Prior to joining FishNet Security, I examined mobile devices as a digital forensic analyst, actively researching and using different methods to remove, recover or bypass passcodes on mobile devices. With low-end, basic devices from Nokia®, Samsung® and Sony Ericsson®, it was easy to either recover or reset the passcodes with minimal effort and no loss of data using a flasher box. From a forensic standpoint, the preservation of the data on the device was paramount. In fact without flasher boxes it was also reasonably easy. With access to details about the owners date of birth, those of their spouse or children and a list of commonly used simple passcodes it was relatively easy to just manually brute force attack the devices. These devices also had no mechanism to monitor the volume of failed passcode attempts, allowing me to keep trying until I got it right.
However, the iPhone® presented an entirely new challenge. Similar to a BlackBerry® device, the iPhone wipes the device on X number of failed passcode attempts. The bigger challenge with the iPhone was the sheer volume of them that started coming in for examination, compared to BlackBerry devices. Unable to use manual brute force, I faced the complex challenge of gaining access to iPhones whilst preserving the evidence stored on them.
With the proliferation of iPhones came different tools able to overcome the passcodes on these devices. In the beginning, one could simply remove the file containing the passcode. Later, one could use brute force to attack the file containing the passcode, having already exploited vulnerabilities in the boot ROM to force the device to run a custom RAM disk containing the necessary tools, rather than Apple’s own iOS. This approach allowed me to obtain the necessary tools on the device to facilitate the attack, however, by not invoking the iOS, there is no mechanism to monitor the attack and consequently wipe the device. After utilizing these tools and techniques for a number of years, I researched how to calculate, understand and validate the strengths of the different types of passcodes which can be used on iOS devices.
For my research, I used an iPhone 4 running iOS v6 because the iPhone 4 (and original iPad®) are currently the last iOS devices available that can have the passcodes attacked without the device already being jailbroken. I used a forensic tool developed by Elcomsoft that was able to brute-force attack passcodes on my test device at a speed of 5.7 times four-digit PINs per second. The volume of PINs which it can attempt is unfortunately governed by the device being used rather than the software, as part of the attack requires utilizing a device key that cannot be extracted from the device in order to mount an “offline” attack. In other words, the device must remain connected to a computer and the software for the duration of the attack. Earlier versions of the iPhone allowed a much simpler and quicker method for attack.
There are two types of passcodes that can be set on an iOS device: a PIN or a password. Most people secure their devices using a PIN, which by default is four-digits long. So how strong is the default PIN?
In order to understand the strength of the PIN, one can use some simple mathematics to calculate the number of permutations that can be made using four digits. Then we can perform some more calculations, along with physical testing, to establish how long it takes to brute-force attack all of those permutations.
Each PIN digit can be any number in the range of zero to nine, giving 10 possible options. In order to calculate the number of permutations, multiply the number of possible options (10) by itself (10), X number of times, where X is the length of the PIN. So, a four-digit PIN (where each digit can be one of 10 different numbers) is calculated by multiplying 10 by 10, four times (10x10x10x10) , expressed as 10 to the power of four. This equals a total of 10,000 different permutations. Seems like a lot doesn’t it?
In order to calculate the period of time it takes to test all permutations, first I took the number of possible permutations (10,000) and divided it by the number of PINs that could be tested per second (5.7). This was then divided by the number of seconds in a minute (60) to understand the period of time required to test all possible permutations, which equaled 29.24 minutes. So, if the last permutation tested was the correct one, it would take no longer than 30 minutes to crack a four-digit PIN. In practice, I have found that it takes an average of approximately 10 minutes to crack four-digit PINs on these devices. Given that timing, 10,000 permutations doesn’t seem like so many after all, which means the default PIN on iOS devices is weak.
