'GrayKey' iPhone unlocking tool revealed as pocket-sized device with questionable security...

Posted:
in iPhone edited March 15
The forensic tool known as 'GrayKey' has grave privacy and security implications, a report into the iPhone-unlocking tool suggests, as it has the potential of being misused by thieves and other criminals if the compact device is stolen from members of law enforcement.

via MalwareBytes
via MalwareBytes


The recently surfaced 'GrayKey' tool from startup Grayshift offers a way for government agencies and members of law enforcement to gain access to an iPhone without sending it off for analysis by security analysts. The tool is marketed as being able to extract the full filesystem from an iPhone, and is able to perform brute-force passcode attacks against the device in a short period of time.

An anonymous source of MalwareBytes Labs reveals it to be a small gray box, measuring four inches square by two inches deep, with two Lightning cables on the front of the device allowing two iPhones to be connected at the same time.

The iPhones can be disconnected from the unit after about two minutes, but after disconnection, software will continue running on the iPhones to crack the security, later showing the passcode and other details on the iPhone's screen. The source advised the time for this process can vary from two hours for shorter passcodes up to three days or longer for six-digit versions.

via MalwareBytes
via MalwareBytes


After unlocking, the iPhone can be connected back to the GrayKey device to download the full contents of the filesystem, which are accessible through a web-based interface on a connected computer. This includes the unencrypted contents of the iPhone's onboard keychain.

Screenshots supplied to the report reveal it will work with newer iPhones, including the iPhone X, and will work on iOS releases up to 11.2.4.

Two versions of the GrayKey are offered, starting from $15,000 for a model that is strictly geofenced and requiring Internet connectivity to function, as well as having a limit to the number of unlocks it can perform. The $30,000 version has no unlock limit and doesn't require an Internet connection to function, though it does use token-based two-factor authentication instead of geofencing for security, meaning it can be taken to different locations and used practically anywhere.

MalwareBytes notes that given the tendency for people to ignore security protocols for the sake of convenience, like putting a password on a sticky note attached to a monitor, there is a good chance the token used to secure the more expensive version will be kept relatively nearby the GrayKey itself.

This complacency could make the GrayKey and its token far easier to steal, and be used by criminals, the report hints, due to the small pocketable size and the ability to continue working offsite. The hardware could potentially fetch a high price on the black market, due to being able to unlock stolen iPhones for resale, and to access highly valuable personal data of their owners.

The report also posits the possibility that the GrayKey could be using some sort of jailbreak to gain access, questioning if it remains jailbroken if the iPhone is returned to the owner, further adding the possibility of remote access to it by others.

While suspects are the likely targets for the tool, the state of the iPhone after the process may also be an issue for witnesses providing their devices to law enforcement with their consent. If a passcode isn't given by the witness, the technician extracting the data may elect to use GrayKey instead, which could leave the iPhone in a vulnerable unlocked state when it is returned.

The security of the network-limited version is also unknown, with further questions asked about whether it can be remotely accessed, if the data can be intercepted in transit, and even if the phone data is stored securely once acquired.

As it is unclear if sales are just limited to law enforcement in the US or to other agencies in the rest of the world, the report raises the prospect of its misuse by "agents of an oppressive regime." It is also suggested the device could end up being reverse engineered, reproduced, and sold by an enterprising hacker at a cheaper price to any criminal who wants their own unit.

"The existence of the GrayKey isn't hugely surprising, nor is it a sign that the sky is falling," sums up the report. "However, it does mean that an iPhone's security cannot be ensured if it falls into a third party's hands."

Comments

  • Reply 1 of 16
    This is bad, a lot of police enforcement is corrupt & linked to theives. There must be a shield for the good.  
    racerhomie3magman1979viclauyyccornchipwatto_cobrarinosaurstanthemanjony0
  • Reply 2 of 16
    technotechno Posts: 661member
    I want to know more about this. How does it deal with 10 failed attempts and erase? Do we have proof this works or is even a real thing?
    magman1979repressthisapplejefflostkiwiwatto_cobra
  • Reply 3 of 16
    DAalsethDAalseth Posts: 162member
    I am confident that the bad guys have already gotten their hands on these. However I am even more confident that Apple has, or shortly will, get ahold of one and figure out a way to block it from working. EDIT: I just had a thought. What will happen is that these will fall into the hands of criminals. Within a couple of weeks cheap black market copies out of the far east will flood the market. The value will crash and the original developers will end up making little if anything off of their invention. I'll be back here LMAO
    edited March 15 cornchipwatto_cobra
  • Reply 4 of 16
    Mike WuertheleMike Wuerthele Posts: 2,698administrator
    techno said:
    I want to know more about this. How does it deal with 10 failed attempts and erase? Do we have proof this works or is even a real thing?
    Seems like it does.

    https://appleinsider.com/articles/18/03/09/graykey-iphone-unlock-in-use-by-indiana-police-documents-reveal
    repressthis
  • Reply 5 of 16
    mdamagnezmdamagnez Posts: 1unconfirmed, member
    The good thing is it takes more than 3 days for a 6 digit number password. So using a longer password with numbers and text will massively increase the time and therefore making it worthless.
    anton zuykovlightvoxcornchipwatto_cobraKopfschmerzen
  • Reply 6 of 16
    Any smart criminal will just destroy the lightning port. These days with wireless charging iPhone 8 and X, you don't really need it.


