iPhone hacking tool GrayKey techniques outlined in leaked instructions

Leaked instructions for GrayShift's GrayKey iPhone unlocking device have surfaced, giving an idea of what the device intended for law enforcement officials can do, and how it works.




GrayShift's GrayKey is an infamous device used to unlock and pull data from iPhones and iPads owned by suspects, as part of an investigation by law enforcement officials. While the device is known to exist, and has even been photographed as part of FCC filings, a release of details from written instructions for the device provides a better idea of the device's capabilities.

The device works by brute-forcing the passcode that protects the iPhone. It is not guaranteed to succeed, but it has repeatedly been reported to gain entry into locked iPhones this way.

The instructions, reportedly written by the San Diego Police Department and obtained by Motherboard, first ask users to "determine if proper search authority has been established for the requested Apple mobile device." They then explain the states in which GrayKey can be used: Before First Unlock (BFU), After First Unlock (AFU, meaning the phone has been unlocked at least once since it was powered on), and devices with a damaged screen or a low battery.

Leaked instructions for GrayKey [via Motherboard]


The instructions reveal that the device can install an agent on an iPhone with as little as 2 to 3% battery remaining. The agent carries out the brute-force attack, but the phone must be kept on continuous power until the passcode is found.

Users can elect to have data collected in various ways, such as extracting metadata for inaccessible files, and "immediate extraction" once unlocked.

For brute-forcing an alphanumeric passcode, analysts have to perform extra steps, such as loading a wordlist whose entries are tried as candidate passwords. A default wordlist titled "crackstation-human-only.txt" is provided, which the instructions describe as around 1.5 billion words and passwords, though other wordlists can also be used.

Once the agent has been installed, the iPhone is placed into Airplane mode and can be disconnected from the GrayKey while the attack runs.

There is also mention of HideUI, an agent that can be used to secretly record a user's passcode, if law enforcement hands it back to the suspect.

Tools like GrayKey have become an important element of police investigations around the world, as law enforcement attempt to get around the core security of operating systems to see a suspect's data. It was allegedly used by the FBI in late 2019 to gain access to a locked iPhone 11 Pro Max as part of a high-profile investigation.
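The following Python is an added example, not GrayShift's code and not part of the leaked instructions. It models the two search modes the instructions describe, a wordlist pass for alphanumeric passcodes followed by exhaustive numeric search, and estimates how long each would take with and without the escalating retry delays iOS enforces. The salted-hash verifier, the five-entry wordlist (a constructed stand-in for crackstation-human-only.txt), the guess rates and the delay schedule are all assumptions.

```python
"""Toy model of the passcode search the GrayKey instructions describe.
Added example, not GrayShift's code: a salted hash stands in for the
device's real key-derivation check, and every rate and delay below is a
labelled assumption."""
import hashlib
import itertools
import string

SALT = b"constructed-example-salt"  # assumption: stand-in for the device-bound key


def verifier(passcode: str) -> bytes:
    """Stand-in for the Secure Enclave's passcode check (assumption)."""
    return hashlib.sha256(SALT + passcode.encode()).digest()


# Constructed stand-in for the crackstation-human-only.txt wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou"]


def wordlist_attack(target: bytes, words):
    """Try each wordlist entry in order; return (match, attempts)."""
    attempts = 0
    for word in words:
        attempts += 1
        if verifier(word) == target:
            return word, attempts
    return None, attempts


def numeric_attack(target: bytes, length: int):
    """Exhaustive search of every numeric passcode of `length` digits,
    leading zeros included, in ascending order."""
    attempts = 0
    for digits in itertools.product(string.digits, repeat=length):
        attempts += 1
        candidate = "".join(digits)
        if verifier(candidate) == target:
            return candidate, attempts
    return None, attempts


# Assumed delay schedule enforced before each wrong guess, modelled on the
# Apple Platform Security guide: attempts 1-4 none, 5th 1 min, 6th 5 min,
# 7th and 8th 15 min, 9th onward 1 hour (the optional wipe after 10
# failures is not modelled).
FIXED_DELAYS = [0, 0, 0, 0, 60, 300, 900, 900]
LATER_DELAY = 3600


def rate_limited_seconds(attempts: int) -> float:
    """Total enforced delay for `attempts` consecutive guesses."""
    if attempts <= len(FIXED_DELAYS):
        return float(sum(FIXED_DELAYS[:attempts]))
    return float(sum(FIXED_DELAYS) + (attempts - len(FIXED_DELAYS)) * LATER_DELAY)


def worst_case_seconds(keyspace: int, guesses_per_sec: float, rate_limited: bool) -> float:
    """Time to exhaust `keyspace` guesses at an assumed raw guess rate,
    plus the escalating delays when the retry logic is not bypassed."""
    seconds = keyspace / guesses_per_sec
    if rate_limited:
        seconds += rate_limited_seconds(keyspace)
    return seconds


if __name__ == "__main__":
    # Wordlist pass succeeds on a common password.
    print(wordlist_attack(verifier("letmein"), WORDLIST))
    # Exhaustive numeric search finds a 6-digit PIN.
    print(numeric_attack(verifier("045982"), 6))
    # Why the retry logic matters: assumed 1,000 raw guesses/s against 6 digits.
    for limited in (False, True):
        secs = worst_case_seconds(10 ** 6, 1_000, limited)
        print(f"rate_limited={limited}: {secs / 86400:,.1f} days")
    # A random 10-character alphanumeric passcode with no delays at all.
    years = worst_case_seconds(62 ** 10, 1_000_000, False) / 31_557_600
    print(f"62^10 keyspace at 1M guesses/s: {years:,.0f} years")
```

Run as a script, the model shows the two things the article and its readers are arguing about: a six-digit numeric passcode falls in minutes if the attacker can guess at hardware speed with no delays, but takes over a century if the escalating delays hold, and a random ten-character alphanumeric passcode is out of reach even with no delays, which is why the instructions fall back on a wordlist for that case.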



Comments

  • Reply 1 of 8
    Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  
    edited June 22
  • Reply 2 of 8
    But we're safe because only law enforcement will have access to this device :eyeroll:
    watto_cobra
  • Reply 3 of 8
    davidw (Posts: 1,328, member)
    Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  
    You need to get your hearing checked. You're going deaf. 

    First of all, this device probably costs in the tens of thousands of dollars and is not that easily available. Second, in order for hackers to use this device to access the data in an iPhone, they need to physically have possession of the iPhone. And third, it works by trying to guess the passcode using "brute force". An iPhone with a random 10-character alphanumeric passcode will probably take over 1M years for this device to guess.  

    https://www.password-depot.de/en/know-how/brute-force-attacks.htm

    On the other hand, if a hacker can convince an iPhone owner to unknowingly download malware, by clicking on a link, the hacker can have access to the iPhone data without even being in the same country where the iPhone is or having to know the passcode.    

    A hacker can easily send out millions of phishing e-mails, knowing that more than a few will click on the link that will download the malware. This device can only try to access the data on an iPhone that is plugged into it, one iPhone at a time. Do the math.

    As long as iPhone owners still have possession of their iPhone and they use a strong passcode, this device is not a security threat at all.  
  • Reply 4 of 8
    dewme (Posts: 3,810, member)
    Does this hacking tool assume device owners turn the max attempts feature off?

    I’ve always assumed that brute force hacking tools would run into the 10-try limit as well as the imposed delay between attempts, unless of course they found a way to bypass the logic that tracks the retry count.

    Without a limit on the number of attempts and an escalating wait period between attempts, pretty much any passcode is hackable given enough time.

    Mmmm??? 
    edited June 23
  • Reply 5 of 8
    gatorguy (Posts: 23,165, member)
    davidw said:
    Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  
    You need to get your hearing checked. You're going deaf. 

    First of all, this device probably costs in the tens of thousands of dollars and is not that easily available. Second, in order for hackers to use this device to access the data in an iPhone, they need to physically have possession of the iPhone. And third, it works by trying to guess the passcode using "brute force". An iPhone with a random 10-character alphanumeric passcode will probably take over 1M years for this device to guess.  

    https://www.password-depot.de/en/know-how/brute-force-attacks.htm

    On the other hand, if a hacker can convince an iPhone owner to unknowingly download malware, by clicking on a link, the hacker can have access to the iPhone data without even being in the same country where the iPhone is or having to know the passcode.    

    A hacker can easily send out millions of phishing e-mails, knowing that more than a few will click on the link that will download the malware. This device can only try to access the data on an iPhone that is plugged into it, one iPhone at a time. Do the math.

    As long as iPhone owners still have possession of their iPhone and they use a strong passcode, this device is not a security threat at all.  
    FWIW I get far more fishing expeditions targeting my iPhone and AppleID than I do for my Pixels. Heck, I get phone calls on my Android phone purportedly from Apple security teams telling me my Apple account has been hacked and they're here to help. LOL

     Another fun fact: In over 11 years of using Android devices for hours a day I've encountered exactly the same number of malware events as I have on my Apple gear. ZERO.
    edited June 23
  • Reply 6 of 8
    emig647 (Posts: 2,435, member)
    dewme said:
    Does this hacking tool assume device owners turn the max attempts feature off?

    Without a limit on the number of attempts and an escalating wait period between attempts, pretty much any passcode is hackable given enough time.

    Mmmm??? 
    I’m assuming that the agent installed with 2-3% battery left is what deals with that. If not, then yeah, it is going to be tough. 
  • Reply 7 of 8
    tobian (Posts: 116, member)
    Once we did something similar for a customer who forgot his passcode, using an Arduino. We unlocked the iPhone in around 4 hours, but it was a 4-digit passcode that time.
  • Reply 8 of 8
    davidw (Posts: 1,328, member)
    gatorguy said:
    davidw said:
    Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  
    You need to get your hearing checked. You're going deaf. 

    First of all, this device probably costs in the tens of thousands of dollars and is not that easily available. Second, in order for hackers to use this device to access the data in an iPhone, they need to physically have possession of the iPhone. And third, it works by trying to guess the passcode using "brute force". An iPhone with a random 10-character alphanumeric passcode will probably take over 1M years for this device to guess.  

    https://www.password-depot.de/en/know-how/brute-force-attacks.htm

    On the other hand, if a hacker can convince an iPhone owner to unknowingly download malware, by clicking on a link, the hacker can have access to the iPhone data without even being in the same country where the iPhone is or having to know the passcode.    

    A hacker can easily send out millions of phishing e-mails, knowing that more than a few will click on the link that will download the malware. This device can only try to access the data on an iPhone that is plugged into it, one iPhone at a time. Do the math.

    As long as iPhone owners still have possession of their iPhone and they use a strong passcode, this device is not a security threat at all.  
    FWIW I get far more fishing expeditions targeting my iPhone and AppleID than I do for my Pixels. Heck, I get phone calls on my Android phone purportedly from Apple security teams telling me my Apple account has been hacked and they're here to help. LOL

     Another fun fact: In over 11 years of using Android devices for hours a day I've encountered exactly the same number of malware events as I have on my Apple gear. ZERO.
    Here's a fun fact. That stays on the subject. 

    https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/

    >The researchers found that Android has a similar setup to iOS with one crucial difference. Android has a version of “Complete Protection” that applies before the first unlock. After that, the phone data is essentially in the AFU state. But where Apple provides the option for developers to keep some data under the more stringent Complete Protection locks all the time—something a banking app, say, might take them up on—Android doesn't have that mechanism after first unlock. Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.<

    The thing about the "Pixel" is that Google keeps it up to date nearly all the time. I think even older "Pixels" keep getting updated, as far as the hardware permits. Just like an iPhone. The same can't be said about the other 99% of Android devices. The majority of Android devices do not have the latest updates, nor are they using the latest, most secure version of Android. Over 50% of Android users are on a version of Android that is two years old or older. Number-wise, that's a lot of Android users.     



    We all know how sensitive you are about anything that seems to put Google in a bad light, but here Google is not so much to blame as are the Android phone makers that do not provide their users with updates to Android in a timely manner, if at all, even though Google provided the makers with the updates. What works for Apple and iPhones works for Google and "Pixel", but "Pixels" are the exception. You can't just take the best 1% of Android, credit Google, and then claim that Android is just as safe as iOS while ignoring the other 99% of Android. For most consumers, Google is Android, all of it. Not just the good part.       


