Using a complex numeric code is essential to keep your iPhone or iPad safe. We will explain why and how to proceed.
If you have set a 4 or 6 digit iPhone unlock code (consisting of numbers only) this may not be enough to make it safe. It is much better to use an alphanumeric unlock code (composed of numbers, letters, symbols) and this is longer, making access attempts more useless.
By default, the code can be defined as a numeric PIN. On devices with Touch ID, the minimum length of a code is six digits. On the other devices, the minimum length is four digits.
Users can specify a longer alphanumeric code by selecting “Custom alphanumeric code” in the options for the code by going to Settings> PassCode. The longest and most complex codes are more difficult to guess or to attack and are the ones recommended for example in a business environment.
Entropy and brute force in unlocking the iPhone
By configuring a Passcode for the device, the user automatically enables data protection. As mentioned, iOS supports six-digit, four-digit codes and alphanumeric codes of any length. In addition to unlocking the device, a code provides entropy for certain encryption keys. This means that an attacker with a device cannot access the data stored in specific protection classes without the code.
The code is linked to the UID (“Unique ID”) of the device, so the only possible attack is to execute a brute force attack. A high number of iterations is used to make each attempt slower. The number of iterations is calibrated so that each attempt lasts approximately 80 milliseconds. This means that it would take more than 5 and a half years to try all the combinations of a six-character alphanumeric code with small letters and numbers.
The more secure the user code is, the more secure the encryption key becomes. Touch ID can be used to improve this equation by allowing the user to establish a much more secure code that would otherwise not be practical. In this way the aim is to obtain the highest possible entropy with the aim of protecting the encryption keys used for data protection, without negatively affecting the ease of use by the user who finds himself unblocking the iOS device several times during the day.
Reset a device after too many incorrect attempts
To further dissuade any hackers from trying to decipher the codes, iOS applies ever longer delays after entering an incorrect code in “Lock Screen”. If in the Settings> Touch ID and Passcode section, the “Reset data” option is active, the device will be deleted automatically after 10 consecutive incorrect attempts to enter the code. Delays are controlled by an internal coprocessor (“Secure Enclave”). If the device is restarted during a delay, this delay is still applied and the timer starts over again with the interval currently in progress.
GrayKey, the tool with which the US police violates the iPhone
A company called Grayshift has created an external box called GrayKey, a small box that promises to unlock the iPhone. The least expensive of these devices costs $15,000 and allows you to violate any iPhone by trying all possible combinations of codes. As we have mentioned, iOS allows you to activate a function that resets and renders the device useless after ten incorrect attempts but GrayKey somehow “injects” into the iPhone something capable of blocking the attempt. While waiting for Apple to fix the problem, it is also possible to make the unlocking attempts with the GrayKey box useless by activating a long unlock password.
Matthew Green, assistant professor and cryptographer at the Information Security Institute at Johns Hopkins University explained that the device in question can unlock a protected iPhone with a simple 4-digit numeric code on average in six and a half minutes or, in the worst case scenario about 13 minutes. According to his calculations, the identification of a 6-digit code can take up to 22.2 hours, while with 8 digits it goes from at least 46 hours to 92 days. The numbers reach 25 years or 12 years on average for a robust 10-digit code consisting of random numbers.
The longer the code, the longer it will take to unlock the device. If you want to keep your device safe, use an unlock code consisting of at least 7 alphanumeric characters with numbers, letters and symbols: you will complicate the possibility of completing attacks that aim to find the unlock code.
Setting a long unlock code on the iPhone
To set a more complex unlock code on the iPhone, simply go to Settings, select “Touch ID and Passcode”, enter the current unlock code, scroll down, select “Change code”, indicate the current code.
In the screen that appears it is possible to indicate a new code or select “Code Options”: by selecting the latter it is possible to set a personalized alphanumeric code, indicating letters, numbers and symbols. Specifying this option will not show the numeric keypad on the screen but the full keyboard to unlock the phone.