The $500 gizmo that cracks iPhone passcodes – and how to stop it

A recent YouTube video shows a phone-sized hacking device recovering the passcode of an iPhone 7 or 7 Plus in just a few minutes.

Posted by an American YouTuber going by the name of EverythingApplePro, the video features a $500 “iPhone unlocker” apparently bought online and imported from China.

Rather than bypassing the passcode, the $500 gizmo (which can automatically try out passcodes on up to three iPhones at the same time) keeps trying codes in sequence – e.g. 0000, 0001, and so on – until it figures out that it just entered the right one, presumably from how the phone reacts.

You then read the code off the gizmo and you should be able to unlock the phone for yourself any time the lockscreen comes up.

According to the video, there are some special situations on some iPhone versions, halfway through a firmware update, in which you don’t get locked out after making too many wrong guesses.

The gizmo, it seems, exploits these conditions so it can keep guessing pretty much for ever.

Sounds scary!

Fortunately – although we don’t have a spare iPhone or one of the $500 unlockers to verify any of this – the reality is less dramatic than you might at first think.

Firstly, your password needs to have been changed very recently (TechCrunch says “within the last minute or so”) for the gizmo to be able to guess at a non-glacial rate.

Secondly, the cracker needs to force a firmware update to get the phone into a state where the repeated guesses will work.

Thirdly, you need to have a short passcode.

According to the video, the cracking device can only try out about six passwords a minute at best; according to TechCrunch, this guessing rate seems to be 20 times slower if your password was last changed more than about 10 minutes ago. The three phones cracked in the 12-minute video were deliberately configured with the passcodes 0015, 0016 and 0012 so they would fall to the gizmo – which started at 0000 on each phone.

So even if your iPhone falls into the wrong hands, a cracker using this gizmo is only likely to succeed if you have a very short passcode, or you have chosen one that is likely to be at the top of any “try these first” list, such as 123456, 111111 or 5683 (it spells out LOVE, in case you are wondering).

Apparently, only iPhone 7 and 7 Plus models (plus some iPhone 6 and 6s models) have this vulnerability, if that’s not an overstated way to describe it, and the bug will be eliminated anyway when iOS 11 comes out.

We’ve seen speculation that the vendor of the gizmo has started advertising it pretty openly – rather than just promoting it quietly to law enforcement or in underground forums – because it will be even less useful than it is now once iOS 11 ships.

Assuming TechCrunch is correct, if you have a six-digit passcode and haven’t changed your password in the past minute or so, you can expect to keep this gizmo guessing for about 10 years on average.

Presumably, all other things being equal, every extra digit in your passcode lengthens the guessing time by another factor of 10, so a seven-digit passcode ought to hold out until the 22nd century – if your iPhone’s battery keeps going that long.
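To check how exposed a given passcode is to this kind of in-order guessing, here is an added example (ours, not code from the video or from TechCrunch). It ranks a passcode in the guessing order and converts that rank to time. The two rates are the figures quoted above taken at face value, and the "try these first" list is an assumption built from the three codes this article mentions, so treat the output as rough arithmetic rather than a measurement.

```python
"""Rough exposure estimate for a numeric passcode against in-order guessing."""

# Figures quoted in the article; reported, not measured.
BEST_GUESSES_PER_MIN = 6   # "about six passwords a minute at best"
SLOWDOWN = 20              # "20 times slower" once the change is >10 minutes old
# Assumption: a front-loaded list holding only the article's three examples.
TRY_FIRST = ("123456", "111111", "5683")


def guesses_needed(passcode, try_first=()):
    """Attempts needed to reach `passcode` when same-length codes from
    `try_first` are tried first and the rest follow from 00..0 upward."""
    if not (passcode.isascii() and passcode.isdigit()):
        raise ValueError("numeric passcodes only")
    head = [c for c in try_first if len(c) == len(passcode)]
    if passcode in head:
        return head.index(passcode) + 1
    # Listed codes below this value were already spent, so skip them.
    skipped = sum(1 for c in head if int(c) < int(passcode))
    return len(head) + int(passcode) + 1 - skipped


def _factor(recently_changed):
    """1 inside the fast window, SLOWDOWN once the passcode change is old."""
    return 1 if recently_changed else SLOWDOWN


def seconds_to_crack(passcode, recently_changed, try_first=()):
    """Seconds until `passcode` is reached at the quoted guessing rates."""
    n = guesses_needed(passcode, try_first)
    return n * 60 * _factor(recently_changed) / BEST_GUESSES_PER_MIN


def worst_case_seconds(length, recently_changed):
    """Seconds to exhaust every numeric code of the given length."""
    return 10 ** length * 60 * _factor(recently_changed) / BEST_GUESSES_PER_MIN


if __name__ == "__main__":
    # The three demo codes from the video, guessed in order from 0000.
    for code in ("0015", "0016", "0012"):
        print(code, guesses_needed(code), "guesses,",
              seconds_to_crack(code, True) / 60, "min at best rate")
    # Popular codes fall almost at once when a front-loaded list is used.
    for code in ("5683", "123456", "9999"):
        print(code, guesses_needed(code, TRY_FIRST), "guesses with try-first list")
    # Each extra digit multiplies the exhaustive search time by 10.
    print(worst_case_seconds(7, False) / worst_case_seconds(6, False))
```

Run against the video's demo codes, it shows why all three phones fell inside a 12-minute clip: each passcode sits within the first 20 guesses from 0000.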

What to do?

Our suggestions, admittedly based only on hearsay so far, are:

  • Keep your phone close at hand immediately after you change the password. As far as we can see, the crook needs to pounce on it soon after you’ve done so for the attack to be even vaguely practicable.
  • Choose the longest passcode you can tolerate. Six digits is where Apple gets you to start these days; try going longer than that.
  • Upgrade to iOS 11 as soon as you can when it comes out. There will almost certainly be dozens of other critical security bug fixes included in iOS 11, giving you plenty of good reasons to patch early anyway.