iPhone Encryption is Unbreakable – As Long As You Use a Password

With all the news about the FBI attempting to force Apple to help them hack into an iPhone used by a terrorist, I thought it would be a good time to touch upon the security of your smartphone and give you some helpful tips.

In case you weren’t aware, since the fall of 2014 (iOS 8) the encryption technology Apple has used in the operating system of the iPhone and iPad is so strong that not even government agencies like the FBI can crack it. In fact, the way it is designed, not even Apple themselves can decrypt the data stored on the iPhones or iPads of their customers. However – and this is very important – that encryption is only as good as the passcode you use with your iPhone. If you do not use a passcode with your iPhone or iPad, anyone can unlock it and get at your data immediately. If you use a weak passcode (like 1234), it makes it more likely that someone could unlock your iPhone by guessing your passcode. Also, simple passcodes like your birthday, your spouse’s birthday, your anniversary, etc., are some of the first things a smart criminal will attempt if they are trying to steal your data. The bottom line is to please make sure to use a good passcode to keep the data stored on your iPhone or iPad data safe. If you have a more recent Apple device with the Touch ID feature (iPhone 5S or higher, iPad Air 2 or higher, iPad  mini 3 or higher) then it is strongly advised that you use a “complex” password with alphanumeric characters and symbols since you will use your fingerprint to unlock your device most often.

Any decent passcode, combined with Apple’s security features to defeat password-guessing attempts (called brute-force attacks), is generally sufficient to stop even the most sophisticated hacking attempts. This is why the FBI is trying to force Apple to help them hack into the terrorists’ iPhone. Even the FBI can not work around Apple’s iPhone security features. They want Apple to create a special security-disabled iPhone operating system that would allow the FBI to initiate a computer assisted brute-force password attack on the iPhone in question. Apple contends that this will threaten the security of all iPhone and iPad owners so we’ll see how this situation plays out.

iMessage and FaceTime Encrypted As Well

It’s all well and good that the data stored on your iPhone is encrypted, but what about communications? Apple’s iMessage and FaceTime systems also encrypt the data being transmitted. So for iMessages, any text, pictures, video, or sounds you send are end-to-end encrypted in transmission. Apple’s FaceTime system also uses strong encryption to protect conversations, whether those conversations are video or audio calls. Not even Apple can decrypt the data in an iMessage or FaceTime call. Note that regular SMS text messages (the green messages) are not encrypted. These messages are sent directly over your wireless carrier’s old SMS system which in theory could be intercepted. Regular phone calls are also not encrypted. So make sure that the messages you are sending are the blue iMessages to ensure they are secured, and make sure to use FaceTime to place a secured call. If you need to send sensitive data, iMessage is an acceptable platform to use, although you need to trust that the person you are sending this data to is using a good password on their Apple device(s) so that the data is safe once it arrives and is stored on their end.

Business Owners Can Enforce Strong Passwords

If you run a business and you want to ensure that your employees are using strong passwords, it is possible to enforce technology policies on their devices, such as the use of a good password, even if they are using their own personal devices to access business data. This is accomplished through a technology called Mobile Device Management or MDM, of which there are many third-party systems that you or your technology staff can manage. The great thing about MDM is that it is relatively simple to deploy and also very easy for the user to remove once they leave the company or no longer want to use their device to access your business data. If you are interested in better managing the security of the devices your employees use, please contact me for more information.

Can the FBI Hack Your iPhone?

Setting aside the political discussion for a moment, if the FBI gets their way and forces Apple to provide them with a hacked version of the iOS operating system, they should be able to crack a 4-digit numeric passcode in less than 15 minutes (10,000 possible combinations with each attempt taking 80 milliseconds). A 6-digit numeric passcode could take just under one day (1 million possible combinations). However, if the password uses alpha-numeric characters, then the time required for the FBI to crack the password could be unfeasible. For example, by my calculations there are 192 possible combinations for each character in an iPhone password – this includes upper and lowercase letters, the 10 numbers, the space character, various punctuation and special characters, plus all the “diacritic” characters such as å, é, ñ, and ü. Even just a 4-character “complex” password comprises 1,358,954,496 (1.3 billion) possible combinations and could take up to 3.5 years to crack using a brute-force attack. Bump that up to 8 characters and suddenly the time to crack that password could take over 4 billion years! If the FBI were to skip the diacritic characters assuming most people do not use them (hint!) it would take up to 85 days to crack a 4 character password (98 combinations per character, 92,236,816 combinations total). However an 8 character complex password without diacritic characters would still take up to 21 million years to crack! So … if you’re worried that the FBI could hack into your iPhone, then simply use a password of 8 or more characters and throw in a diacritic character or two for good measure.

What About Other Smartphones?

Other smartphones, such as Android and Windows-based phones (even BlackBerry phones if anyone out there is still using them), are capable of using strong encryption similar to what the iPhone uses. However, whether or not a specific model of smartphone can use strong encryption or if that encryption is turned on by default depends on the particular model of smartphone and the version of operating system it runs. I would encourage users of other smartphones to consult with their phone manufacturer to verify if strong encryption is available for their phone, how to enable it if it does support it, and then actually enable encryption if their phone can make use of it (note that enabling encryption may cause performance issues on older smartphones).

There are other third-party platforms such as WhatsApp and Viber that are also end-to-end encrypted in message transmission, similar to iMessage and FaceTime. You should verify with any third-party apps that you use whether they employ strong encryption for the messages and data they transmit on your behalf.

Questions?

If you have any questions about the security of your devices, including smartphones, tablets, laptops, and even desktop computers, please feel free to ask me a question on my Q&A page.