iPhone unlocking tool GrayKey sees increased use across all levels of law enforcement

Comments

  • Reply 21 of 47
    ivanh said:
    An Alternate Password System can give Alternate Data Set and hide the phone user data. Pre-requisite is that the phone’s OS must be multi-user ready. This is not what Apple wants.
    That is not going to help you if you can attempt to brute force the phone (or its virtual copy) as many times as you want. I think that is why they are able to get the data and a passcode. I'd say making passcodes longer (8-10 characters) would fix the problem for now.
  • Reply 22 of 47
    hexclock said:
    Soli said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No. A memorized passcode is still the most secure option one has on a device, which is why you need to use it after a restart, after too much time has passed between use, after too many failed attempts with the biometric, and why you can't set up the biometric without first setting up a passcode.

    If the 6-digit PIN isn't enough, then do what security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    Where in settings is the full keyboard option located?
    Go to: Settings>Touch ID & Passcode>Change Passcode>(after entering old code)>Passcode Options...select 4 digit, 6 digit or alpha numeric and create new passcode.
  • Reply 23 of 47
    jbdragon Posts: 1,856 member
    epicurus said:
    I opted to go with the old traditional way of a random alpha numeric, character typed password, more than the 4 or 6 character password.. not that I have anything criminal on my phone, it’s still nobody’s business to touch my phone ever..
    I’m using an 8 digit passcode, but looks like I’ll be switching to a longer alpha numeric.  Maybe even turn on the wipe feature if too many wrong passwords are entered.
  • Reply 24 of 47
    MplsP Posts: 610 member
    Honestly, my main concern with this is that GrayKey sells a completely unlocked, untethered version that could be stolen and used by whomever.

    We all want privacy, but the constitution doesn’t guarantee us complete privacy, just protection from unreasonable search and seizure without due process. If a terrorist is caught with an iPhone, I absolutely want the government to be able to get into it. If I lose my iPhone, I want security knowing some lowlife can’t get into it. This seems like it’s about the right balance. If you’re that paranoid about someone getting in, you can change to an alpha numeric password.
  • Reply 25 of 47
    fastasleep Posts: 1,786 member
    jbdragon said:
    epicurus said:
    I opted to go with the old traditional way of a random alpha numeric, character typed password, more than the 4 or 6 character password.. not that I have anything criminal on my phone, it’s still nobody’s business to touch my phone ever..
    I’m using an 8 digit passcode, but looks like I’ll be switching to a longer alpha numeric.  Maybe even turn on the wipe feature if too many wrong passwords are entered.
    The entire point of this tool is that it bypasses the attempt limit to bypass the wipe feature.
  • Reply 26 of 47
    fastasleep Posts: 1,786 member

    MplsP said:
    Honestly, my main concern with this is that GrayKey sells a completely unlocked, untethered version that could be stolen and used by whomever.
    Or purchased by anyone with the $. There are huge stolen iPhone rings out there. I had mine stolen in Spain and was still getting phishing texts/emails trying to get me to sign into a fake page with my Apple ID to unlock my X. At least I can rest knowing they're staring at a $1150 paperweight... unless they get a tool like this, in which case they could potentially unlock it in 3 days.
  • Reply 27 of 47
    sflocal said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No consumer device will ever be 100% secure.  Let's agree on that.  The deterrent for many will be in the difficulty of breaking into an iPhone.

    One thing I'm confident of is that Apple will continue to harden iPhone security, but then the iPhone cracking industry will continue as well.  Cat and Mouse.  
    Correct.  Where there is a will there is a way, provided you have the time and money to do it.  The key to cracking an iPhone is possession of the device.  Given that a 6 digit numeric code takes 3 days to crack I would venture that is more than long enough to remotely wipe the device clean.

    If Apple were ever able to implement an alpha/numeric/character password on an iOS device, cracking time would increase to months.

    I, for one, am happy with 6 numeric, mainly because I can't imagine that there is anything on my iPhone/iPad that somebody would want so much, that they would spend $15,000 (minimum) for a device to crack it.
  • Reply 28 of 47
    hexclock Posts: 416 member
    hexclock said:
    Soli said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No. A memorized passcode is still the most secure option one has on a device, which is why you need to use it after a restart, after too much time has passed between use, after too many failed attempts with the biometric, and why you can't set up the biometric without first setting up a passcode.

    If the 6-digit PIN isn't enough, then do what security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    Where in settings is the full keyboard option located?
    Go to: Settings>Touch ID & Passcode>Change Passcode>(after entering old code)>Passcode Options...select 4 digit, 6 digit or alpha numeric and create new passcode.
    Thanks! I never noticed that option before. Of course I haven’t updated my password in about 4 OS versions either. 
  • Reply 29 of 47
    mattinoz Posts: 895 member
    jbdragon said:
    epicurus said:
    I opted to go with the old traditional way of a random alpha numeric, character typed password, more than the 4 or 6 character password.. not that I have anything criminal on my phone, it’s still nobody’s business to touch my phone ever..
    I’m using an 8 digit passcode, but looks like I’ll be switching to a longer alpha numeric.  Maybe even turn on the wipe feature if too many wrong passwords are entered.
    The entire point of this tool is that it bypasses the attempt limit to bypass the wipe feature.
    Sounds like it's time for Apple to optionally require second factor after a number of attempts then. Include ability to ping your other or family's devices in find my friends (phone) to let them know it might be in wrongful hands.
  • Reply 30 of 47
    dcgoo Posts: 199 member
    Soli said:
    If the 6-digit PIN isn't enough, then do what the security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    Notwithstanding it being impossible to determine the LENGTH of the passcode.
  • Reply 31 of 47
    chasm Posts: 832 member
    I hope these law enforcement agencies spending the money on this understand that the hacks the box depends on will be circumvented, probably no later than iOS 11 this fall — rendering their device nearly worthless within another six weeks after that, as most everyone who can upgrade upgrades pretty quickly. But hey, it’s only OPM, and in some cases law enforcement has a legit need and reason to crack one open.

    Not as often as THEY think they need to, but still ...

    I notice that the GrayKey box doesn’t even offer the ability to crack into Android phones ... because there’s no need for it, the exploits for that platform are widely available and in even more widespread (and capricious) use.
  • Reply 32 of 47
    Soli Posts: 8,283 member
    dcgoo said:
    Soli said:
    If the 6-digit PIN isn't enough, then do what the security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    Notwithstanding it being impossible to determine the LENGTH of the passcode.
    True, which is why I also do a non-4-digit PIN for my Watch since it can also be used to unlock my MBP. Only the 4-digit PIN option will auto-submit the selection.
  • Reply 33 of 47
    Correct.  Where there is a will there is a way, provided you have the time and money to do it.  The key to cracking an iPhone is possession of the device.  Given that a 6 digit numeric code takes 3 days to crack I would venture that is more than long enough to remotely wipe the device clean.
    That would require the stolen iPhone to have a data signal or connect to wi-fi. Afaik, if the phone is in Airplane mode, remote wipe would not work.
    mattinoz said:
    Sounds like it's time for Apple to optionally require second factor after a number of attempts then. Include ability to ping your other or families devices in find my friends (phone) to let them know it might be in wrongful hands.
    As GrayKey doesn't rack up attempt numbers to avoid the wipe, each attempt is attempt no1 afaik. This would render the above method also useless sadly.
  • Reply 34 of 47
    gatorguy Posts: 19,260 member
    chasm said:
    I notice that the GrayKey box doesn’t even offer the ability to crack into Android phones ... because there’s no need for it, the exploits for that platform are widely available and in even more widespread (and capricious) use.
    There are companies out there with relatively high-priced "cracking" services for Android phones, i.e. Cellebrite, so not likely as simple as you want to claim. I would imagine that since GrayKey is owned by a former Apple security engineer that's the reason he's concentrating on Apple devices, not that cracking an encrypted and properly secured Android phone is child's play as you seem to think. Nice try at whataboutism tho.
  • Reply 35 of 47
    GeorgeBMac Posts: 2,866 member

    MplsP said:
    Honestly, my main concern with this is that GrayKey sells a completely unlocked, untethered version that could be stolen and used by whomever.
    Or purchased by anyone with the $. There are huge stolen iPhone rings out there. I had mine stolen in Spain and was still getting phishing texts/emails trying to get me to sign into a fake page with my Apple ID to unlock my X. At least I can rest knowing they're staring at a $1150 paperweight... unless they get a tool like this, in which case they could potentially unlock it in 3 days.
    Assuming that you put an Apple Lock on it through "Find My iPhone", they would still need your Apple ID password to unlock it.
    edited April 13
  • Reply 36 of 47
    GeorgeBMac Posts: 2,866 member
    A number of posts have stated that it bypasses the counting of the number of attempts without specifying how it does that.   But, two thoughts on this:
    1)  Based on the length of time this takes to unlock a phone, it suggests that it is a brute force procedure rather than some magic used to turn off the counter in a phone they have not yet accessed.  A simple switch under "Touch ID & Passcode" enables:  "Erase all data on this iPhone after 10 failed passcode attempts".   Since the default for this switch is "off", I suspect the program simply (and correctly) assumes that this switch is "off".

    2)  Assuming that they are bypassing the counter (say by managing the waiting periods between attempts) rather than disabling it, I suspect that Apple has multiple methods available to fix this and, that the fix would be fairly simple....
  • Reply 37 of 47
    jbdragon said:
    epicurus said:
    I opted to go with the old traditional way of a random alpha numeric, character typed password, more than the 4 or 6 character password.. not that I have anything criminal on my phone, it’s still nobody’s business to touch my phone ever..
    I’m using an 8 digit passcode, but looks like I’ll be switching to a longer alpha numeric.  Maybe even turn on the wipe feature if too many wrong passwords are entered.
    Wipe is not going to work, since it seems they could use a virtualized version of the data and OS from the phone to run it. So, basically, if the virtual "phone" wipes itself due to 10 failed attempts, you just get a new virtual copy and continue trying those passwords. Setting passwords to be 8 characters (alpha numeric) will be a much better solution, I think.
  • Reply 38 of 47
    It is somewhat surprising to me that these supposed "walled-off" FaceID and TouchID hardware can be (supposedly) so easily hacked. I seriously wonder what the truth is.
  • Reply 39 of 47
    volcan Posts: 1,710 member
    I'd rather have no password. I have nothing on my iPhone that is secret or even private. My various collection of women all have each other's contact info. A couple years ago I had a serious medical condition that was life threatening. Fortunately my attorney was able to access all my contacts while I was in the ER due to no password. Saved my life. I'd rather risk any privacy concerns over first responders not being able to access my info quickly.
    edited April 13
  • Reply 40 of 47
    jdb8167 Posts: 105 member
    It is somewhat surprising to me that these supposed "walled-off" FaceID and TouchID hardware can be (supposedly) so easily hacked. I seriously wonder what the truth is.
    From the description of how long it takes to crack 4 and 6 digit passcodes, it seems likely that this is brute force using the iPhone hardware to test against the secure enclave. This means that they've hacked the code that counts attempts but haven't cracked the enclave itself. And the enclave also slows down each attempt in hardware to about 20 ms per attempt which is consistent with the numbers stated for how long it takes to break in. If this is correct (I'm guessing) then a longer passcode or an alpha-numeric password will significantly increase the amount of time it takes to break encryption. I use a 10+ digit passcode. My estimate is that it would take over 3 years on average to break the encryption on my iPhone.
    edited April 13
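
The reasoning in reply 40 (a fixed delay per attempt, so search time grows with the passcode keyspace) and the point in reply 30 about the passcode length being unknown, worked through as an added example that is not part of the thread. The 20 ms per attempt is the commenter's own guess and is only a parameter here; the alphabet sizes and function names are assumptions made for the example.

```python
# Added example: sizing a passcode against a fixed per-guess cost.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabets (not taken from the thread).
DIGITS = 10          # numeric PIN
ALPHANUMERIC = 62    # a-z, A-Z, 0-9


def avg_guesses(alphabet: int, length: int, length_known: bool = True) -> float:
    """Expected guesses to hit a uniformly random passcode of `length`.

    If the length is not known, every shorter length has to be
    exhausted first (shortest-first search) before the real one.
    """
    if alphabet < 2 or length < 1:
        raise ValueError("alphabet must be >= 2 and length >= 1")
    shorter = 0 if length_known else sum(alphabet ** k for k in range(1, length))
    return shorter + alphabet ** length / 2


def avg_years(alphabet: int, length: int, per_guess_s: float,
              length_known: bool = True) -> float:
    """Average search time in years at `per_guess_s` seconds per guess."""
    return avg_guesses(alphabet, length, length_known) * per_guess_s / SECONDS_PER_YEAR


def min_length(alphabet: int, per_guess_s: float, target_years: float,
               max_length: int = 64) -> int:
    """Shortest passcode whose average search time reaches the target."""
    for n in range(1, max_length + 1):
        if avg_years(alphabet, n, per_guess_s) >= target_years:
            return n
    raise ValueError("target not reachable within max_length")


if __name__ == "__main__":
    per_guess = 0.020  # seconds; the estimate quoted in reply 40
    for name, alphabet in (("digits", DIGITS), ("alphanumeric", ALPHANUMERIC)):
        for n in (4, 6, 8, 10):
            print(f"{name:12s} len={n:2d} avg={avg_years(alphabet, n, per_guess):.3g} years")
        print(f"{name:12s} min length for 1 year avg: {min_length(alphabet, per_guess, 1.0)}")
```
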