A number of companies understand that a four-digit PIN is weak –and use their MDM solution of choice to set their device passcode policies to require a six-digit PIN. So my next move was to calculate and test how long it would take to attack a six-digit PIN. The mathematical calculation is the same, except now we are looking at 10 to the power of six, which equals 1,000,000 permutations. In theory, this should be 100-times stronger than a four-digit PIN, as we have added an additional 10x10 to the formula. Again the mathematics to calculate the period of time it takes to test each permutation is the same, except that now the length of the PIN has changed the number of PINs that can be tested each second reduces to 3.7. The result is that six-digit PINs are more than 100- times stronger than four-digit PINs due to the reduced number of permutations that can be tested per second. Calculating this with the new figures equals 75.08 hours or 3.12 days to test every possible permutation. I set a six-digit PIN on my test device that was cracked in 24 hours. With the use of just digits, the volume of permutations is somewhat limited due to the possibility of there only being 10 different digits for each number of the PIN. Each time an additional number is required, the strength of the PIN increases by a factor of 10.So, even though it’s 100 -times stronger, a six-digit PIN is also weak.
FishNet Security’s best recommendation is that mobile users set a password of seven alphanumeric characters including at least one uppercase letter and one digit. Given my research breaking four- and six-digit PINs, I calculated the total possible permutations and the time to test them.
Setting an alphanumeric password opens up the 26- character alphabet, but you need to double this to include uppercase letters. Add the numeric digits and you get 62 different possibilities for each character of the password. And that’s with no special characters or symbols included! So, the mathematic formula to calculate the total different permutations is 62 to the power of 7 (62x62x62x62x62x62x62) which equals 3,521,614,606,208.
Unfortunately no guidance is provided by the software developer for the speed at which alphanumeric passwords can be attacked. I took a conservative estimate that at seven alphanumeric characters, the tool could attack ,2.5 passwords per second. Using the formula outlined above, ,I calculated that this equals a period of 16,303,771 days or 44,667 years to test every permutation. Due to my presumed life expectancy, I didn’t bother starting a physical test of this to confirm my calculations.
When using the tool, it gives you a hint about the type of passcode that is set on the device: a four-digit PIN, a six-digit- PIN or greater, or a password of unknown length. This is handy when selecting what type of attack to mount.
It is useful to know that the calculations above show the volume of permutations and period of time to test them all when using a given string length for the calculation. Unfortunately in practice, one does not necessarily know the length of the PIN/passcode string. As mentioned, FishNet Security’s recommendation is a length of at least seven, however an attacker doesn’t necessarily know that. First, they must attack using all available characters but they must also attack with all other lengths of passcode strings prior to getting to a length of seven, making the password exponentially stronger. The attacker must test a length of one, followed by a length of two, followed by a length of three, etc.
Of course, it is important to understand that each of the calculations shows the total time to test every permutation. It is entirely feasible that even with FishNet Security’s recommended passcode, it could be cracked in five minutes. Ultimately, we just don’t know.
For those who are interested, I decided to calculate exactly how long an iOS passcode could be. Using the English keyboard, I was able to set a passcode using all available alphanumeric, special characters and symbols. There are 102 different characters available and I can use all of them at least once, giving a password string of 102 in length. The mathematics to calculate the volume of permutations again is the same:
A to the power of B = Answer
Where A is the number of available characters and B is the length of the string. This is a very large number indeed, more than can be displayed on a calculator. I had to use Python to calculate the answer for me:
And that’s just the number of permutations when you know the password string is 102 in length, but as previously mentioned an attacker will need to test with a length of one, followed by a length of two, etc.. You need to add the volume of permutations for each length making the final volume of possible permutations colossal:
It is important to note that the above calculations and findings relate only to device passcodes and not those set when encrypting an iOS backup. Elcomsoft has also developed a tool that is capable of attacking iOS backup passcodes. Depending on the hardware configuration and the utilization of GPU processing power, it is potentially possible to test in excess of 10,000 passcodes per second. Using the same calculations, the best recommendation of passcode strength that FishNet Security advocates can be reduced from 44,647 to a meager 11.16 years. Still a long time, but by boosting the processing power of the computer being used to mount the attack this can be reduced further.