How Law Enforcement Used Commercial Tools to Crack iPhone Passcodes

Apr 24, 2012 | Abuses of Power, News

Apple iPhone 3G smartphone showing the lock screen

How Law Enforcement Bypassed iPhone Passcodes

A four-digit iPhone passcode might deter a casual snoop, but in 2012, law enforcement agencies had access to commercial tools that could crack that security in remarkably little time. A Swedish firm called Micro Systemation sold a product called XRY to police departments and military customers in over 60 countries, offering the ability to bypass smartphone passcodes, extract data, and decrypt the contents for analysis.

The tool worked on both iOS and Android devices, extracting GPS location data, files, call logs, contacts, text messages, and even keystroke logs. Micro Systemation supplied 98 percent of the United Kingdom’s police departments, numerous American law enforcement agencies, the FBI, and — as its largest single customer — the U.S. military.

The Brute-Force Method

XRY operated by first bypassing the iPhone’s security restrictions to run its own code on the device, similar to the jailbreak techniques used by hobbyists to remove Apple’s installation restrictions. Once running, the tool used a brute-force approach, systematically testing every possible combination of numbers until it found the correct passcode.

The speed of this process varied dramatically depending on the complexity of the password. A demonstration video showed the tool cracking the simplest possible passcode — 0000 — in seconds, though more complex passwords could take significantly longer. Micro Systemation’s marketing director Mike Dickinson acknowledged that users who set longer passcodes could make their devices substantially harder to access: “The more complex the password, the longer and harder it’s going to be to access the phone. In some cases, it takes so long to brute force that it’s not worth doing it.”
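To put numbers on Dickinson's point, the following added example (not from the article or from Micro Systemation) estimates exhaustive-search time for different passcode policies and finds the shortest length that meets a target. The 0.08-second cost per guess, the sample policies, and all function names are assumptions; the article gives no timing figures.

```python
from fractions import Fraction

# Assumed cost of one on-device guess, in seconds (not a figure from the article).
SECONDS_PER_GUESS = Fraction(8, 100)
YEAR = 365 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode in the keyspace."""
    return keyspace(alphabet_size, length) * per_guess

def average_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """Expected time for a uniformly random passcode: (N + 1) / 2 guesses."""
    return Fraction(keyspace(alphabet_size, length) + 1, 2) * per_guess

def min_length_for(alphabet_size, target_seconds, per_guess=SECONDS_PER_GUESS):
    """Shortest passcode length whose worst-case search lasts at least the target."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    length = 1
    while worst_case_seconds(alphabet_size, length, per_guess) < target_seconds:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{float(seconds / size):.1f} {name}"
    return f"{float(seconds):.1f} seconds"

if __name__ == "__main__":
    # Constructed policies for comparison: (label, alphabet size, length).
    policies = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                ("6-char lowercase+digits", 36, 6), ("8-char lowercase+digits", 36, 8)]
    for label, alphabet, length in policies:
        print(f"{label:26} worst {human(worst_case_seconds(alphabet, length)):>14}"
              f"  average {human(average_seconds(alphabet, length)):>14}")
    print("digits needed for a 1-year worst case:", min_length_for(10, YEAR))
```

Each added symbol multiplies the search time by the alphabet size, which is why moving from digits to a mixed alphabet changes the outcome far more than adding one or two digits.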

Limitations of the Technology

The tool had notable limitations. While XRY supported the latest version of Apple’s iOS operating system, it could only gain access to older iPhone and iPad hardware. The iPhone 4S, iPad 2, and iPad 3 were not supported, meaning that users with newer hardware had stronger protections regardless of which iOS version they ran.

The limitations of such cracking tools were illustrated by real-world cases where law enforcement agencies were unable to bypass device security on their own. In one case, the FBI sought Google’s assistance to access the Android phone of a paroled convict accused of running a criminal operation, apparently unable or unwilling to crack the device’s protections independently.

A Booming Industry Built on Mobile Evidence

Micro Systemation’s business reflected a broader trend in digital forensics. The company had grown roughly 25 percent in revenue year-over-year, reaching $18 million in 2010 and doubling its workforce since 2009. Half of the company’s 75 employees were devoted to research and development, constantly working to reverse-engineer new devices and operating systems as they entered the market.

Dickinson described the field as a “massive boom industry,” driven by the fact that while people had learned over two decades to be cautious about their personal computers, they had not yet developed the same awareness about their phones. From an evidentiary standpoint, the data stored on smartphones was proving tremendously valuable to investigations.

The Broader Privacy Question

The existence of commercial phone-cracking tools raised significant questions about the balance between law enforcement needs and personal privacy. The tools exploited security vulnerabilities that affected millions of ordinary users, not just criminal suspects. While Micro Systemation claimed it did not rely on manufacturer-created backdoors, instead finding security flaws on its own through reverse engineering, the result was the same: any vulnerability found for law enforcement use was also potentially exploitable by malicious actors.

The episode foreshadowed the much larger public debate about encryption and law enforcement access to devices that would intensify in subsequent years, culminating in high-profile legal battles between technology companies and government agencies over the fundamental question of whether any smartphone could — or should — be truly impervious to official access.
