Deep-pocketed law enforcement agencies won’t hesitate to spend big bucks breaking into a smartphone if they feel there’s critical evidence on it that could help solve a major crime. Sophisticated, expensive hardware or software from a company like Cellebrite isn’t always required, though. In some cases, a $500 gizmo might be all that’s needed.
Screen capture: Lee Mathews/Forbes
The $500 passcode breaker in action
Yes, there really is a $500 gadget for sale online that can break an iPhone passcode. Apart from being relatively cheap (and well within reach of even small-time criminals) it’s also quite simple to use. Just dial in settings in the desktop application, push them to the device and then unleash the attack on a connected iPhone. Simple passcodes can be broken in a matter of minutes. It all looks pretty impressive in action in a YouTube demonstration.
Dig deeper, however, and things aren’t as scary as they first appear. While this inexpensive piece of electronics can indeed figure out the secret digits to unlock a passcode-protected iPhone, it can only do so under very specific circumstances.
For starters, it’s only capable of breaking into four different iPhones: the iPhone 7 and iPhone 7+ and certain models of the iPhone 6S and iPhone 6. That’s still tens of millions of vulnerable devices, but that’s just the first caveat. Only phones running iOS 10 are vulnerable, and it only works if the passcode has been changed very recently — as in within the last 60 seconds or so.
If all those boxes are checked, someone could theoretically crack the code in just a few minutes. As long as you’ve made some a couple very poor passcode creation choices, that is… and you just changed your passcode and happened to leave it unattended for several minutes near a very attentive criminal.
Although the YouTube video does show the box guessing three different passcodes fairly quickly those codes were cherry-picked. This particular isn’t all that sophisticated. It’s basically the automated form of a human pecking in codes in sequence. The box tries to brute force the code, starting at 0000 and counting up. Setting up demo iPhone with passcodes like 0015 and 0016 guarantees that they’ll be discovered in a minimal amount of time.
Armed with that knowledge, it becomes pretty clear how you can protect yourself. By opting for a 6-digit passcode and a more carefully-chosen set of numbers you make it exponentially harder for a device like this to break in.
In the case of this particular attack, you’ll also be fully protected when iOS 11 becomes available later this year. Apple’s latest update will patch the vulnerability that allows this little device to hammer away at passcodes.