How the Spy-Level Security in Your iPhone Works

The Department of Justice and Apple are currently entangled in scuffle that could have huge implications for the future of criminal investigations and personal privacy. On Oct. 25, U.S. Magistrate Judge James Orenstein heard arguments from both the government and Apple about whether the iPhone manufacturer can (or even should) crack the passcode on a handset that may contain evidence in a certain case. Details aren’t clear as the case is sealed, but Apple’s response to the unlock request, unearthed by the Wall Street Journal, was that compliance “would be substantially burdensome, as it would be impossible to perform.”

The reason iPhones are so difficult to break, according to Apple’s filing is that “among the security features in iOS 8 is a feature that prevents anyone without the device’s passcode from accessing the device’s encrypted data. This includes Apple.” Currently, 91% of iPhones run iOS 8 or iOS 9, which is equally secure. (Apple did not make someone available for comment by press time.)

But the iPhone’s security isn’t that straightforward. Prior to the current case, Apple had honored some government requests to crack the passcode on some handsets. In fact, it used to be fairly simple to crack into a password protected iPhone. “You could run a brute force attack, and it would take on average, 20 minutes to pop that four digit passcode,” says Trent Telford, CEO of enterprise-level encryption solution provider, Covata. Brute force attacks involve high-powered computers quickly trying all the possible passcode combinations.

But with the launch of iPhone 5S, Apple’s beefed up its phone security. Apple introduced TouchID fingerprint scanning sensor, and to keep that personally identifying information safe, the company locked it away in what it calls a “secure enclave” within the phone’s processor. In addition to keeping users fingerprints from being easily accessed, the secure enclave also inserted a delay between the passcode attempts. Because it’s a function of the hardware, not the software, the delay can’t be disabled, and it increases in time the more wrong passcode attempts are entered.

For instance, after the first four attempts, there’s no delay. But after the fifth try, you’ll need to wait a minute before taking another stab. A five-minute delay appears after the sixth guess; attempts seven and eight trigger 15-minute waits, and every try after that puts you on hold for an hour. In addition, there’s a setting that users can enable to automatically erase the phone’s contents after ten incorrect passcode attempts—something that law enforcement officials would be concerned about triggering.

As a result of the delays, entering the 10,000 possible four-digit pin codes once an hour using a brute force attack would take 416 days to crack the passcode, hardly “impossible” as Apple says, but considerably longer nonetheless.

However, iOS 9 supports six-digit and arbitrary-length alphanumeric passcodes, which means there are infinitely more possible passcodes than the 10,000 four-digit combinations. “A lot of organizations, companies, and security-conscious users don’t use a four-digit pin—they use an alphanumeric, like you would with your Internet banking,” says Telford. “Then it’s virtually impossible with the current algorithms and processing power to pop it open.”

But here’s the rub—all the big hurdles to cracking a passcode apply to the 91% of iPhones that currently run iOS 8 or iOS 9. In this particular court case, however, the iPhone in question is actually running iOS 7, which Apple admits it “has the technical ability to extract certain categories of unencrypted data from.” But the company has argued that it would rather not do that because it takes man-hours away from its operations, would damage its reputation with privacy-concerned consumers, and it encourages officials to keep asking for phone unlocking assistance.