record with the camera or voice memo and so them doing so will see all evidence obtained this way inadmissible in court.

You seem unfamiliar with how banana republics work.  :p