GrayKey: What you need to know about this iPhone hacker and how to protect yourself

Police and other law-enforcement agencies now have inexpensive access to a hacking device that can crack iPhone and iPad passwords in a matter of minutes. First reported in early March by Forbes, GrayKey, from a company called Grayshift, is designed for turn-key cracking of iOS passcodes.

In mid-March, Malwarebytes explored the device in greater depth, noting that a four-digit PIN could be cracked in a couple of hours and a six-digit PIN would require as many as a few days.

Motherboard extended this reporting a few days ago with more details about how GrayKey has been used in the field. And last Monday, security researcher Matthew Green posted a message on Twitter showing the theoretically fastest cracking time possible given the parameters he knew, which brought the issue back to the fore given the potential for even quicker breaking of six-digit PINs.

GrayKey has two Lightning plugs, and requires iOS devices to be connected for about two minutes, after which the cracking starts on the device. It’s not currently known what exploits the company uses to accomplish this on-device feat, which also disables a number of the passcode-retry and re-entry delay strategies Apple started building in years ago. You can expect Apple is working all its angles to discover the exploit and patch it, as it has done with past techniques for jailbreaking iOS or bypassing its security.

[Image: GrayKey iPhone unlocker. Credit: Malwarebytes]

If you’re not involved in criminal, civil, or political behavior that might subject you to law-enforcement action, you might think that GrayKey is of no importance to you, as your device would never be subject to it. And in many countries, including the U.S., courts can compel you to provide information to unlock a device, with penalties of imprisonment if you fail to do so; those orders have been effective so far in the cases in which this has emerged.

But the mere existence of GrayKey means it’s possible, even likely, that there are other people who have discovered similar paths, and that unless Apple patches this vector, less-polished devices will wind up in the hands of criminals, even organized syndicates, who can then make use of stolen phones in a way they haven’t been able to before.

What can you do to better secure yourself, if you haven’t taken these steps before? Switch to a longer PIN or a sufficiently long and complicated passcode and enable Find My iPhone/iPad. Here’s how.

Pick a stronger passcode

Apple started pushing six-digit PINs with iOS 9, likely because it was aware of how rapidly the right hardware and phone-cracking software could pick a four-digit “lock.” However, it didn’t force owners with older devices to upgrade to six digits, and you can downgrade to four digits after setting up a longer PIN.