iPhone unlocking firm Grayshift faces extortion demands after data breach

Posted in iPhone, edited April 24
Grayshift, the firm responsible for the GrayKey iPhone hacking tool, is in the crosshairs of an extortionist after its product's source code was inadvertently exposed to the internet last week.

GrayKey device. | Source: MalwareBytes

An unknown party appears to have snatched GrayKey's source code and leaked a portion of the data online, reports Motherboard. Alongside the code, the hacker or hackers included a message threatening to distribute more of GrayKey unless Grayshift places two Bitcoin, currently worth about $19,000, into a secure account.

The company confirmed the breach, but says no sensitive data was exposed in the incident.

"Due [to] a network misconfiguration at a customer site, a GrayKey unit's UI was exposed to the internet for a brief period of time earlier this month," Grayshift said in a statement. "During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access."

The anonymous party posted two separate messages requesting payment from Grayshift, each of which included a snippet of code that appears to be associated with GrayKey's user interface. Grayshift maintains the hackers failed to glean code responsible for operating a GrayKey box, or functional code responsible for cracking an iPhone.

GrayKey garnered media attention in March as a cost-effective digital forensics solution designed specifically to unlock password-protected iPhone hardware. Advertised in two "flavors," GrayKey is available as an internet-connected, limited-use unit for $15,000, while an unrestricted standalone version sells for $30,000.

The device itself is a small gray box with two Lightning connectors. Once an iPhone is attached, the device inserts what appears to be jailbreak software that leverages an as-yet-undisclosed zero-day exploit to bypass built-in iOS security protocols.

To thwart brute force attacks, commonly used by automated passcode guessing solutions, Apple employs a mechanism that delays input after incorrect attempts. Specifically, iOS institutes mandatory pauses after four consecutive attempts, running from one minute for a fifth unsuccessful attempt to one hour for the ninth consecutive error. An additional protection allows iPhone owners to wipe their device on a tenth unsuccessful attempt.

GrayKey is able to bypass each failsafe, including the automated data erase option. The method has proven capable of unlocking devices up to iPhone X running iOS 11.3.

A report earlier this month suggests GrayKey can break a simple four-digit code in a matter of minutes, while a six-digit code -- now the standard for iOS -- takes an average of 11 hours. Longer ten-digit and alphanumeric codes, however, can take up to 25 years to break.

Boasting a fairly rapid unlocking process on the cheap, GrayKey has enjoyed high demand from a variety of law enforcement agencies. Reports this month suggest Grayshift is selling units to local police departments and federal government agencies including the State Department, while the Secret Service and Drug Enforcement Agency have shown interest in the technology.

There are a number of unanswered questions surrounding GrayKey, some of which touch on security concerns related to a network-attached unlocking tool. As the exact workings of GrayKey remain under lock and key, some wonder whether the device can be remotely accessed or if third parties can intercept data sent from the box to Grayshift servers.

Today's news is troubling not only for Grayshift, but for iPhone owners as well. If the hackers were able to secure GrayKey's source code, as they claim, the information could theoretically be acquired by unscrupulous organizations or individuals. Indeed, the extortionists have set up a secondary address to accept Bitcoin offers from "wild bidders" interested in procuring the alleged code. Of course, this second address could merely be a ploy to push Grayshift into paying the ransom, but the specter of a fully developed iPhone unlocking tool floating in the wild remains.

So far, neither account has received payment, the report said.

Comments

  • Reply 1 of 50
    This is too fun. Time for some fine bubbly.
  • Reply 2 of 50
    radarthekat (Posts: 2,375, moderator)
    Seems Apple should be able to shut down this exploit.  A code review is in order, and I imagine, in process.  At some point Apple will likely find a method to completely block jail breaking.  Perhaps there’s a means by which a gatekeeper hardware solution could be built in that requires a handshake with an Apple server before any kind of change representing a traditional jailbreak could be stored to the phone or run in memory.  Shut down these software exploits the jail breakers always seem to be able to identify.  
    edited April 24
  • Reply 3 of 50
    georgie01 (Posts: 144, member)
    I’m quite pleased this firm developed this product. It shows the fuss the FBI and other law enforcement agencies is unfounded, that it’s the responsibility of others to work out solutions to get at the data rather than ask the manufacturers to solve law enforcement’s problems.

    It also shows the lack of willingness of the FBI and other law enforcement agencies to sacrifice security for freedom (which is very shortsighted because it solves an immediate problem while creating a much bigger one) is even more problematic, because the problem can be solved.
  • Reply 4 of 50
    Criminals are stuuuuupid.  Now the FBI is 2x motivated to shut them up. 
    (One because extortion is illegal.  Two because they don’t want the code leaked and the vulnerability patched)
  • Reply 5 of 50
    roake (Posts: 550, member)
    georgie01 said:
    I’m quite pleased this firm developed this product. It shows the fuss the FBI and other law enforcement agencies is unfounded, that it’s the responsibility of others to work out solutions to get at the data rather than ask the manufacturers to solve law enforcement’s problems.

