With at least two companies selling technology that can be used by law enforcement and government agencies to unlock iPhones, this would be a good time to safeguard your information with a stronger passcode. Here’s how.
With police departments and federal agencies lining up to buy technology from two companies whose products can bypass iPhone security mechanisms, experts said users concerned about privacy should use a strong passcode to help prevent unwanted access to data.
That’s also true for enterprise users with iPhones that access potentially sensitive corporate data.
Simply put, complex passcodes are always better for security, according to Phil Hochmuth, IDC’s program director for enterprise mobility. Common best practices for creating a hard-to-crack passcode include using both upper- and lower-case characters, numbers and uncommon words.
“I expect enterprises with high security concerns and large iOS corporate deployments will start requiring this and enforcing it via their MDM/EMM platforms,” Hochmuth said via an email.
iPhone cracking technology now in use
Grayshift’s GrayKey de-encrypting device is a 4-in. x 4-in. box with two iPhone-compatible Lightning cables. It can reportedly unlock an iPhone in about two hours – if the owner used only a four-digit passcode. (A six-digit passcode can take three days or longer to crack.)
One GrayKey box retails for $15,000 and is geofenced to a specific location, requiring an internet connection that enables up to 300 unlocks. There is also a $30,000 GrayKey model that can be used independent of internet connectivity and offers an unlimited number of device unlocks, according to Motherboard.
Cellebrite provides an iPhone unlocking service to law enforcement agencies; it reportedly charges $5,000 per device.
Last week, Motherboard reported that local and regional U.S. police departments and the federal government have been purchasing the technologies in earnest.
While both companies claim they only sell to police and government law enforcement agencies, it’s virtually impossible to keep that genie in the bottle, according to Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation (EFF), a non-profit digital rights group.
“If you believe the only people who will have access to GrayKey or Cellebrite are the cops, I’ve got a bridge to sell you,” Cardozo said.
The default security setting on current iPhones is to erase all data on the device after 10 failed attempts to unlock it. An algorithm that attempted a brute-force attack on an iPhone should, therefore, fail. So the speculation is that the technologies from Cellebrite and GrayKey must be using a different deciphering mechanism.
“Basically, you fool the mechanism that updates that ‘10 tries’ counter. Or you image the memory, and make 10 tries repeatedly on different copies,” cryptographer and computer security specialist Bruce Schneier said in an email.
More digits means better iPhone security
At a minimum, consumers and businesses should use a six-character alphanumeric passcode or a pass phrase, which addresses risks associated with the leak of personal and enterprise data, according to Gartner research director Dionisio Zumerle.
“In terms of risk assessment, everyone should assume that the tools are improving. Security is a moving target and people need to move with it,” said Gartner research vice president John Girard. “Using stronger PINs and passwords, phrases and so on is a necessary step forward.”
While Apple’s Touch ID and Face ID help with security as well, they don’t preclude the use of a passcode to unlock a phone.
Apple’s iOS 9 operating system boosted the default iPhone passcode from four digits to six; but an even stronger option, an alphanumeric passcode, is more secure.
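An added example, not part of the original article: it takes the roughly two-hour figure reported above for a four-digit passcode, derives the guessing rate that figure implies, and applies it to longer and alphanumeric passcodes. The constant-rate and exhaustive-search assumptions, the function names and the sample passcodes are constructed for illustration.

```python
import string

# The article reports about two hours for a four-digit passcode.
# Assumption: that covers all 10**4 codes at a constant guessing rate.
IMPLIED_RATE = 10**4 / (2 * 3600)  # guesses per second, roughly 1.39

# Character classes an attacker has to include in the search.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " ")


def keyspace(passcode):
    """Candidates to try for this length and mix of character classes.

    Assumes a randomly chosen passcode; dictionary words or dates are
    guessed far sooner than this number suggests.
    """
    if not passcode:
        raise ValueError("empty passcode")
    known = "".join(CLASSES)
    if any(c not in known for c in passcode):
        raise ValueError("character outside the modelled classes")
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in passcode))
    return pool ** len(passcode)


def exhaust_seconds(passcode, rate=IMPLIED_RATE):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(passcode) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    # Constructed sample passcodes, not recommendations.
    for sample in ("1234", "123456", "k7Qx2m", "k7Q!x2m#"):
        print(f"{sample:10} {keyspace(sample):>22,}  {humanize(exhaust_seconds(sample))}")
```

At that implied rate, six digits take about 8.3 days to exhaust, in line with the reported "three days or longer", while six random mixed-case alphanumeric characters run to well over a thousand years.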
How to change your passcode
If you’re ready to change your passcode, here’s how to do it:
- Go to Settings
- Click on Touch ID & Passcode (You will have to enter your current passcode here)
- Click on Change Passcode (enter your current passcode again)
- Click on Password options at the bottom of the screen
- Click on Custom Alphanumeric Code
- Enter your new passcode, which can now include letters, numbers and symbols.
Final word of advice: Make sure you use a phrase or a combination of letters, numbers and symbols that’s easy to remember.
This story, “How to use a strong passcode to better secure your iPhone” was originally published by ComputerWorld.com.