It looks like Apple’s plans to strengthen iPhone security to make it impossible for the company to comply with future demands to hack into them will require new hardware. But you can already make it effectively impossible to gain access to your iPhone, even if Apple was forced to bypass passcode time-outs. All that is needed are two simple changes.
First, if you currently use a 6-digit passcode, change it to a longer one. If Apple removes the timeouts, and that compromised firmware gets into the wrong hands, it will take an average of just 11 hours to brute-force a 6-digit code. Simply doubling the number of digits to 12 means that the average time needed increases exponentially to 1,268 years.
If that isn’t enough for you, changing it to a complex alphanumeric one literally pushes the brute-force attack time into the millions of years. There is, however, one other weakness you need to address …
While your iPhone is encrypted locally, meaning that Apple doesn’t have the key, the same isn’t true of iCloud. That is encrypted, but Apple does have the key. That means Apple – or anyone able to gain access to that key – could gain access to the contents of your phone indirectly, by downloading your iCloud backup. That’s what Apple did in the San Bernardino case (at least, up to the point when the government changed the password).
Apple plans to come up with a method of encrypting iCloud backups in such a way that the company no longer holds a key, but in the meantime, switching off iCloud backup and switching instead to encrypted backups in iTunes will protect your data. Both steps take just a few minutes.
To change your passcode to 12 digits, go to Settings > Touch ID & Passcode > Change Passcode > Passcode Options > Custom Numeric Code and enter as many digits as you like. Or choose Custom Alphanumeric Code if you want to use letters too. Once that’s done, you’ll also notice the lock screen gives no clue as to how many digits or characters are needed (as shown in the photo above).
To stop backing up to iCloud – and delete your existing backup – go to Settings > iCloud > Storage > Manage Storage then select your device before pressing Delete Backup. When asked to confirm, select Turn Off & Delete.
You then need to switch to local backups in iTunes. Click on the devices icon in the tabbed menu, select your iPhone and then click the radio button for ‘This computer.’ Check the box for ‘Encrypt iPhone backup,’ and then click the Apply button at the bottom of the window.
Warning: backing up locally is much riskier than iCloud backups when it comes to protecting your data from being lost. If your house burns down, or someone steals your MacBook and external drives, that’s your phone backup gone.
You need to balance the risks of being hacked against the risks of losing your data. Personally, I consider the data loss risk far higher, so I’m happy to backup to iCloud and wait for Apple to upgrade the encryption there so I get the best of both worlds. But if you disagree, and consider hacking the greater risk, protecting yourself takes just minutes.