The “iPhone passcode can be cracked in two minutes!” linkbait headlines going around has been bothering me (see here for an example of one, and here for a bad example of an article teaching you how to “thwart” the hack). It seems that people don’t fully understand what is going on, and some generalized / misinformation is circulating about the issue. I’d like to clarify some things, as well as tell you some real ways to “thwart” their system.
The software from XRY and all similar software utilizes jailbreak exploits to accomplish their task.
They do not use anything special that is “similar to” the exploits used in jailbreak programs; They are simply loading a custom ramdisk by utilizing the publicly available “limera1n” exploit by George Hotz. The ramdisk isn’t even very special, because anyone could put together their own using open source tools. The only “special” thing XRY has done is create a tool that is simple enough to be utilized by LE personnel.
If you have an iPhone 4S, an iPad 2, or an iPad 3, then this tool cannot be used on your device.
Due to the not-so-techincally-informed reporters writing about the XRY software, this fact has been overlooked. Personally, I think it’s a pretty important fact. The simpliest way to “thwart” the use of this software on your phone would be to get the latest model, because (as people who are farmilliar with jailbreaking know) the limera1n exploit is fixed in the bootrom of the A5 (iPad 2 and iPhone 4S) as well as the A5X (iPad 3) chip.
The “two minutes” it takes to crack your passcode will only hold true if your passcode is 0000, the passcode that XRY showed in their demo video.
If you don’t feel like upgrading to the latest model and your device is exploitable, it is still possible to protect yourself from tools like this. Just open Settings on your device, then tap the “General” menu, then go into the “Passcode Lock” menu. You should see a switch labelled “Simple Passcode”. If you turn this off and then set a lengthier password to unlock your device, that’ll make it take much longer than two minutes to crack the passcode on your device (the longer, the better).
I know this post is a few days late (been a bit busy lately), but hopefully I was able to clear up some misconceptions and put the minds of some at ease.