A ‘bug’ that let a $500 password cracking box open up iPhones is patched as of iOS 11

A video posted to YouTube by the user EverythingApplePro yesterday shows a small $500 box unlocking an iPhone 7 locked with a short passcode. The box works on all iPhone 7 and iPhone 7 Plus models, as well as some iPhone 6 and 6S models, and, unless you’re willing to wait an incredible amount of time, only works in a small subset of edge cases.

I did some poking around and Apple confirmed that the behavior that lets this box work will be patched out of the final version of iOS 11 that’s due this fall. It’s also patched under iOS 11 beta 4, if you’re running that.

To be clear, what this box does will not work on iOS 11. You can watch the video here, then I’ll explain what’s going on.

The box is similar to several tools that law enforcement professionals (and those who have access to the suppliers they order from) have used for years. It brute-forces the passcode: it continuously guesses one code after another until it finds the right one — a time-consuming process that is normally not viable because an iPhone automatically locks guessers out after a few attempts. On iOS 10, there is a “bug,” for lack of a better term, that allows repeated, rapid guesses of the passcode if you’ve changed it within the last minute or so. This allows the box to work within that period. Once another threshold is crossed — say 10 minutes after a passcode is changed — you no longer have the freedom to guess rapidly. A major delay kicks in that makes this method nearly impossible (or incredibly time-consuming) to use.

Very specifically, this box only works at this speed in this case because the device:

  • Is an iPhone 7 or iPhone 7 Plus (or one of some models of iPhone 6/6s)
  • Has had its passcode changed very recently
  • Has not been used for more than 10 minutes after the passcode was changed
  • Has a 4-digit passcode

Here’s some perspective. Let’s say someone wanted to crack into your phone and they had both this box and unlimited physical access (already an issue, but one that does come up with government actors).

If your passcode was 6 digits (as is the default now) and you had changed it within the last few minutes, it could take up to 374 days to crack it. A 4-digit code would take over 3 days.

If it was 6 digits and you hadn’t changed it recently, it could take 19 years. A 4-digit code, 70 days.
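To see where figures like these come from, here is a small model I put together for this article (not code from the video or from Apple) of worst-case search time for a numeric passcode under guess throttling. The per-guess delays are inferred from the day/year figures above, and the escalating lockout schedule is constructed for illustration; neither is a measurement of the box or of iOS.

```python
"""Worst-case brute-force time for a numeric passcode under guess throttling.

Constructed model for illustration; it does not describe the box in the video
or iOS internals. The attacker tries every code in order and the device
charges a delay per wrong guess. Two policies are modelled: a flat per-guess
delay (the article's day/year figures imply one) and an escalating schedule,
where the delay grows with the failure count.
"""
SECONDS_PER_DAY = 86_400

# Per-guess costs inferred from the article's figures (an assumption, not a
# measurement): ~32 s/guess right after a passcode change, ~10 min/guess later.
RECENTLY_CHANGED = 32.3
SETTLED = 600.0

# Illustrative escalating schedule (constructed): after N failures, every
# further guess costs the given delay; guesses before the first tier are free.
ESCALATING = [(5, 60), (6, 300), (7, 900), (9, 3600)]

def keyspace(digits: int) -> int:
    """Number of all-numeric passcodes of the given length."""
    return 10 ** digits

def flat_worst_case_days(digits: int, seconds_per_guess: float) -> float:
    """Days to exhaust the keyspace when every guess costs the same delay."""
    return keyspace(digits) * seconds_per_guess / SECONDS_PER_DAY

def escalating_worst_case_days(digits: int, schedule) -> float:
    """Days to exhaust the keyspace under a tiered lockout schedule.

    Guess i (0-based) has i failures before it, so it costs the delay of the
    highest tier whose threshold is <= i. Summed per tier, not per guess, so
    a 6-digit keyspace is evaluated instantly.
    """
    n = keyspace(digits)
    thresholds = [t for t, _ in schedule] + [n]
    total = 0.0
    for k, (_, delay) in enumerate(schedule):
        lo, hi = thresholds[k], min(thresholds[k + 1], n)
        if hi > lo:
            total += (hi - lo) * delay
    return total / SECONDS_PER_DAY

if __name__ == "__main__":
    for digits in (4, 6):
        print(f"{digits} digits: recently changed "
              f"{flat_worst_case_days(digits, RECENTLY_CHANGED):.1f} d, "
              f"settled {flat_worst_case_days(digits, SETTLED):.1f} d, "
              f"escalating {escalating_worst_case_days(digits, ESCALATING):.1f} d")
```

The flat-delay numbers reproduce the article's 374 days / 3-plus days and 19 years / 70 days; the escalating schedule shows why even a 4-digit code becomes a year-long job once a device applies tiered lockouts.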

And all of that is going to be much longer on iOS 11. I am reminded of the recent revelation that you’ll be able to soft-disable Touch ID on iOS 11 in situations where you could be coerced to give up your fingerprint — a development that TC’s own Taylor Hatmaker referred to as “the wokest thing I’ve seen a company do on an OS.”

The cat and mouse between law enforcement and Apple’s security division is my favorite TV show.

Article has been updated to note that some iPhone 6/6s models have the flaw.