iPhone unlocking tool GrayKey sees increased use across all levels of law enforcement

Posted in iPhone, edited April 12
With the help of the iPhone-cracking GrayKey, local police departments and government agencies alike are gaining the ability to crack iPhone security in ever-greater numbers, a new report says.

Back in early 2016, Apple famously refused to assist the FBI in unlocking an iPhone 5c belonging to Syed Rizwan Farook, one of the shooters in that year's San Bernardino attack. The FBI later got into the device on their own, setting off an entire round of disputes between the company and federal law enforcement.

Both federal law enforcement and local police departments have begun using GrayKey, a relatively inexpensive encryption bypass tool, and other tools like it, according to an investigative piece published by Motherboard.

Vice found, using public records requests, that the State Department has purchased GrayKey technology, as have the Indiana and Maryland State Police. The Secret Service and Drug Enforcement Agency are planning to do so, and the Indianapolis and Miami-Dade police departments either have bought the equipment or have sought it.

The same site had reported last month that the Indiana State Police had contracted to use GrayKey. Beyond Indiana, Vice does not say in the piece exactly how many state and local police departments are using GrayKey.

The device can unlock an iPhone protected by a four-digit passcode in a matter of hours, but six-digit passcodes, now the standard, can take as long as three days, according to an analysis by Malwarebytes.

GrayKey is manufactured by a startup company called Grayshift, with Braden Thomas, a former Apple security engineer, among its principals. Thomas has his name on at least five Apple patents.

The GrayKey device has been described as "a pocket-sized device with questionable security," available in $15,000 and $30,000 editions.

The piece also notes that despite the FBI using GrayKey, FBI Director Christopher Wray has said publicly that "we face an enormous and increasing number of cases that rely on electronic evidence. We also face a situation where we're increasingly unable to access that evidence, despite lawful authority to do so," according to comments published by the website Lawfare, and cited by Vice.

Comments

  • Reply 1 of 47
    Cesar Battistini Maziero, Posts: 107, unconfirmed, member
    Apple should eliminate the codes and stick with just Touch ID and Face ID
  • Reply 2 of 47
    SpamSandwich, Posts: 29,347, member
    Cesar Battistini Maziero said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    Neither of those things protect the phone (or iPad) owner from being forced to unlock their device, either by unethical law enforcement or a criminal who may temporarily have control over both the device and the owner.
  • Reply 3 of 47
    sfolax, Posts: 22, member
    Good job. Can't wait for DED to tell us his thoughts on this.
  • Reply 4 of 47
    gatorguy, Posts: 18,735, member
    SpamSandwich said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    Neither of those things protect the phone (or iPad) owner from being forced to unlock their device, either by unethical law enforcement or a criminal who may temporarily have control over both the device and the owner.
    ...nor from a legal court order that demands the owner use image or fingerprint to unlock his/her device. Yes, you can be forced/compelled to unlock your device secured by Touch or Face ID. You cannot be legally compelled (in the US) to reveal what's in your mind, so a passcode can be more secure than any biometric locking method on a consumer device if you're bound and determined that no one sees what's on your phone.
  • Reply 5 of 47
    sflocal, Posts: 4,128, member
    Cesar Battistini Maziero said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No consumer device will ever be 100% secure. Let's agree on that. The deterrent for many will be in the difficulty of breaking into an iPhone.

    Apple balances on a thin line in making the iPhone as secure as possible to everyone and making it easily accessible to the owner.  If my iPhone gets lost or stolen, I can be fairly confident that my data is secure.  However, if I'm in a position where my phone is confiscated by a government agency, then I would be naive to believe it's secure from a government that has the ability to throw a ton of resources, money, and manpower at breaking into my phone.

