iPhone Passcodes Can Be Cracked as Quickly as XRY

Micro Systemation’s XRY app can crack passcodes for iPhones and Android devices within minutes, and is being used by a growing number of law enforcement agencies.

The four-digit password on Apple’s iPhone is no match for Micro Systemation’s XRY application.

The password on the popular smartphone can probably keep a regular person who finds the device from breaking into it. However, the software from the Swedish company, which it sells to law enforcement agencies, can crack the code on an iPhone or a smartphone running Google’s Android mobile operating system within minutes, as shown in this video of the application working on an iPhone 4S.

According to Micro Systemation, XRY essentially jailbreaks the device in the same manner that regular jailbreakers do. It then runs every combination of four-digit passcodes (there are 10,000 of them) until it hits the right one. Once that happens, all the data on the phone can be accessed, according to the company.

The data (from call logs and contacts to messages, files and GPS location) is sent to a PC, decrypted and then displayed.

Micro Systemation Marketing Director Mike Dickinson told Forbes.com that there are no “back doors” left open by the device manufacturers that XRY exploits. Instead, the application finds the same security flaws that regular jailbreakers do when they seek to get around any restrictions on applications that can be downloaded onto the smartphone.

The company spends a lot of time finding these security flaws, Dickinson said; half of Micro Systemation’s 75 employees are in research and development.

“Every week, a new phone comes out with a different operating system, and we have to reverse-engineer them,” he told Forbes. “We’re constantly chasing the market.”

It apparently is a good business for the company, particularly given the skyrocketing growth in smartphone sales. The company has doubled the number of employees since 2009, grown revenues 25 percent a year and generated $18 million in 2011, a $6 million jump from the previous year.

The company’s passcode-breaking products are sold in 60 countries, with particular interest among law enforcement agencies, according to Micro Systemation. Many police departments in the United States are customers, as are the FBI and the U.S. military, which Dickinson said is the firm’s largest customer. About 98 percent of all police departments in the United Kingdom are customers.

“It’s a massive boom industry, the growth in evidence from mobile phones,” Dickinson said. “After 20 years or so, people understand they shouldn’t do naughty things on their personal computers, but they still don’t understand that about phones. From an evidential point of view, it’s of tremendous value.”

iPhone users are strongly encouraged by Apple to put in a four-digit passcode to protect their smartphones in case their devices are lost or stolen. However, according to a survey last year by the developer of the iPhone app Big Brother Camera, many users aren’t being particularly wise about the four numbers they choose.

According to Daniel Amitay, the 10 most common passcodes used by iPhone users accounted for 15 percent of all the passwords that were analyzed. Amitay said on his Website in June 2011 that the most common passcodes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.

“Formulaic passwords are never a good idea,” Amitay said, but his analysis found that most users selected easy-to-guess codes.

Out of the 204,508 codes the app sent back anonymously to Amitay, "1234" was the most commonly used, with 4.3 percent of the users. The second-most-common code was "0000," picked by 2.6 percent of the users.
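To make "formulaic" concrete, the following added example (not from the article, Amitay or Micro Systemation) is a passcode-policy check that names the pattern behind each of the ten passcodes listed above, so a device-management or enrollment flow could reject them. The one-word list, the 1900 to 2011 year range and all function names are assumptions chosen for illustration.

```python
import re

# Ten most common passcodes reported in the article (Amitay, June 2011).
TOP_TEN = ("1234", "0000", "2580", "1111", "5555",
           "5683", "0852", "2222", "1212", "1998")
KEYPAD_COLUMNS = ("147", "2580", "369")   # phone keypad columns, top to bottom
KEYPAD_LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                  "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
COMMON_WORDS = ("LOVE",)                  # assumption: tiny sample word list

def word_to_digits(word):
    """Spell a word on the keypad, e.g. LOVE -> 5683."""
    return "".join(d for ch in word.upper()
                   for d, letters in KEYPAD_LETTERS.items() if ch in letters)

def formula(passcode, latest_year=2011):
    """Return the pattern a four-digit passcode follows, or None if none matches."""
    if not re.fullmatch(r"[0-9]{4}", passcode):
        raise ValueError("expected exactly four digits")
    digits = [int(c) for c in passcode]
    if len(set(digits)) == 1:
        return "single repeated digit"
    # Differences between neighbours, modulo 10 so 8901 and 0987 also count.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        return "ascending or descending run"
    if passcode[:2] == passcode[2:]:
        return "repeated pair"
    if any(set(passcode) <= set(col) for col in KEYPAD_COLUMNS):
        return "single keypad column"
    if 1900 <= int(passcode) <= latest_year:   # assumed plausible-year range
        return "calendar year"
    for word in COMMON_WORDS:
        if passcode == word_to_digits(word):
            return "keypad spelling of " + word
    if passcode in TOP_TEN:
        return "reported top-ten passcode"
    return None

if __name__ == "__main__":
    for code in TOP_TEN:
        print(code, "->", formula(code))
```
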

Amitay’s Big Brother Camera Security app is designed to let owners know who could be using the smartphone without permission. The app automatically takes a photo of anyone using the iPhone with the front-mounted camera; it also collects information about the passcodes being used to protect the camera app. Amitay believes there’s a strong correlation between the four-digit passcode being used for the app and the one being used to lock up the iPhone.