iPhone Passcodes Can Be Cracked as Quickly as XRY
The four-digit password on Apple's iPhone is no match for Micro Systemation's XRY application.
The password on the popular smartphone can probably keep a regular person who finds the device from breaking into it. However, the software from the Swedish company, which it sells to law enforcement agencies, can crack the code on an iPhone or a smartphone running Google's Android mobile operating system within minutes, as shown in this video of the application working on an iPhone 4S.
According to Micro Systemation, XRY essentially jailbreaks the device in the same manner that regular jailbreakers do. It then runs every combination of four-digit passcodes (there are 10,000 of them) until it hits the right one. Once that happens, all the data on the phone can be accessed, according to the company.
The data, from call logs and contacts to messages, files and GPS location, is sent to a PC, decrypted and then displayed.
Micro Systemation Marketing Director Mike Dickinson told Forbes.com that there are no back doors left open by the device manufacturers that XRY exploits. Instead, the application finds the same security flaws that regular jailbreakers do when they seek to get around any restrictions on applications that can be downloaded onto the smartphone.
The company spends a lot of time on finding these security flaws, Dickinson said; half of Micro Systemation's 75 employees are in research and development.
"Every week, a new phone comes out with a different operating system, and we have to reverse-engineer them," he told Forbes. "We're constantly chasing the market."
It apparently is a good business for the company, particularly given the skyrocketing growth in smartphone sales. The company has doubled the number of employees since 2009, grown revenues 25 percent a year and generated $18 million in 2011, a $6 million jump from the previous year.
The company's passcode-breaking products are sold in 60 countries, with particular interest among law enforcement agencies, according to Micro Systemation. Many police departments in the United States are customers, as are the FBI and the U.S. military, which Dickinson said is the firm's largest customer. About 98 percent of all police departments in the United Kingdom are customers.
"It's a massive boom industry, the growth in evidence from mobile phones," Dickinson said. "After 20 years or so, people understand they shouldn't do naughty things on their personal computers, but they still don't understand that about phones. From an evidential point of view, it's of tremendous value."
iPhone users are strongly encouraged by Apple to put in a four-digit passcode to protect their smartphones in case their devices are lost or stolen. However, according to a survey last year by the developer of the iPhone app Big Brother Camera, many users aren't being particularly wise about the four numbers they choose.
According to Daniel Amitay, the 10 most common passcodes used by iPhone users accounted for 15 percent of all the passwords that were analyzed. Amitay said on his Website in June 2011 that the most common passcodes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.
Formulaic passwords are never a good idea, Amitay said, but his analysis found that most users selected easy-to-guess codes.
Out of the 204,508 codes the app sent back anonymously to Amitay, "1234" was the most commonly used, with 4.3 percent of the users. The second-most-common code was "0000," picked by 2.6 percent of the users.
Amitay's Big Brother Camera Security app is designed to let owners know who could be using the smartphone without permission. The app automatically takes a photo of anyone using the iPhone with the front-mounted camera; it also collects information about the passcodes being used to protect the camera app. Amitay believes there's a strong correlation between the four-digit passcode being used for the app and the one being used to lock up the iPhone.
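The ten codes Amitay lists fall into a handful of recognizable patterns, which is what makes a passcode "formulaic." The following is an added example, not code from the article, Amitay or Micro Systemation: a check that an enrollment or device-management policy could run to reject such codes. It goes beyond the top-10 list to the pattern families those codes belong to; the function names, the year range, the keypad-walk rule and the sample word list are all assumptions.

```python
# Added example: flag formulaic four-digit passcodes at enrollment time.
# TOP10 is the list quoted in the article; every rule below is an assumption.
TOP10 = {"1234", "0000", "2580", "1111", "5555",
         "5683", "0852", "2222", "1212", "1998"}
# Phone keypad layout as (row, column), used to detect finger "walks".
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
          "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}
# Letter-to-digit mapping printed on phone keys (2=abc ... 9=wxyz).
T9 = {c: str(n) for n, grp in enumerate(
    ("abc", "def", "ghi", "jkl", "mno", "pqrs", "tuv", "wxyz"), start=2)
    for c in grp}
WORDS = ("love", "home", "baby")  # constructed sample word list


def adjacent(a, b):
    """True when two different keys touch on the keypad (diagonals count)."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def pattern_reasons(pin):
    """Name each formulaic pattern a four-digit passcode matches."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four digits")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if steps in ({1}, {-1}):
        reasons.append("sequence")
    if pin[:2] == pin[2:] and pin[0] != pin[1]:
        reasons.append("repeated pair")
    if 1900 <= int(pin) <= 2099:
        reasons.append("year")
    if all(adjacent(a, b) for a, b in zip(pin, pin[1:])):
        reasons.append("keypad walk")
    if any("".join(T9[c] for c in w) == pin for w in WORDS):
        reasons.append("keypad word")
    return reasons


def audit(pins):
    """Map each weak passcode to its reasons, adding the top-10 flag."""
    report = {}
    for pin in pins:
        reasons = pattern_reasons(pin) + (["top-10"] if pin in TOP10 else [])
        if reasons:
            report[pin] = reasons
    return report
```

Each of the ten codes in the article is caught by a pattern rule alone, so the check still flags similar codes that never appeared on Amitay's list.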