GrayKey: What is it and how can you protect yourself?
Glenn Fleishman reveals everything you need to know about this iPhone hacker and how to protect yourself
Police now have access to an inexpensive device that can crack iPhone and iPad passwords in a matter of minutes. First reported in early March by Forbes, GrayKey, from a company called Grayshift, is designed for turn-key cracking of iOS passcodes.
In mid-March, Malwarebytes Labs explored the device in greater depth, noting that a four-digit PIN could be cracked in a couple of hours and a six-digit
PIN would require as many as a few days. Tech website Motherboard extended this reporting in April with more details about how GrayKey has been used in the field. And security researcher Matthew Green posted a message on Twitter showing the theoretically fastest cracking time possible given the parameters he knew, which brought the issue back to the fore given the potential for even quicker breaking of six-digit PINs.
GrayKey has two Lightning plugs, and requires iOS devices to be connected for about two minutes, after which the cracking starts on the device. It’s not currently known what exploits the company uses to accomplish this on-device feat that also disables a number of passcode-retry and re-entry delay strategies Apple started building in years ago. You can expect Apple is working all its angles to discover the exploit and patch it, as it’s done for any techniques for jailbreaking iOS or bypassing security in the past.
If you’re not involved in criminal behaviour that might subject you to scrutiny by the law, then you might think that GrayKey is of no importance to you, as your device would never be subject to it.
But the mere existence of GrayKey means it’s possible, even likely, that there are other people who have discovered similar paths, and that unless Apple patches this vector, less-polished devices will wind up in the hands of criminals, even organized gangs, who can then make use of stolen phones in a way they haven’t been able to before.
What can you do to better secure yourself, if you haven’t taken these steps before? Switch to a longer PIN or a sufficiently long and complicated passcode and enable Find My iPhone/iPad. Here’s how.
Pick a stronger passcode
Apple started pushing six-digit PINs with iOS 9, likely because it was aware of how rapidly the right hardware and phone-cracking software could pick a four-digit ‘lock’. However, it didn’t force owners with older devices to upgrade to six digits, and you can downgrade to four digits after setting up a longer PIN.
The ease with which GrayKey can crack a six-digit PIN means that they are no longer secure enough. A seven-digit PIN would extend days to weeks of cracking, and an eight-digit PIN would extend that to several weeks or a few months.
Security researcher Green recommends an even longer numeric PIN, because, like a phone number, it can ultimately be memorized. (Don’t pick anything that looks like a phone number, though.) A 10-digit PIN would take over a decade on average to crack using an on-device tool on average, according to his calculations.
I recommend using Diceware ( fave.co/2I34MuN) or similar approach, which involves rolling for or using a
generator to create a set of words unlikely to appear together and that add up to enough length to defeat brute-force cracking, like this one I just generated:
departed-refute-armored-clock-stinky. (The time to crack on the site linked for Diceware is for generic offline cracking of passwords, not the GrayKey ondevice method, which is substantially slower.)
Many security experts recommend long passphrases comprising words because they are more likely to be memorized, and dictionary-based cracking tools – even ones that use frequency analysis and other predictors of words to occur together – won’t help for unlikely combinations.
These are more tedious to enter – mine is over 20 characters and has some punctuation separating the words – but they are easier to retain and can be very strong. I rely on 1Password’s ( fave.co/2k3SMMU) password generator feature to create these, but many password safes and other tools can create word-based long passwords. Do not use common phrases or common words with a few numbers or punctuation marks added.
Based on how GrayKey works, more sophisticated attacks that require massive dictionaries don’t appear to be feasible, because of how the tool runs on the iOS device itself. That could change, of course.
How to set your passcode in iOS
1. Launch Settings and tap Passcode or Touch ID & Passcode or Face ID & Passcode.
2. Enter your current passcode.
3. Tap Change Passcode.
3. Tap Passcode Options. 5. For a longer numeric passcode, tap Custom Numeric Code. For ones with more than just numbers, tap Custom Alphanumeric Code. 6. Enter the new code and verify it.
Apple instituted an additional Touch ID expiration period of six days on top of existing passcode entry requirements more than two years ago. If you haven’t entered your passcode for any reason, including restarting your device, for more than six days, you’ll be prompted for it after eight hours of not unlocking your phone with a Touch ID. For many people, that will happen in the morning.
Enable Find My iPhone/iPad
Apple added an activation lock in iOS 7 that connects Find My iPhone (labelled Find My iPad on those
devices) to your iCloud account. Even if an iOS device is erased, so long as Find My iPhone was active, it can’t be used again without access to the iCloud account password.
While you might think that having your phone’s passcode cracked would be enough harm, because someone could then obtain access to everything on your device, Find My iPhone can offer two bits of peace of mind.
First, you can use Find My iPhone to mark that you want your device erased. This will happen either immediately if the iOS device is connected to the Internet, or the next time it comes online. I assume GrayKey has methods to prevent the device from accessing the Internet after being cracked, too, but that’s not useful for those whose intent is reselling it. And they may make a mistake.
Secondly, the activation lock feature means that even if the phone or tablet is erased, it can’t be reset and resold. This may seem like a false victory to you – your hardware is still in somebody else’s hands. But it deters theft in general, and any criminal or gang that uses tools like those in the GrayKey to crack phones will be reminded quickly that there’s little utility in it for extracting money.