    It also shows the lack of willingness of the FBI and other law enforcement agencies to sacrifice security for freedom (which is very shortsighted because it solves an immediate problem while creating a much bigger one) is even more problematic, because the problem can be solved.
    With all due respect, the FBI has a great deal of willingness to sacrifice both.
  • Reply 6 of 50
    chasm (Posts: 585, member)
    BWAHAHAHAHAHA ... gasps for air ... HAHAHAHAHA
  • Reply 7 of 50
    radarthekat (Posts: 2,375, moderator)
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
  • Reply 8 of 50
    Soli (Posts: 7,367, member)
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    So bearer bonds shouldn't exist either?
  • Reply 9 of 50
    MplsP (Posts: 460, member)
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

  • Reply 10 of 50
    We’ve entered William Gibson’s world...
  • Reply 11 of 50
    sflocal (Posts: 4,097, member)
    This article sounds more like click-bait dramatics than actual damage.  Sounds like the box has a built-in web server and all a user has to do is communicate via a browser instead of having to install some kind of software on their computers.

    This is not even anything remotely close to having access to the actual code which makes this hardware work unless the actual code is a bunch of php, java, javascript, etc., which to me would just not make sense.

    There is way more to this story that is not being discussed, and I'm beginning to think it's another one of the media's "Let's be the first to post, and retract later" antics.  I'm a software engineer and there's just too many holes in this story to come to any kind of conclusion just yet.  
  • Reply 12 of 50
    StrangeDays (Posts: 4,787, member)
    MplsP said:
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

    Yes, and let’s ban money — should put an end to greed and exploitation if there’s no money, right?
  • Reply 13 of 50
    mac_dog (Posts: 539, member)
    Holy fuck! that was much too fast! Yeah, I sure trust this government and its contractors with the safety of information for this country. /s

    we’re fucked...
  • Reply 14 of 50
    sflocal (Posts: 4,097, member)
    MplsP said:
    Today's news is troubling not only for Grayshift, but for iPhone owners as well...the specter of a fully developed iPhone unlocking tool floating in the wild remains.

    This is my concern. Of course, if the code is released, Apple will also be able to analyze it and potentially patch the hole. Who knows, maybe they've already ponied up the 2 bit coin to get the code.

    On a side note, I'm starting to think the US should do like other countries and ban bitcoin. One of the primary uses is for ransom, extortion and terror funding to countries like North Korea, and aside from the curiosity, I can't think of many true reasons to use bitcoin.

    Yes, and while you're at it, let's ban U.S. dollars as well so folks like Pablo Escobar don't go and bury billions of it in their back yards to fund future wars. :/
  • Reply 15 of 50
    urashid (Posts: 41, member)
    Live by the sword, die by the sword ...
  • Reply 16 of 50
    lukei (Posts: 316, member)
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    It isn’t untraceable. That’s the big con. 
  • Reply 17 of 50
    macseeker (Posts: 361, member)
    lukei said:
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    It isn’t untraceable. That’s the big con. 
    Isn't there a master log book of all cryptocurrency transactions?  I think I've read that somewhere.
  • Reply 18 of 50
    fastasleep (Posts: 1,438, member)
    sflocal said:
    This article sounds more like click-bait dramatics than actual damage.  Sounds like the box has a built-in web server and all a user has to do is communicate via a browser instead of having to install some kind of software on their computers.

    This is not even anything remotely close to having access to the actual code which makes this hardware work unless the actual code is a bunch of php, java, javascript, etc., which to me would just not make sense.

    There is way more to this story that is not being discussed, and I'm beginning to think it's another one of the media's "Let's be the first to post, and retract later" antics.  I'm a software engineer and there's just too many holes in this story to come to any kind of conclusion just yet.  
    How do you know what code lives where and what they got? There is a web interface to interact with the box itself, but if you have the source code for the box itself you could just build your own box. 
  • Reply 19 of 50
    radarthekat (Posts: 2,375, moderator)
    Soli said:
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    So bearer bonds shouldn't exist either?
    There would still remain plenty of other things cryptocurrencies, gold and bearer bonds could be used to pay for.  How did you jump from what I said to assume I was suggesting these financial instruments shouldn’t exist at all?   
  • Reply 20 of 50
    Soli (Posts: 7,367, member)
    Soli said:
    Maybe it should be a federal crime to pay hostage and extortion demand via cryptocurrency.  It’s a real threat to society to have an untraceable medium of exchange.  Hmm, maybe gold too.  Lol
    So bearer bonds shouldn't exist either?
    There would still remain plenty of other things cryptocurrencies, gold and bearer bonds could be used to pay for.  How did you jump from what I said to assume I was suggesting these financial instruments shouldn’t exist at all?   
    Because you made a claim against untraceable currencies. Bearer bonds are less traceable than cryptocurrencies which leave a trail with every transaction. So if you're against something that is recorded you'd then have to be against something that isn't, based on your previous statement.
    edited April 25