New Grayshift spyware lets police surreptitiously snatch iPhone passcodes
Mobile forensics firm Grayshift is marketing a software tool that can reveal a user's iPhone passcode without cracking the device, according to a new report.

The GrayKey is a device made by a company called Grayshift that can crack the encryption on most iPhones. Credit: Malwarebytes
Grayshift is known for its flagship GrayKey product, a digital forensics tool that can bypass the encryption on an iPhone. Though it's been tested against even the latest iPhone models, the process it uses can take days, if not weeks, to complete.
Now, NBC News reports that Grayshift has developed tracking software called Hide UI that can reveal an iPhone user's passcode to law enforcement much more quickly.
The Hide UI tool is a piece of spyware that can be installed on an iPhone via GrayKey. Once it's on a user's device, it "hides" itself, but continues to track user input. If a user types in their passcode while Hide UI is active, the software can log it and use it to bypass encryption later.
That, of course, requires the device to be put back in the hands of a user or suspect. Law enforcement officials told NBC that using Hide UI typically entails a bit of social engineering.
Some examples include telling a suspect they can call their lawyer or delete phone contacts. Once they tap their passcode in, Hide UI saves it in a text file the next time the iPhone is plugged into a GrayKey.
According to NBC, Hide UI has been a feature of GrayKey for about a year, but required non-disclosure agreements signed by law enforcement officials have kept its existence concealed until now.
The secrecy surrounding the tool has raised concerns among civil liberties activists and lawyers, specifically the potential for it to be used without a warrant.
Law enforcement officials who spoke with NBC maintained that they've never used Hide UI without a warrant. At least one source also added that the software was "buggy," and it was usually easier to just compel suspects to hand over their passcodes.
Grayshift doesn't publicly list Hide UI as a feature, but does refer to some "advanced features" in its GrayKey marketing materials. NBC reports that Hide UI and other intelligence-gathering tools aren't explained to police departments until they sign NDAs.
In at least one NDA, Grayshift even required law enforcement to notify it if technical details were likely to be revealed through judicial processes. The advance notice would give Grayshift an opportunity to "obtain a protective order or otherwise oppose the disclosure."
Lance Northcutt, a Chicago-based attorney, called that "pretty shocking," and told NBC that it suggests the interests of Grayshift could be interfering with due process.
News of the Hide UI feature comes just hours after the FBI revealed that it was able to unlock two iPhones belonging to the gunman in the Pensacola mass shooting, even after Justice Department officials called on Apple to help with the process. Even before that, U.S. law enforcement entities had long been able to crack iPhones without Apple's help.
Attorney General William Barr maintains that Apple's strong encryption is problematic, and that a "legislative solution" is required for police agencies to be able to do their job. Apple, for its part, has been steadfast in refusing to build a backdoor for law enforcement into its products.

Comments
I'd like to think Apple could offer options like a T-series chip that could evaluate how data is accessed so that such devices become unusable.
For maximum security, don't use iCloud and especially not iCloud backups. Set a very strong passcode of 20+ characters. If handing over to someone else, disable FaceID/TouchID so only the passcode is allowed. If they give the device back, you either destroy it or DFU wipe and restore the OS and restore a local encrypted backup.
If traveling across nation state borders either don't bring your primary device or bring a burner you can discard. They may demand you unlock the device so they can inspect / image it. Border security laws are drastically different than normal law enforcement. They may seize your device. The US, Australia and New Zealand have highly invasive demands.
But the truly paranoid will simply go off grid. Zero electronics whatsoever. Your smartphone is constantly broadcasting unique identifiers over cellular, Wi-Fi, Bluetooth, or NFC and you can certainly be tracked. When you see that COVID-19 map of those cell phone users on the Daytona FL spring break beach and each device was tracked back to their homes across the country, that should open one's eyes that metadata is extremely valuable. Many retail stores are tracking your movement through the store by using these broadcast identifiers and if you pay with a credit card or store card or use a membership card they tie all that data together and identify you.
The encrypted data stores on an iPhone contain far more detail that never leaves the device. But Android phones send all that data back to Google. Notice how Google is not being hounded by the DOJ, only Apple. The most sensitive privacy data is kept on the device and as such Apple is providing the highest level of privacy at this time.
In many cases these Grayshift articles are not explaining the details such as the latest model iPhones not being vulnerable, but because there are so many older models these devices are still viable for law enforcement. When the DOJ mentioned that latest crack against the terrorist's iPhones they mentioned that the technique used already doesn't work on the latest models. That might have been a reference to the hardware flaw that Apple fixed after the iPhone X that was the beginning stage of a jailbreak. The Grayshift device has found some way to side-load a hidden App that breaks the rules sandboxed apps normally follow. It's possible the device is indeed jailbroken. Some Apps such as BlackBerry Work among others will detect the jailbreak and cease functioning as well as destroying the encrypted corporate email storage. Most MDM managed devices would also report on a jailbreak and an MDM administrator would then remotely nuke the device for security purposes.
If a device leaves your possession you can no longer trust it. This has always been the case.
https://blogs.findlaw.com/blotter/2017/07/can-i-be-arrested-for-installing-keylogging-software.html
"When it comes to the legality of the software, or the hardware, generally, keyloggers, like other hacking software and hardware, are legal to own or possess. However, installing it on a computer, even your personal computer, can expose you to legal trouble. If you let anyone else use your computer without disabling the keylogger, or letting them know it is active, you are likely violating federal law."
Disclaimer: I am not a lawyer and of course our police force can get away with anything until they are challenged.
Takes phone, bends it in half or completely wipes it...