There are a number of media reports out that Israeli firm Cellebrite is now able to unlock iPhones even running the latest version of iOS, including the iPhone X. Should you be worried? Let’s look at some potential threats.
One rumor, via Bruce Schneier indicates that it only defeats the password limitation mechanism, rather than move the data off the phone to run an offline password cracker. The defense against that is to use a strong passcode – six digits may be enough, as long as you avoid meaningful patterns (e.g. birthday, anniversary, etc) to force an exhaustive search. I prefer a full 8-character alpha/numeric/special passcode myself, especially now that it’s used as an actual encryption key rather than just a device unlock code. I’ve written about why I prefer TouchID over FaceID before – part of the reason is that it makes using a robust passcode more user friendly (less lockouts). Net is that you can mitigate this threat.
Other speculation is that they’re directly reading the memory chips, and then performing an offline crack. That makes it an error prone (e.g. frying the phone), expensive, and highly targeted attack. Again, using a long, robust passcode is a defense against this – and I’d look at using as long a passphrase as iOS allows if you’re in that situation. Otherwise, this isn’t an scalable option.
The last option is a software bug. Apple’s been in the news a lot lately for security blunders, and there’s been widespread discussion of the decline in software quality over the past few years. It appears that message has been heard, as Apple’s now moving towards a ‘when it’s ready’ rather than ‘when it’s scheduled’ model for feature releases. Part of that includes this year’s releases as focusing on bug swatting – a ‘Snowy High Sierra’ release if you will. I’ve no doubt that Apple will close any known bugs that allow device bypassing as quickly as they can.
In the end, while this is technically impressive, and certainly of interest, it’s not something the average person needs to worry about. Use a strong-enough passcode to protect not only the data on the device, but the data that it can access via email or cloud services. Turn on the escalating timeout lock, and the wipe-after-attempts options. Make sure you have Find My Phone turned on, so you can remote wipe it, and most importantly, use a robust passphrase (or 1Password random string) for your AppleID. That’ll keep you safe from all but a deep pocketed threat.