FBI used Graykey to unlock an iPhone 11 Pro, which was previously thought to be the most secure iPhone
A recent article by Thomas Brewster at Forbes highlights the fact that the FBI is able to unlock iPhones using a product called Graykey. Specifically, a product called Graykey was used in a case against Baris Ali Koch to unlock Koch’s iPhone – an iPhone 11 Pro. Graykey works by bypassing the timeout functionality in iOS and allows for brute forcing of the passcode or password.
Graykey not only works on the newest iPhones, it also works on older versions – and is advertised as doing so. iOS 13 was supposed to defend against this type of brute force device, but it clearly does not. If the FBI already has this capability to unlock iPhones, why are they demanding Apple to unlock the iPhone 5 and 7 from the Pensacola case? The US government, and other governments around the world, have been making such a big deal of demanding backdoors be built into encryption for years now – likely to set some precedence to force companies to work with them.
iPhone 11 Pro users should consider checking the strength of their passcode, at the least
If you’re using an iPhone 11 Pro, it’s advisable that you switch from using a regular 6 digit pin to a long passcode. It takes Graykey an average of 6.5 minutes to crack a four digit passcode. For a six digit passcode, the time needed is 11.1 hours on average. A 10 digit passcode, the maximum allowed, requires the Graykey an average of 4629 days to average.
Researcher Dr. Matthew Green of the Johns Hopkins University showed in 2018 that Graykey wouldn’t work as quickly on a longer numeric passcode – whether or not a longer alphanumeric password would be stronger depends on if you choose your passwords randomly, which is a rare occurrence. For more information about password and passcode entropy, refer to this two year old, but still extremely relevant Twitter thread.
iPhone privacy and security is not as promised
Following the recent news of the iPhone 11 Pro being vulnerable to Graykey, Dr. Green tweeted again:
https://twitter.com/matthew_d_green/status/1217848456582246400
The real pertinent question that Apple users should be asking themselves is why a phone and operating system that was marketed as being so private continually is proven to be not so private. Apple has known about Graykey for years now, yet their Secure Enclave Processer is still not secure. Of course, the possibility of that being a result of human error is there, and Hanlon’s Razor tells us that we shouldn’t attribute to malice that which is equally explainable by stupidity. I believe we’re past the point of being able to blame stupidity, and it’s entirely necessary to consider that Apple leaves sidedoors for law enforcement to walk through while publicly benefiting from a standoff with the governments’ requests to make backdoors – all in the name of the same PR and marketing goal as when they tout the questionable security and privacy of their devices.
Featured image from Tatsuo Yamashita via CC By 2.0 License.
Comments are closed.
1 Comments
It doesn’t matter whether or not the iPhone is backdoored, although it likely is.
Apple admits that it has access to the entire contents of your phone backups to iCloud. Pretty much nobody would disable these, and I don’t even know that you can. They have “gigabytes” of data on each iPhone victim to turn over to the FBI, and admit that they’ve done it at least 6,000 times.
There’s no such thing as a “secure” iPhone. Jeff Bezos found that out when his iPhone X was taken over by malware sent by text message. The iOS has no security model other than stopping users from running apps that Apple has pre-approved, which opens the door to censorship and other bad behavior, including keeping good web browsers with powerful features off the iPhone (they have to use the far less capable Webkit instead), as well as open media formats, and open source software.
Webkit alone has a lot of problems. I’ve found dozens of bugs in it without even really trying. It apparently doesn’t matter to Apple if they profile their code and work out bugs and performance bottlenecks because they can sell these things at massively inflated prices and keep the money if they never do fix them.