New Grayshift spyware lets police surreptitiously snatch iPhone passcodes

Posted:
in General Discussion
Mobile forensics firm Grayshift is marketing a software tool that can reveal a user's iPhone passcode without cracking the device, according to a new report.

The GrayKey is a device made by a company called Grayshift that can crack the encryption on most iPhones. Credit: Malwarebytes
The GrayKey is a device made by a company called Grayshift that can crack the encryption on most iPhones. Credit: Malwarebytes


Grayshift is known for its flagship GrayKey product, a digital forensics tool that can bypass the encryption on an iPhone. Though it's been tested against even the latest iPhone models, the process it uses can take days, if not weeks to complete.

Now, NBC News reports that Grayshift has developed a tracking software called Hide UI that can reveal an iPhone user's passcode to law enforcement much more quickly.

The Hide UI tool is a piece of spyware that can be installed on an iPhone via GrayKey. Once it's on a user's device, it "hides" itself, but continues to track user input. If a user types in their passcode while Hide UI is active, the software can log it and use it to bypass encryption later.

That, of course, requires the device to be put back in the hands of a user or suspect. Law enforcement officials told NBC that using Hide UI typically entails a bit of social engineering.

Some examples include telling a suspect they can call their lawyer or delete phone contacts. Once they tap their passcode in, Hide UI saves it in a text file the next time the iPhone is plugged into a GrayKey.

According to NBC, Hide UI has been a feature of GrayKey for about a year, but required non-disclosure agreements signed by law enforcement officials have kept its existence concealed until now.

The secrecy surrounding the tool has raised concerns among civil liberties activists and lawyers, specifically the potential for it to be used without a warrant.

Law enforcement officials who spoke with NBC maintained that they've never used Hide UI without a warrant. At least one source also added that the software was "buggy," and it was usually easier to just compel suspects to hand over their passcodes.

Grayshift doesn't publicly list Hide UI as a feature, but does refer to some "advanced features" in its GrayKey marketing materials. NBC reports that Hide UI and other intelligence-gathering tools aren't explained to police departments until they sign NDAs.

In at least one NDA, Grayshift even required law enforcement to notify them if technical details were likely to be revealed through judicial processes. The advanced notice would give Grayshift an opportunity to "obtain a protective order or otherwise oppose the disclosure."

Lance Northcutt, a Chicago-based attorney, called that "pretty shocking," and told NBC that it suggests the interests of Grayshift could be interfering with due process.

News of the Hide UI feature comes just hours after the FBI revealed that it was able to unlock two iPhones belonging to the gunman in the Pensacola mass shooting, even after Justice Department officials called on Apple to help with the process. Before that, U.S. law enforcement entities have long been able to crack iPhones without Apple's help.

Attorney General William Barr maintains that Apple's strong encryption is problematic, and that a "legislative solution" is required for police agencies to be able to do their job. Apple, for its part, has been steadfast in refusing to build a backdoor for law enforcement into its products.

Comments

  • Reply 1 of 18
    EsquireCatsEsquireCats Posts: 1,268member
    It seems more and more likely that Apple will remove external ports on the iPhone thus further limiting such exploits. I’d be curious if they eventually make their own initial on-loading also entirely wireless. 
    Scot1SpamSandwichiOSDevSWEolsPetrolDave
  • Reply 2 of 18
    XedXed Posts: 2,519member
    It seems more and more likely that Apple will remove external ports on the iPhone thus further limiting such exploits. I’d be curious if they eventually make their own initial on-loading also entirely wireless. 
    Is that feasible in the foreseeable future? Even the Apple Watch has an access port. That would seem to be more of an inconvenience for users than for law enforcement and other entities looking to subvert security.

