Micro Systemation iOS passcode defeat claims debunked

Claims by Swedish developer Micro Systemation that it can defeat an iOS passcode in under "two minutes" appear to be grossly overstated and it removed a video demo of it in action.

On March 28 I reported that Swedish developer Micro Systemation claimed that its XRY 6.2 software and hardware can detect and display an iPhone passcode in under "two minutes." Those claims appear to have been inflated according to a post today on 9to5Mac.

In the piece, prolific jail breaker Will Strafach (a.k.a. @chronic) asserts that Micro Systemation's claims of defeating the iPhone passcode lock in "two-minutes" is only true if a passcode is "0000." Strafach adds that the XRY tool cannot be used on devices using the A5 or A5X chip, including the iPhone 4S, iPad 2, and iPad 3.

Strafach explains that XRY is "simply loading a custom ramdisk by utilizing the publicly available ‘limera1n’ exploit by George Hotz. The ramdisk is not even very special, because anyone could put together their own using open source tools." He further debunks the company's claims by stating that it only works on older iOS hardware:

Due to the not-so-techincally-informed reporters writing about the XRY software, this fact has been overlooked. Personally, I think it’s a pretty important fact. The simpliest way to “thwart” the use of this software on your phone would be to get the latest model, because (as people who are farmilliar with jailbreaking know) the limera1n exploit is fixed in the bootrom of the A5 (iPad 2 and iPhone 4S) as well as the A5X (iPad 3) chip.

The XRY demonstration video has since been removed from the Micro Systemation website and the company has not replied to a request for comment.

Update: If you're concerned about the security of the data on your iOS device, I highly recommend moving to an eight-digit passcode (or stronger.) A wonderful article ("The ABCs of XRY: Not so simple passcodes") by AgileBits Inc. (publishers of 1Password) by Jeffrey Goldberg explains that simple (4-digit) passcodes can be cracked in 20 minutes (on average) while 8-digit passcodes take 4.5 months to be cracked. Good reading.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All