By John Gruber
WorkOS: APIs to ship SSO, SCIM, FGA, and User Management in minutes. Check out their launch week.
Great explanation from Jack Nicas, in his column for The New York Times:
Tools like those from Cellebrite and Grayshift don’t actually break iPhones’ encryption; they guess the password. To do so, they exploit flaws in the software, like Checkm8, to remove the limit of 10 password attempts. (After about 10 failed attempts, an iPhone erases its data.) The tools then use a so-called brute-force attack, which automatically tries thousands of passcodes until one works.
That approach means the wild card in the Pensacola case is the length of the suspect’s passcode. If it’s six numbers — the default on iPhones — authorities almost certainly can break it. If it’s longer, it might be impossible.
A four-number passcode, the previous default length, would take on average about seven minutes to guess. If it’s six digits, it would take on average about 11 hours. Eight digits: 46 days. Ten digits: 12.5 years.
If the passcode uses both numbers and letters, there are far more possible passcodes — and thus cracking it takes much longer. A six-character alphanumeric passcode would take on average 72 years to guess.
It takes 80 milliseconds for an iPhone to compute each guess. While that may seem small, consider that software can theoretically try thousands of passcodes a second. With the delay, it can try only about 12 a second.
The basic thing to understand is that there are effectively two systems on a modern iPhone: (1) the iPhone itself, running iOS; and (2) the Secure Enclave. iOS can be hacked. That’s how these tools remove the 10-passcode-guesses-and-you’re-out limit. But it’s the Secure Enclave that evaluates a passcode and controls encryption, and the 80 millisecond processing time for passcode evaluation isn’t an artificial limit that could be set to 0 by hackers. It’s a hardware limitation, not software.
So, if you’re worried about any of this, the answer is simple: use an alphanumeric passphrase to unlock your iOS device, not a 6-digit numeric passcode.
★ Monday, 20 January 2020