    I'd like to think Apple could offer options like a T-series chip that could evaluate how data is accessed so that such devices become unusable.
    longpathminicoffeewatto_cobra
  • Reply 3 of 18
    JFC_PAJFC_PA Posts: 932member
    It seems more and more likely that Apple will remove external ports on the iPhone thus further limiting such exploits. I’d be curious if they eventually make their own initial on-loading also entirely wireless. 
    I’d hope if they did that they would retain a “charging only” port as the inefficiency of wireless charging otherwise means every external power pack has to double in size and weight to get the same level of charge. At home that’s not an issue (though speed could be) but traveling would be much more burdensome. 
    razorpitbeowulfschmidtmuthuk_vanalingamjony0minicoffeewatto_cobra
  • Reply 4 of 18
    JFC_PAJFC_PA Posts: 932member
    It seems more and more likely that Apple will remove external ports on the iPhone thus further limiting such exploits. I’d be curious if they eventually make their own initial on-loading also entirely wireless. 
    I’d hope if they did that they would retain a “charging only” port as the inefficiency of wireless charging otherwise means every external power pack has to double in size and weight to get the same level of charge. At home that’s not an issue (though speed could be) but traveling would be much more burdensome. 
  • Reply 5 of 18
    rob53rob53 Posts: 3,241member
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
    lordjohnwhorfinkamiltonmac_dogrcfaolsPetrolDavelongpathtobiancornchipmuthuk_vanalingam
  • Reply 6 of 18
    lkrupplkrupp Posts: 10,557member
    If law enforcement confiscates a suspect’s phone, then installs the tracking software, and hands it back to the suspect telling them use it, would that stand up in a court of law? Would evidence obtained that way be admissible? Sounds like a violation of rights to me. Also, this ‘social engineering’ might work on a low level, low intelligence, run-of-the-mill criminal, but come now, what would you think if the cops took your phone and then gave it back to you an hour later saying go ahead, use it, it’s okay.
    iOSDevSWEolsPetrolDaverazorpitcornchipjony0watto_cobra
  • Reply 7 of 18
    rob53 said:
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
    And gives them explosive diarrhea.
    mac_dogolscornchiphammeroftruthjony0watto_cobra
  • Reply 8 of 18
    MplsPMplsP Posts: 3,911member
    lkrupp said:
    If law enforcement confiscates a suspect’s phone, then installs the tracking software, and hands it back to the suspect telling them use it, would that stand up in a court of law? Would evidence obtained that way be admissible? Sounds like a violation of rights to me. Also, this ‘social engineering’ might work on a low level, low intelligence, run-of-the-mill criminal, but come now, what would you think if the cops took your phone and then gave it back to you an hour later saying go ahead, use it, it’s okay.
    I'm not a constitutional law expert, but I suspect it would depend on whether they had a warrant or not. 
    razorpitwatto_cobra
  • Reply 9 of 18
    kamiltonkamilton Posts: 282member
    Freedom = Privacy 


    watto_cobra
  • Reply 10 of 18
    yuck9yuck9 Posts: 112member
    rob53 said:
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
    You say it's unlawful to load spyware, but you want  to do it to GreyKey. Sorry can't have both ways.

    cornchipunbeliever2
  • Reply 11 of 18
    rob53rob53 Posts: 3,241member
    yuck9 said:
    rob53 said:
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
    You say it's unlawful to load spyware, but you want  to do it to GreyKey. Sorry can't have both ways.

    My point is our government assumes they are above the law and will do whatever they want to including using illegal processes. If they can do it then Apple can do it because it becomes the defacto law. I don’t like either side doing it but until the government is stopped, Apple needs to protect its users. 
    razorpitcornchipjony0watto_cobra
  • Reply 12 of 18
    tobiantobian Posts: 148member
    rob53 said:
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
     Seems like you love The Net, like I do : )
    cornchipwatto_cobra
  • Reply 13 of 18
    cornchipcornchip Posts: 1,945member
    rob53 said:
    I consider this spyware and malware, both are illegal to install on computer devices so why is it that our government isn't going after this company for admitting they're producing spyware? Oh, that's right, our government doesn't care about our constitutional freedom. Time for Apple to update their malware finding software along with other companies (Malwarebytes, etc.). It's also time for Apple to turn the tables on GrayShift and create a trojan horse that is sent back into the GrayKey system when it tries to load spyware on an iPhone. Once loaded it effectively destroys the GrayKey and everything GrayShift owns.
    And gives them explosive diarrhea.
    😂😂🤣
    watto_cobra
  • Reply 14 of 18
    Physical access to any device would result in potential exploit. If one were to hand over a device to law enforcement or especially border control and received it back, you should immediately reset the device via DFU mode and set an entirely new strong passcode.  I wouldn't even unlock it, I would shut it off and connect it to a computer in DFU mode then wipe it and re-download and install the signed operating system. Then restore backup from the computer.  Previous backups being made regularly to the computer and not iCloud as your iCloud backups are not encrypted and Apple could supply your iCloud backups to law enforcement.  

