Micro Systemation iOS passcode defeat claims debunked

Summary: Claims by Swedish developer Micro Systemation that its XRY product can defeat an iOS passcode in under "two minutes" appear to be grossly overstated, and the company has removed its video demo of the tool in action.


On March 28 I reported that Swedish developer Micro Systemation claimed that its XRY 6.2 software and hardware can detect and display an iPhone passcode in under "two minutes." Those claims appear to have been inflated, according to a post today on 9to5Mac.

In the piece, prolific jailbreaker Will Strafach (a.k.a. @chronic) asserts that Micro Systemation's claims of defeating the iPhone passcode lock in "two-minutes" are only true if the passcode is "0000." Strafach adds that the XRY tool cannot be used on devices built around the A5 or A5X chip, including the iPhone 4S, iPad 2, and iPad 3.

Strafach explains that XRY is "simply loading a custom ramdisk by utilizing the publicly available ‘limera1n’ exploit by George Hotz. The ramdisk is not even very special, because anyone could put together their own using open source tools." He further undercuts the company's claims by noting that the tool only works on older iOS hardware:

Due to the not-so-technically-informed reporters writing about the XRY software, this fact has been overlooked. Personally, I think it’s a pretty important fact. The simplest way to “thwart” the use of this software on your phone would be to get the latest model, because (as people who are familiar with jailbreaking know) the limera1n exploit is fixed in the bootrom of the A5 (iPad 2 and iPhone 4S) as well as the A5X (iPad 3) chip.

The XRY demonstration video has since been removed from the Micro Systemation website and the company has not replied to a request for comment.

Update: If you're concerned about the security of the data on your iOS device, I highly recommend moving to an eight-digit passcode (or stronger). Turning off the "Simple Passcode" switch under Settings > General > Passcode Lock lets you set a longer one. A wonderful article by Jeffrey Goldberg of AgileBits Inc. (publishers of 1Password), "The ABCs of XRY: Not so simple passcodes", explains that simple (4-digit) passcodes can be cracked in about 20 minutes on average, while 8-digit passcodes take about 4.5 months. Good reading.
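To put those figures in perspective, here is an added worked example that models brute-force time as a function of passcode length and alphabet. It is my own code, not code from the article, from 9to5Mac, or from AgileBits. The guess rate is an assumption back-derived from the article's own 20-minute average for a 4-digit code (5,000 guesses on average), and the model ignores any lockout or erase-after-N-attempts setting; it also goes a step beyond the article by covering alphanumeric codes.

```python
"""Brute-force cost model for numeric and alphanumeric iOS passcodes.

Added example; not code from the article or from AgileBits. The guess
rate below is an assumption back-derived from the article's figure of
20 minutes on average to crack a 4-digit code.
"""
import string

SECONDS_PER_MINUTE = 60
SECONDS_PER_DAY = 86_400
SECONDS_PER_MONTH = 30 * SECONDS_PER_DAY   # 30-day month, for rough reporting
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# On average an attacker tries half the keyspace before hitting the code, so
# "20 minutes for 10,000 codes" means ~5,000 guesses per 1,200 seconds.
# Assumption: real on-device rates depend on the model and iOS version.
GUESSES_PER_SECOND = 5_000 / (20 * SECONDS_PER_MINUTE)   # ~4.2 guesses/s


def keyspace(length, alphabet=string.digits):
    """Number of distinct passcodes of `length` symbols over `alphabet`."""
    return len(alphabet) ** length


def crack_seconds(length, alphabet=string.digits,
                  rate=GUESSES_PER_SECOND, average=True):
    """Seconds to brute-force a passcode at `rate` guesses per second.

    average=True returns the expected time (half the keyspace);
    average=False returns the worst case (the whole keyspace).
    """
    guesses = keyspace(length, alphabet)
    if average:
        guesses /= 2
    return guesses / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for name, size in (("year", SECONDS_PER_YEAR), ("month", SECONDS_PER_MONTH),
                       ("day", SECONDS_PER_DAY), ("hour", 3600),
                       ("minute", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}s"
    return f"{seconds:.0f} seconds"


def report(rate=GUESSES_PER_SECOND):
    """Expected crack time for a few passcode policies, as (label, seconds)."""
    alnum = string.ascii_letters + string.digits
    policies = [
        ("4 digits", 4, string.digits),
        ("6 digits", 6, string.digits),
        ("8 digits", 8, string.digits),
        ("6 chars, letters+digits", 6, alnum),
        ("8 chars, letters+digits", 8, alnum),
    ]
    return [(label, crack_seconds(n, alphabet, rate)) for label, n, alphabet in policies]


if __name__ == "__main__":
    for label, secs in report():
        print(f"{label:26s} {human(secs)}")
```

Run stand-alone, the 4-digit row reproduces the article's 20 minutes by construction, and the 8-digit row comes out at roughly 4.6 months, which is consistent with the 4.5 months quoted from Goldberg's article. The point a practitioner should take from the table is that every extra digit multiplies the attacker's work by ten, and switching to letters plus digits multiplies it by 62 per character, so a six-character alphanumeric code already runs to centuries at this rate.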

  • Even if you assume the claim was truthful ....

    ... the fact that it required PHYSICAL access to the device made the entire thing a non-issue.

    Once a device is physically in the hands of others, the time it takes to "break-in" is the least of the problems for the owner.
    • Time matters more of physical access

      I have to disagree with your view that "once a device is physically in the hands of others, the time it takes to "break-in" is the least of the problems for the owner." There are two reasons I disagree.

      Someone could gain and maintain physical access for a few hours without the other knowing about it or being able to recover it. But if an attacker needs to work with the device for months, the owner may be able to launch legal challenges.

      The second reason that continual physical access matters is that it raises the costs for an attacker. If someone can gain temporary access of just a few minutes, but from that run an attack that takes months, that attack would be far more likely than one that requires full access to the device during those months.

      So it is specifically because these attacks require full physical access that I am happy to use a passcode that takes months to crack instead of centuries.


      Jeffrey Goldberg
      • Not really necessary

        I don't know if those 'time to find the password' are based on running the software on the device itself, but...

        The iPhone CPU is extremely weak, compared to even the lowest end desktop CPU. Knowing this, you don't even need to run the software on the device itself! All you need is to read its flash memory content to a file and you can run whatever code you wish on that disk image on a supercomputer, or on large HPC clusters, or even on the members of your botnet :)

        In this case, you only need physical access to the device for a few brief moments. Not even 20 minutes..
  • There is a wipe feature too.

    People can use the simple pin code. If you are like me I need to remember tons of passwords for all the stuff I do at home or work. A simple 4 digit key for my iPhone is a relief. I just pair it with the wipe feature. Basically it deletes the phone after a set amount of tries. Thus all my personal data is safe. I can then replace the phone and load my latest back up.
    • People CAN use the simple PIN code...

      But any corporate IT department that relies on it for enterprise security of mobile devices needs to retake information security 101. A 4 digit PIN is going to fail any 3rd party info sec assessment/audit (SAS70, SOX, GLBA, HIPAA, PCI, etc.).
    • Wipe will only defeat naive attackers

      A sophisticated attacker (and that is what we are talking about here) will know to remove the SIM card immediately. That will make both location tracking (Find My iPhone, or cell tower records) impossible and will prevent any sort of remote wipe.


      Jeffrey Goldberg
      • Think "Bakabaka" was referring to the "wipe" after ten tries...

        ...and not the "remote wipe" feature.
        Essentially, after 10 incorrect attempts the iPhone is "supposed" to erase all information itself.
        But I am certain that (process) can be interrupted as well - as essentially everything is.
        There is no perfect security. One just has to assess the risks versus the benefits - and the obstacles that increased security always drags along.
      • No SIM in Verizon iPhone.

        There is no SIM to remove and do the SIM trick with to get into the phone, so on some iPhones this won't work.
    • The wipe feature

      This feature only works if the phone is ON and is running its own OS and applications. It is there to guard against casual attempts to guess the code.

      Anyone determined to get the content of your phone is going to simply copy its internal memory to a file and proceed from there.
  • You still need possession of the phone for this to work.

    Once you have possession of the phone then anything can happen. You can just plug a cable into the phone and then have at it with many methods to break into the phone, and Micro Systemation is just one way. Once you lose that phone, wipe it as fast as possible.
    • On wiping

      You can't wipe the phone if it is not switched on, connected to a network and running its own OS and applications. For an attacker worth their salt, none of this will happen during the process.

      Eventually you will get your phone back, and there will be absolutely no evidence that someone has copied all data off it already.
  • I don't have a passcode

    'cause I've got nothing to hide :-)