GrayKey box can guess a six-digit iPhone password in 11 hours on average

“Law enforcement agencies have a new iPhone cracking tool that works with all modern iPhones and the newest versions of iOS 11, the GrayKey, designed by a company called Grayshift,” Juli Clover reports for MacRumors.

“Previous reports have suggested the GrayKey can crack 4-digit passcodes in a matter of hours and 6-digit passcodes in days,” Clover reports, “but as highlighted by VICE’s Motherboard, cracking times for the GrayKey and other similar iPhone unlocking methods can potentially be even faster and 6-digit passcodes no longer offer adequate protection.”

Clover reports, “Matthew Green, assistant professor and cryptographer at Johns Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple’s passcode-guessing protections, a 4-digit passcode is crackable in 6.5 minutes on average, while a 6-digit passcode can be calculated in 11 hours.”

Read more in the full article here.

MacDailyNews Take: Obviously, those concerned with security and privacy should use an alphanumeric passcode that’s seven characters – even longer is better – and mixes numbers, letters, and symbols.

To change your password in iOS:
Settings > Face ID & Passcodes > Change Passcode > Passcode Options: Custom Alphanumeric Code
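
The per-guess rate implied by the figures quoted above, and what it means for choosing a passcode length, worked through as an added example (not from MacRumors, Matthew Green or Grayshift). The alphabet sizes and the 100-year target are assumptions made for illustration.

```python
"""Average brute-force time per passcode policy, from the article's figures."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted in the article: keyspace size and average seconds to crack.
QUOTED = {"4-digit": (10**4, 6.5 * 60), "6-digit": (10**6, 11 * 3600)}


def seconds_per_guess(keyspace, avg_seconds):
    # On average the right code is found after half the keyspace is tried.
    return avg_seconds / (keyspace / 2)


# Plan against the faster of the two implied rates (conservative for defence).
PER_GUESS = min(seconds_per_guess(*v) for v in QUOTED.values())


def average_crack_seconds(alphabet, length, per_guess=PER_GUESS):
    # Assumes a uniformly random passcode and a constant guess rate.
    return alphabet**length / 2 * per_guess


def min_length(alphabet, target_years, per_guess=PER_GUESS):
    # Shortest length whose average crack time reaches the target.
    length = 1
    while average_crack_seconds(alphabet, length, per_guess) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


# Alphabet sizes are assumptions: 10 digits, 26 lowercase letters,
# 95 printable ASCII characters (letters, digits, symbols, space).
POLICIES = {"digits": 10, "lowercase": 26, "printable ASCII": 95}


def report(target_years=100):
    return {name: min_length(size, target_years) for name, size in POLICIES.items()}


if __name__ == "__main__":
    print(f"implied rate: {1 / PER_GUESS:.1f} guesses/s")
    years = average_crack_seconds(95, 7) / SECONDS_PER_YEAR
    print(f"7 random printable-ASCII chars: about {years:,.0f} years on average")
    for name, length in report().items():
        print(f"{name}: at least {length} characters for a 100-year average")
```

These averages hold only for passcodes chosen uniformly at random; a human-chosen code such as a date or a dictionary word sits in a much smaller effective keyspace.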

Police around the U.S. can now unlock iPhones – April 12, 2018
Law enforcement uses ‘GrayKey’ box to unlock iPhones – March 16, 2018
The man who wrote those password rules has a new tip: N3v$r M1^d! – August 8, 2017


  1. Thought I read a recent programmer note Apple has put in a restriction on the rate of pinging pass codes to iPhones, to make it like only one code per second or so?

    Is that in the works?

    1. I believe these products use unpatched vulnerabilities in the software to get around this restriction. Normally an iPhone will tell you you’re entering passcodes too quickly.

      It also seems to get around the data erase feature that normally kicks in after ten wrong attempts.

      1. That is how devices like this work, however the reporting here is a little faulty. The way the device works (and others like this) is by cloning the flash chip and performing a brute force attack on that clone (thus bypassing the data erasure feature). What they fail to mention is that a device enabled with biometric security (Touch ID, Face ID), in addition to a passcode isn’t affected by this due to the Secure Enclave, since the flash can’t be cloned without scrambling the data. However, if you just use a passcode then it can crack it unless you’re using alphanumeric.

  2. 6 digit code takes as little as 11 hours.
    In theory 7 digit code would take (11 to the power of 7) hours longer???

    Alphanumeric, all bets off, because instead of base 10 we would be talking base 67?? Or approximately, in addition to the number of columns incorporated.

    Long for word alphanumeric pass-phrase, meaningful to the iPhone’s owner would stop GreyBox in its tracks.


    1. 1) Six digit code could take as little as one attempt, if the algorithm gets lucky.

      2) It apparently takes 22 hours for the machine to try all possible six digit combinations, and on average the machine will get the correct code when it has tried half of all possible combinations: half of 22 hours is 11 hours.

      3) If it can try all six digit codes in 22 hours, then trying all seven digit codes will take 10 times as long. To understand that, imagine that the machine will try all six digit codes preceded by a 0. Then it will try all six digit codes preceded by a 1. Then it will try all six digit codes preceded by a 2, and so-forth until it reaches 9. So a seven digit code takes ten times as long as a six digit code.

      4) Yes, clearly alpha-numeric is much much more secure than numeric alone.

      5) If the hacker doesn’t know how many digits are in your code then she must try them all — which makes the task take much longer. Mwa-hahahaha.

      1. Aim for the half-life of the chance of a brute force guess.

        Given what you wrote so far, 13 guesses a second.

        Alphanumeric password of 6 digits (base 95) as typed from a standard US keyboard would take 896.5 years at 13 BFG/s. 11 hours base 10, vs 897 years alphanumeric.

        8 characters takes 8 million years, at the same rate. Contrasting against 4 digit pin codes – pretty darn crappy, taking 6 minutes to brute force.

      1. At the time of writing I wasn’t sure how many characters (meaning unique hex codes) could be entered into a password from a keyboard. It now appears to be 95, which is a whole lot better than 62 or so. 52 for upper and lower case, 10 for digits and the rest for punctuation and symbols. Maybe a little less depending on how certain characters are handled or interpreted in the password field.

    1. If I read the article correctly what GrayKey has done is bypass Apple’s multi attempt barrier, thus allowing thousands of continuous attempts (brute force).

      That being correct, all Apple has to do to defeat GrayKey (and others) is identify the multi attempt exploit and close it.

      I’m in the 99.999% of iPhone users where nobody has any interest in what’s on my iPhone/iPad.

      I would only be concerned about all of this if I were a criminal. I’m not.

      1. I am a civil libertarian above all- not a Democrat or Republican. I have a serious problem with law enforcement using devices like Stingrays, this device and buying data from commercial data miners without a warrant. Stuff Law Enforcement is forbidden to collect without a warrant is available for cash from private firms.

        This violates the spirit – if not the letter – of the protection against self incrimination. In the hands of a corrupt government or a rogue officer it could be one of the most prized keys to repression.

        To have the full weight of the state (as in government generically) thrown against you even with our constitutional rights is a fearsome thing. To have it thrown against you with a stacked deck is even more so.

        If they can crack your phone without a warrant and proper oversight, illegal content could easily be planted upon your phone and the presence of that content used to incarcerate you, discredit you, etc.
        In today’s society many accusations are effectively convictions in the mind of the public and media.

        I am not paranoid, but we live in a world where civil liberties, individual freedoms, open government and democracy are under broad attack – even in western democracies. The protections and expectations of privacy are essential now and will be in the future.

        SCOTUS has ruled with the opinion written by Conservative Republican Chief Justice John Roberts regarding searching phones- “Get a warrant”. The presence of these machines is a great threat to encryption and it is the only protection you have.

        It is not about being a criminal- it is about your rights when you are innocent as well.

      2. You are mistaken; The NSA is interested in everyone and everything. You know why? The reason is just in case.

        If you have nothing to hide on the phone, then voluntarily give everything on it to the law and/or to the NSA.

      3. Well, what’s to stop this technology being stolen then used by criminals to access personal data which of little individual interest could be used to steal from you?

    1. I don’t understand. The passcode under iPhone settings only accepted 4 digits, each being numeric until recently when the passcode length was extended to 6 digits.

      On my Macs and iCloud passcodes can be of variable length consisting of Upper or Lowercase alpha, numeric and/or symbol.

      1. Incorrect. When you go to change your passcode on an iPhone/iPad, tap on the Passcode Options to reveal the option to choose “Custom Alphanumeric Code” and you are presented with the keyboard to type in anything your heart desires.

    1. And now that website has your passcode and in conjunction with all the other information Facebook and others have aggregated together, your passcode is likely compromised at this point.