    For maximum security, don't use iCloud and especially not iCloud backups. Set a very strong passcode of 20+ characters.  If handing over to someone else disable FaceID/TouchID so only the passcode is allowed.  If they give the device back, you either destroy it or DFU wipe and restore the OS and restore a local encrypted backup.  

    If traveling across nation state borders either don't bring your primary device or bring a burner you can discard. They may demand you unlock the device so they can inspect / image it. Border security laws are drastically different than normal law enforcement. They may seize your device. The US, Australia and New Zealand have highly invasive demands.

    But the truly paranoid will simply go off grid.  Zero electronics whatsoever.  Your smartphone is constantly broadcasting unique identifiers over cellular, wi-fi, bluetooth, or NFC and you can certainly be tracked. When you see that COVID-19 map of those cell phone users on the Daytona FL spring break beach and each device was tracked back to their homes across the country.  That should open ones eyes that metadata is extremely valuable.  Many retail stores are tracking your movement through the store by using these broadcast identifiers and if you pay with a credit card or store card or use a membership card they tie all that data together and identify you.

    The encrypted data stores on an iPhone contain far more detail that never leaves the device.  But Android phones send all that data back to Google.  Notice how Google is not being hounded by the DOJ only Apple.  The most sensitive privacy data is kept on the device and as such Apple is providing the highest level of privacy at this time. 

    In many cases these Grayshift articles are not explaining the details such as the latest model iPhones not being vulnerable but because there are so many older models these devices are still viable for law enforcement.  When the DOJ mentioned that latest crack against the terrorists iPhones they mentioned that the technique used already doesn't work on the latest models.  That might have been a reference to the hardware flaw that Apple fixed after the iPhone X that was the beginning stage of a jailbreak.  The Grayshift device has found some way to side-load a hidden App that breaks the rules sandboxed apps normally follow.  It's possible the device is indeed jailbroken.  Some Apps such as BlackBerry Work among others will detect the jailbreak and cease functioning as well as destroying the encrypted corporate email storage. Most MDM managed devices would also report on a jailbreak and an MDM administrator would then remotely nuke the device for security purposes.  

    If a device leaves your possession you can no longer trust it.  This has always been the case.  
    fastasleepwatto_cobra
  • Reply 15 of 18
    beowulfschmidtbeowulfschmidt Posts: 2,120member
    lkrupp said:
    If law enforcement confiscates a suspect’s phone, then installs the tracking software, and hands it back to the suspect telling them use it, would that stand up in a court of law? Would evidence obtained that way be admissible? Sounds like a violation of rights to me. Also, this ‘social engineering’ might work on a low level, low intelligence, run-of-the-mill criminal, but come now, what would you think if the cops took your phone and then gave it back to you an hour later saying go ahead, use it, it’s okay.
    If a cop takes your phone and gives it back, assume it's been compromised and wipe it.  Better yet, get it replaced.
    watto_cobra
  • Reply 16 of 18
    rob53rob53 Posts: 3,241member
    Some more information about GrayKey, two years old but good info for those who haven't read about it, https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/ Supposedly, Apple was able to kill the process used two years ago and hopefully will be able to kill the process being used in this article.

