How the FBI Cracked Pensacola Shooter’s iPhone: An Automated Passcode Guesser

Kevin Collier and Cyrus Farivar, reporting for NBC News:

The FBI was able to eventually access Alshamrani’s phone not by an unprecedented technical feat, but rather by “an automated passcode guesser,” according to a person familiar with the situation who spoke on condition of anonymity because the person was not authorized to speak publicly on the matter.

Each attempt at unlocking an iPhone through this sort of brute force technique takes about 80 ms to process; this cannot be sped up externally because the guesses can only be computed on the device’s secure enclave — a limit of about 12.5 guesses per second.

You may recall from earlier this year that these guessers are thus very effective against short numeric passcodes. On average, a 4-digit passcode would take 7 minutes to guess (14 minutes at the maximum, if the last possible combination were the last to be guessed). A 6-digit passcode — the current default — would take on average 11 hours to crack, 22 hours tops.

A 6-character alphanumeric passphrase — A-Z, a-z, 0-9 — would take on average 72 years to guess. That’s just 6 characters. And that’s if it only contains letters and numbers, no punctuation characters or spaces — and if the person programming the automated guesser somehow knows or guesses that the passphrase contains only letters and numbers, and that it’s exactly 6 characters in length. (When your iOS device is locked by a numeric code, the unlock screen shows you how many digits the passcode contains; when your device is locked by a passphrase, the length is not revealed.)

So you can see why the FBI and DOJ are still pressuring Apple to build backdoors into devices — if the Pensacola shooter had used a decent alphanumeric passphrase it’s very unlikely they’d have been able to get into his iPhone.

On the other hand, law enforcement benefits greatly from the fact that the default iOS passcode remains only 6 numeric digits. I suspect Apple is doing this more as a concession to user convenience than as favor to law enforcement, but one shouldn’t look a gift horse in the mouth.

Tuesday, 19 May 2020