    One thing I'm confident of is that Apple will continue to harden iPhone security, but then the iPhone cracking industry will continue as well.  Cat and Mouse.  
  • Reply 6 of 47
    SpamSandwich said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    Neither of those things protect the phone (or iPad) owner from being forced to unlock their device, either by unethical law enforcement or a criminal who may temporarily have control over both the device and the owner.
    Too true. It's a mistake to use biometric verification for unlocking your iPhone. You are required to hand over such access to law enforcement. A numeric or alphanumeric code is treated differently, as you cannot be forced to share something that's stored in your brain (except when at an international border crossing [the airport, etc.]). So use a long passcode for unlocking your phone, and then use biometrics for payments, filling in forms on websites, etc. And if you're backing up your iPhone to iCloud, stop it. Apple will hand over all of that backup if they are required by law. The last time I checked, your iCloud backups are not encrypted.
    edited April 12
  • Reply 7 of 47
    bonobob, Posts: 103, member
    It seems that it's time to switch from numeric passcodes to full-blown passwords on our iPhones.
  • Reply 8 of 47
    Mike Wuerthele, Posts: 2,891, administrator
    sfolax said:
    Good job. Can't wait for DED to tell us his thoughts on this.
    It is Apple's job to make the iPhone as secure as possible, without law enforcement demanding holes. It is law enforcement's job to circumvent that, without Apple's help.

    I'm not sure what else there is to say on the issue, but I'll pass your desire for an editorial to him.
  • Reply 9 of 47
    Soli, Posts: 7,683, member
    Cesar Battistini Maziero said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No. A memorized passcode is still the most secure option one has on a device, which is why you need to use it after a restart, after too much time has passed between use, after too many failed attempts with the biometric, and why you can't set up the biometric without first setting up a passcode.

    If the 6-digit PIN isn't enough, then do what the security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    edited April 12
  • Reply 10 of 47
    sflocal said:
    No consumer device will ever be 100% secure. Let's agree on that. The deterrent for many will be in the difficulty of breaking into an iPhone.
    My previous iPhone is 100% secure.
     ;) 
  • Reply 11 of 47
    cpsro, Posts: 2,337, member

    GrayKey is manufactured by a startup company called Grayshift, with Braden Thomas, a former Apple security engineer, among its principals. Thomas has his name on at least five Apple patents.
    I'm sure Thomas hasn't used any Apple-proprietary information to develop GrayKey. Just like I'm sure Cambridge Analytica has deleted all of the Facebook data--as well as Facebook-derived data--it acquired.
    How many clients does Grayshift have in the Middle East and Asia?
    edited April 12
  • Reply 12 of 47
    78Bandit, Posts: 177, member
    Shouldn't Apple be able to sue GrayKey completely out of existence?  If a former Apple security specialist is a founder of the company and they are able to easily defeat Apple's encryption methods then it seems very likely that Mr. Thomas brought proprietary information with him.  Get a multi-million dollar judgement against them and they will fold like a cheap suit.  Just take a look at the Google Waymo / Uber lawsuit for an example.
  • Reply 13 of 47
    entropys, Posts: 1,114, member
    I certainly hope the makers have a “made for iPhone” licence.
  • Reply 14 of 47
    Looking forward to Apple figuring out how this works and disabling it permanently.
  • Reply 15 of 47
    I wonder if Apple will just disable whatever allows this to work.
  • Reply 16 of 47
    flydog, Posts: 76, member
    Cesar Battistini Maziero said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    Passcodes are more secure
  • Reply 17 of 47
    hexclock, Posts: 390, member
    Good to know. From now on I’ll write my evil plans on paper and swallow it after I have memorized the details. 
  • Reply 18 of 47
    hexclock, Posts: 390, member
    Soli said:
    Apple should eliminate the codes and stick with just Touch ID and Face ID
    No. A memorized passcode is still the most secure option one has on a device, which is why you need to use it after a restart, after too much time has passed between use, after too many failed attempts with the biometric, and why you can't set up the biometric without first setting up a passcode.

    If the 6-digit PIN isn't enough, then do what security-conscious users do—create a passcode using the full keyboard. Even just 4 characters is over 1 billion combinations with the iOS keyboard.
    Where in settings is the full keyboard option located?
  • Reply 19 of 47
    I opted to go with the old traditional way of a random alphanumeric, character-typed password, more than the 4 or 6 character password. Not that I have anything criminal on my phone; it's still nobody's business to touch my phone, ever.
  • Reply 20 of 47
    ivanh, Posts: 169, member
    An Alternate Password System can give an Alternate Data Set and hide the phone user's data. The prerequisite is that the phone's OS must be multi-user ready. This is not what Apple wants.