    repressthisviclauyyccornchipking editor the gratestantheman
  • Reply 7 of 16
    zenmasterzenmaster Posts: 2unconfirmed, member
    techno said:
    I want to know more about this. How does it deal with 10 failed attempts and erase? Do we have proof this works or is even a real thing?
    According to my fuzzy understanding (I could be completely wrong) It runs the brute-force script on the extracted image of the iPhone's OS. Once it reaches the limit, let's say 9 attempts is the limit, it starts again on a separate but identical image of the iPhone's OS.
    SpamSandwichrepressthisanton zuykovlostkiwifastasleepwilliamhcornchipwatto_cobrastantheman
  • Reply 8 of 16
    williamhwilliamh Posts: 595member
    DAalseth said:
     However I am even more confident that Apple has, or shortly will, get ahold of one and figure out a way to block it from working.
    This does seem to be a real thing.  My worry is that they've found a fundamental flaw in iOS security that can't be fixed without a hardware update.  Whatever it is, it will be BIG news when the flaw is revealed. I'm surprised it hasn't generated more news already.
    zenmasterDAalsethwatto_cobra
  • Reply 9 of 16
    SpamSandwichSpamSandwich Posts: 29,266member
    Future iPhones should have no connecting ports of any kind and any attempts to crack the completely sealed device should result in bricking it.

    Whatever happens, it will be an ongoing effort on Apple’s part to meet and exceed the efforts of others in their attempts to break into any secure devices.
    edited March 15 repressthiswatto_cobra
  • Reply 10 of 16
    Any smart criminal will just destroy the lightning port. These days with wireless charging iPhone 8 and X, you don't really need it.


    That wouldn't work - the investigators would just solder a new one on.
    minicoffeestantheman
  • Reply 11 of 16
    jdb8167jdb8167 Posts: 102member
    Good luck with my passcode—it is 10 digits. Since the password rate is controlled by the Secure Enclave and takes 20 ms per attempt. That is is 6+ years of brute force.

    Good Luck.
    edited March 15 cornchipwatto_cobra
  • Reply 12 of 16
    JFC_PAJFC_PA Posts: 172member
    Complex passcode. 

    then it’s Darwin criminals that get hacked. 
    watto_cobra
  • Reply 13 of 16
    StrangeDaysStrangeDays Posts: 4,787member
    zenmaster said:
    techno said:
    I want to know more about this. How does it deal with 10 failed attempts and erase? Do we have proof this works or is even a real thing?
    According to my fuzzy understanding (I could be completely wrong) It runs the brute-force script on the extracted image of the iPhone's OS. Once it reaches the limit, let's say 9 attempts is the limit, it starts again on a separate but identical image of the iPhone's OS.
    Not according to this paragraph:

    ”The iPhones can be disconnected from the unit after about two minutes, but after disconnection, software will continue running on the iPhones to crack the security, later showing the passcode and other details on the iPhone's screen.”

    ...that sounds like it installs software onto the iphone and runs the attack there. 
    edited March 15 cornchipwatto_cobra
  • Reply 14 of 16
    viclauyycviclauyyc Posts: 251member
    I wonder what is the end game for this company?

    They might sell tens of thousands unit for the first year. But the sales number is highly affected by Apple’s security updates. Given IOS user update more frequently than other OS. The box might not sell as well as they hope. Or even worse, each state only purchase a few for the whole state. After all, they need warrants to crack the phone. How often do they need each day? Unless they start to sell to everyone.

    But what if their end game is to make Apple buy the company and pay every engineer few millions a year?


    cornchipwatto_cobra
  • Reply 15 of 16
    adm1adm1 Posts: 808member
    viclauyyc said:
    I wonder what is the end game for this company?

    They might sell tens of thousands unit for the first year. But the sales number is highly affected by Apple’s security updates. Given IOS user update more frequently than other OS. The box might not sell as well as they hope. Or even worse, each state only purchase a few for the whole state. After all, they need warrants to crack the phone. How often do they need each day? Unless they start to sell to everyone.

    But what if their end game is to make Apple buy the company and pay every engineer few millions a year?


    they're a security start-up, their goal is what they are currently achieving - to create and sell a method to access locked iOS devices. As Apple beefs up security, they will continue to find new ways to break in. The tit-for-tat battle continues and we as mere consumers benefit from the enhanced security that it brings. Just like competition in innovation and design, the security/hacker community keep Apple on their toes to continue improving their hardware and software offerings.

    If Apple buys them out, one or two guys might make a few bob but a replacement start-up company will just take their place in no time at all and the cycle continues.
    muthuk_vanalingam
  • Reply 16 of 16
    It's wise to use a long alphanumeric password anyway. Some corporations require their employees to use it if they want to get access to corporate resources from personal iPhones. With TouchID or FaceID it's not a big deal from user's perspective.
    markbyrn
Sign In or Register to comment.