The escalation of a long-running encryption conflict between the Justice Department and Apple Inc. has puzzled security experts who say that new hacking tools have made it possible to gain access to many of the company’s older devices in criminal investigations.
Attorney General William Barr ratcheted up pressure on Apple on Monday, painting the company as unhelpful to the government as it seeks to unlock two iPhones belonging to an aviation student from Saudi Arabia who authorities say killed three people at a Florida Navy base last month. Mr. Barr described the phones as “engineered to make it virtually impossible to unlock them without the password.”
Security experts are puzzled about the escalation of presure on Apple from the likes of U.S. Attorney General William Barr and U.S. President Donald Trump. They say that new hacking tools have made it possible to gain access to many of Apple’s older devices to aid investigations. Barr characterized Apple as unhelpful as the government seeks to unlock two iPhones belonging to an aviation student from Saudi Arabia who authorities say killed three people at a Florida Navy base last month in an act of Islamic terrorism.
We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW! MAKE AMERICA GREAT AGAIN.
— Donald J. Trump (@realDonaldTrump) January 14, 2020
Robert McMillan for The Wall Street Journal:
After consulting with experts and vendors and failing to break into the devices—an iPhone 5 and an iPhone 7—investigators reached out to Apple directly, officials said…
Just a few years ago, many iPhones were almost impossible to crack, but that is no longer true, security experts and forensic examiners say. Companies including Grayshift LLC, Israel’s Cellebrite Mobile Synchronization Ltd. and others offer methods to retrieve data from recent iPhones. “We’ve got the tools to extract data from an iPhone 5 and 7 now,” said Andy Garrett, a chief executive of Garrett Discovery, a forensics investigation firm. “Everybody does.”
Four years ago, in the final year of the Obama administration, the Justice Department tried to force Apple to create a software update—a “backdoor”—that would allow law enforcement to gain access to a phone linked to a dead gunman responsible for a 2015 terrorist attack… Apple refused, and it continues to refuse to grant access via a software update, saying it could be exploited by others. The FBI turned to a third party, spending more than $1 million to obtain data from an encrypted Apple iPhone 5C. Today, the bureau could likely obtain that data for $15,000 or less…
A forensics tool built with Checkm8 works on all iPhone devices from the iPhone 5s to the iPhone X, and exploits a hardware bug that Apple is unable to patch, they say… But cracking the passcode is something that both Cellebrite and Grayshift’s device are designed to do, forensics experts say. “It may just take a while to crack the passcode,” Ms. Edwards said.
MacDailyNews Take: Here’s a nice reason to upgrade your older iPhone.
iOS uses the Secure Enclave Processor to throttle passcode input requests, introducing waiting times when too many incorrect passcode attempts have been made. GrayKey bypasses this on older iPhone models, so passcodes can be tried in succession until discovered.
This brute force method is precisely why those concerned with security don’t use four-digit passcodes. Instead, use long, alphanumeric passwords and, even if there is a GrayKey box on every corner, your data will remain secure.
Use at least seven characters – even longer is better – and mix numbers, letters, and symbols.
To change your password in iOS:
Settings > Face ID & Passcodes > Change Passcode > Passcode Options: Custom Alphanumeric Code
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)— Matthew Green (@matthew_d_green) April 16, 2018
Brute force hacks are not the most elegant way to get into an iPhone, but if you’re trying to protect your iPhone data from some nefarious group or any “state actor”, using pure numbers is not really going to do it.
Just think of it this way…
When you use the full set of characters available (upper case, lower case, numbers, and non alpha-numerics, e.g., !, @, #, $, and others) a six character code is more resistant to brute force cracking than a 10 digit numerical only code, an eight character code is more resistant than a 14 digit code, and a 10 character code is more resistant than an 18 digit code.
Bottom line: use character sets not just digits in your iPhone passcode.
Thanks Captain Obvious