    https://blogs.findlaw.com/blotter/2017/07/can-i-be-arrested-for-installing-keylogging-software.html

    "When it comes to the legality of the software, or the hardware, generally, keyloggers, like other hacking software and hardware, are legal to own or possess. However, installing it on a computer, even your personal computer, can expose you to legal trouble. If you let anyone else use your computer without disabling the keylogger, or letting them know it is active, you are likely violating federal law."

    disclaimer: I am not a lawyer and of course our police force can get away with anything until they are challenged.


    watto_cobra
  • Reply 17 of 18
    GG1GG1 Posts: 483member
    Physical access to any device would result in potential exploit. If one were to hand over a device to law enforcement or especially border control and received it back, you should immediately reset the device via DFU mode and set an entirely new strong passcode.  I wouldn't even unlock it, I would shut it off and connect it to a computer in DFU mode then wipe it and re-download and install the signed operating system. Then restore backup from the computer.  Previous backups being made regularly to the computer and not iCloud as your iCloud backups are not encrypted and Apple could supply your iCloud backups to law enforcement.  

    For maximum security, don't use iCloud and especially not iCloud backups. Set a very strong passcode of 20+ characters.  If handing over to someone else disable FaceID/TouchID so only the passcode is allowed.  If they give the device back, you either destroy it or DFU wipe and restore the OS and restore a local encrypted backup.  

    If traveling across nation state borders either don't bring your primary device or bring a burner you can discard. They may demand you unlock the device so they can inspect / image it. Border security laws are drastically different than normal law enforcement. They may seize your device. The US, Australia and New Zealand have highly invasive demands.

    But the truly paranoid will simply go off grid.  Zero electronics whatsoever.  Your smartphone is constantly broadcasting unique identifiers over cellular, wi-fi, bluetooth, or NFC and you can certainly be tracked. When you see that COVID-19 map of those cell phone users on the Daytona FL spring break beach and each device was tracked back to their homes across the country.  That should open ones eyes that metadata is extremely valuable.  Many retail stores are tracking your movement through the store by using these broadcast identifiers and if you pay with a credit card or store card or use a membership card they tie all that data together and identify you.

    The encrypted data stores on an iPhone contain far more detail that never leaves the device.  But Android phones send all that data back to Google.  Notice how Google is not being hounded by the DOJ only Apple.  The most sensitive privacy data is kept on the device and as such Apple is providing the highest level of privacy at this time. 

    In many cases these Grayshift articles are not explaining the details such as the latest model iPhones not being vulnerable but because there are so many older models these devices are still viable for law enforcement.  When the DOJ mentioned that latest crack against the terrorists iPhones they mentioned that the technique used already doesn't work on the latest models.  That might have been a reference to the hardware flaw that Apple fixed after the iPhone X that was the beginning stage of a jailbreak.  The Grayshift device has found some way to side-load a hidden App that breaks the rules sandboxed apps normally follow.  It's possible the device is indeed jailbroken.  Some Apps such as BlackBerry Work among others will detect the jailbreak and cease functioning as well as destroying the encrypted corporate email storage. Most MDM managed devices would also report on a jailbreak and an MDM administrator would then remotely nuke the device for security purposes.  

    If a device leaves your possession you can no longer trust it.  This has always been the case.  
    Interesting advice for the truly paranoid.

    Time to go back to a dumbphone**? (embedded OS, no GPS or BT, no ability to add apps). There are Linux (not Android) OS' for phones out there for the security-conscious, but I don't know how secure they really are. Effectively, if your phone connects to a cell tower, you can be tracked (even with no GPS or BT or WiFi or data-scraping apps).

    ** I remember when standby times of dumphones were measured in days or even a week.
    watto_cobra
  • Reply 18 of 18
    bitsandbytesbitsandbytes Posts: 6unconfirmed, member
    "That, of course, requires the device to be put back in the hands of a user or suspect"

    Takes phone, bends it in half or completely wipes it...
    edited May 2020 watto_cobra
Sign In or Register to comment.