
If Apple loses, you'll pay with your time to stay secure

The recent legal dispute between the FBI and Apple over whether the latter can be compelled to develop and sign software that will undermine the security of Syed Farook’s work-issued iPhone 5c has brought much-needed public scrutiny to issues of digital security and privacy. The case is also about product guarantees, and the integrity of the technology you purchase once it’s in your hands, because the FBI wants Apple to degrade the security that your iPhone currently has. This case may be about one phone, but once the software is available and precedent has been set, it’s about every phone, for the same reason that legal scholars always look for, and reference, prior relevant cases.

If the FBI prevails, and you want to maintain the current level of security of your phone, you’ll have to change your passcode—and that change will cost you. You’ll have to pay, in your time, to maintain the current functionality of a device you already own.

I have an iPhone 5c, so I timed myself entering passcodes. I know the plural of anecdote is not data, so feel free to time your own typing, but for me it takes 1.2 seconds to enter a 4-digit code, 2.4 seconds to enter an 8-digit code, and about 4.4 seconds to enter a 6-character alphanumeric code (remember, you have to change the keyboard at least once, depending on where your numerals are placed in the passcode string. To type in a1b2c3, you need to switch keyboards five times because you start with the alphabet keyboard).

Why does this matter? The software the FBI wants would enter 12.5 passcode guesses per second. At that rate, it will take less than 13 minutes to brute-force a 4-character passcode. (Less than, because you can stop once you’ve found the right one, so only if you’re very unlucky will the right passcode be the last one you try). The Intercept did some calculations, and found that:
“eight-digit passcodes will take up to three months to crack
nine-digit passcodes will take up to 2.5 years to crack
10-digit passcodes will take up to 25 years to crack
11-digit passcodes will take up to 253 years to crack
12-digit passcodes will take up to 2,536 years to crack
13-digit passcodes will take up to 25,367 years to crack”
But that’s just using numerical digits, and the iPhone will accept alphanumeric passphrases, which are much harder to brute-force. Using only lowercase letters and digits 0-9, a 4-character alphanumeric passphrase will take less than 108 days. Five characters will take less than 31 years. Six characters will take less than 3,125 years to crack—but if your passphrase is sufficiently arbitrary, you’re still looking at an average of 1,563 years. The FBI is going to give up long before then. So let’s say that to maintain the security currently available on your device, you’re going to have to change to a 5- or 6-character alphanumeric passphrase. Let’s go with 6 characters to be on the safe side.*

You'll spend an extra 32 hours per year unlocking your phone, just to stay secure

Let’s say you unlock your phone 100 times per day (studies have found between 85 and 110 times per day is average). So you’re unlocking your phone 36,500 times per year. Currently you’re spending 120 seconds per day unlocking your phone. With your new 6-character passphrase, you’re spending an additional 3.2 seconds each time, so now you’re spending 440 seconds per day unlocking your phone, or about 7 minutes and 18 seconds per day. That’s about 44 hours and 40 minutes per year unlocking your phone, versus the 12 hours per year you spend unlocking your phone with your current 4-digit passcode. You'll spend almost an extra day and a half per year unlocking your phone, with a 5- to 6-character alphanumeric passphrase. This doesn’t take into account the time you’ll spend re-learning your new code; that will mean about 5.6 seconds each time you unlock, because you’ll type in the wrong (old) passcode first.

As Stanford’s Jennifer Granick wrote today, this case is about the basic rules of the world we live in. Can the government compel a company to weaken the security of its own products? Do you want to spend an additional 32 hours per year just to maintain the security functionality of a device that you’ve already bought? If I buy a bike lock, and the manufacturer then makes a pair of wire-cutters that destroy my bike lock unless I also tie a knot in the lock, I’m going to spend more time locking my bike, thereby losing some of the value of the lock; I’m also going to wish I’d known before buying the lock that the company planned to make the wire-cutters. Apple shouldn’t have to make the wire-cutters.

*Can’t I just buy an iPhone 6, which has TouchID and a secure enclave? You can, but that doesn’t solve the problem. First, the authorities can compel you to give up your biometric indicators to bypass TouchID (you know they take your fingerprints when you’re in custody anyway), but they can’t compel you to give up a password stored in your mind. Second, Apple could just as easily be forced to bypass iPhone 6 (and 7, etc.) security, if they’re forced to bypass 5c security--and passcode timing and entry work the same on later models as on the 5c. If you want to go this route, you’re staking $500 (about the cost of a carrier-agnostic iPhone 6) on a bet that no matter the outcome of the current case, Apple will win the next case. That’s not a great bet if Apple loses the current case, and if they win the current case, you could just stick with your 5c for no additional cost.

-Allison Berke

