Why Even the FBI Can’t Hack the iPhone


There may be secrets on the iPhone 5C used by the San Bernardino shooters, but the FBI apparently can’t unlock them. The same security system that thwarts your drunk friend (or your cat) from getting into your texts is safeguarding the data of this terrorist duo.

You can’t just take a stab at guessing someone’s iPhone passcode. After five wrong guesses, you’re forced to wait a minute. After nine wrong guesses, you have to wait an hour. And depending on how the phone was set up, it might delete all its data after ten wrong tries.

A federal judge has ordered Apple to disable some of these security features on the shooters’ phone. Apple is resisting. But even if Apple complies with the judge’s orders, there’s a deeper delay built into the iPhone that may take the FBI a really really long time to circumvent.

Apple has significantly beefed up security on the iPhone in recent years, which is why it says that it cannot just unlock the phone for the FBI. Only the phone knows what the passcode is, and there’s no way to get around that, according to Apple’s security whitepaper. You just have to try over and over.

Here’s the problem. When you enter a passcode into your iPhone, the processor has to make a calculation to check if your code is correct. But Apple has made the math so complicated that it takes about 80 milliseconds – roughly 1/12 of a second – for the phone to crunch the numbers.

“This means it would take more than 5 ½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers,” Apple security guide says.

How did they come up with 5.5 years?

Well, that’s assuming, first, that the phone has been disabled from locking you out after a few bad tries. Also we’re assuming that you have some way to enter your guesses electronically instead of tapping out billions of numbers by hand. (Basically, we’re assuming that Apple has chosen to help you guess and doesn’t have another backdoor into the system we don’t know about.)

Even with Apple’s assistance in bypassing the lockouts – even if you can instantly input different passcodes without penalty – Apple is saying that it would still take the phone about 1/12 of a second to process each attempt.

If the shooters picked a six-letter passcode that only uses numbers or lowercase letters, there are over 2.1 billion possibilities. At about 12 tries a second, that’s about five and a half years to go through them all (assuming you don’t fry the iPhone’s processor by then).

There’s a huge caveat here though. It’s unclear what kind of passcode the San Bernardino shooters used on their phone. The phone appears to be running Apple’s latest software, iOS 9, which by default asks people to lock their phone with a six-digit passcode.

That’s digits, not letters. Huge difference.

Six lowercase letters and numerical digits can be arranged in 2.17 billion ways. But six numerical digits can only be arranged one million ways. There are only one million possibilities. Given Apple’s help, the FBI could crack such a six-number passcode in about 22 hours.

There’s more.

In the past, Apple has asked people to lock their phones with only a four-digit passcode. That was the default. There are only 10,000 ways to arrange four numerical digits. It would only take 13 minutes for the FBI to try out all the different possible passcodes if Apple complied with the judge’s orders.

Faced with such an insecure password, the FBI might not even need Apple’s assistance. If the FBI could guess one passcode an hour, it would take about 13 months to try out all 10,000 possibilities.

On the other hand, the San Bernardino shooters could have picked a longer, or trickier passcode to lock their phone. What if they used a six-letter passcode, but mixed in capital letters in addition to lowercase letters, and numerical digits? Then there would be 56.8 billion possibilities, instead of 2.1 billion. Instead of 5.5 years, it would take 144 years to crack such a passcode – again, assuming the FBI had Apple’s help to prevent it from getting locked out.

Past versions of Apple’s iPhone software have not been quite as secure. One bug in early versions of iOS 8, which came out in late 2014, allowed people to prevent themselves from getting locked out by cutting power to the phone really quickly if they made a bad guess. Researchers at MDsec, a British security firm, showed off a device last year that appears to take advantage of this flaw. You still have to wait for the phone to restart after every passcode attempt, but at this rate, the researchers say the process could try every possible four-digit passcode in about 111 hours.

One more thing of note. The San Bernardino shooters were using an iPhone 5C, which is an older model that lacks an important security feature. Newer Apple phones, starting with iPhone 5S, have a special, separate processor that handles passcodes and fingerprints, which is called Secure Enclave.

Apple has warned that if it helps the FBI in this case, there could be major security repercussions. In an open letter today, Tim Cook said: “Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

But some are skeptical about Cook’s claim. Security researcher Dan Guido points out that unlocking the iPhone 5C should be a simpler task. There’s a possibility that any “master key” Apple provides to the FBI would be useless on newer devices like the iPhone 5S and the iPhone 6 / 6S because these phones have a special security chip that the iPhone 5C lacks.

(C) 2016, The Washington Post · Jeff Guo 



  1. Unless there is hardware involved you may be able to create an image from the iPhone and you can run many in parallel on emulators