“A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors,” Joseph Cox reports for Motherboard. “FBI Director Christopher Wray recently said that law enforcement agencies are ‘increasingly unable to access’ evidence stored on encrypted devices. Wray is not telling the whole truth.”
“Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials,” Cox reports. “Many of the documents were obtained by Motherboard using public records requests.”
“The news highlights the going dark debate, in which law enforcement officials say they cannot access evidence against criminals. But easy access to iPhone hacking tools also hamstrings the FBI’s argument for introducing backdoors into consumer devices so authorities can more readily access their contents,” Cox reports. “The GrayKey itself is a small, 4×4 inches box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen by Forbes says GrayKey can unlock devices running iterations of Apple’s latest mobile operating system iOS 11, including on the iPhone X, Apple’s most recent phone.”
Read more in the full article here.
MacDailyNews Take: As we wrote last month:
Needless to say, if they haven’t already, Apple should get their hands on these boxes and patch whatever security hole(s) the boxes are exploiting.
Obviously, the very existence of this MalwareBytes report proves the folly of “backdoors” that are only for the good guys.
“There have been people that suggest that we should have a back door. But the reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys.” — Apple CEO Tim Cook, December 2015
“This is not about this phone. This is about the future. And so I do see it as a precedent that should not be done in this country or in any country. This is about civil liberties and is about people’s abilities to protect themselves. If we take encryption away… the only people that would be affected are the good people, not the bad people. Apple doesn’t own encryption. Encryption is readily available in every country in the world, as a matter of fact, the U.S. government sponsors and funs encryption in many cases. And so, if we limit it in some way, the people that we’ll hurt are the good people, not the bad people; they will find it anyway.” — Apple CEO Tim Cook, February 2016
SEE ALSO:
Law enforcement uses ‘GrayKey’ box to unlock iPhones – March 16, 2018
The rumors that this program removes headlines are totally false but fun all the same.
Just out of interest, does anybody know why the GrayKey box has two lightning cables? I haven’t seen any mention of it being used on two devices at once, but there again, they haven’t said much about how it works – for fairly obvious reasons.
Maybe it replicates the data on the phone to an unlocked phone?
That is what I was thinking. So kind of cloning from one “locked” phone to another “unlocked” phone.
Here’s a quote from Thomas Reed @Malwarebytes, who wrote the original discovery article about GrayKey. I’d provide the URL except for the fact that WordPress refuses to let me post further links today. *grumble*
Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.
At this juncture, anyone who still thinks Pipeline Timmy “cares about privacy” just ain’t payin’ attention.
“Paying attention” is obviously not enough considering that assessment.
An entirely ridiculous statement. Hardware cracking goes on constantly, especially by government security services. The GrayKey revelation is very recent. Apple has some work to do preventing future models and/or OSes of iPhone/iOS devices from being crackable by anyone.
What other tech company has done more to guarantee customer safety?
Meanwhile, it’s clear that Apple’s attention to security remains inadequate.
Do you truly believe that a company that doesn’t give a rat’s ass about your First Amendment rights are going to concern themselves with your Fourth Amendment rights? Or your Second Amendment rights?
get real.
THIS is the real Tim Cook’s Apple:
Thanks for the chilling reminder, Botman. From the link:
“‘It has to be ingrained in the schools, it has to be ingrained in the public,’ said Mr Cook. “
Mind control from Cook is the most chilling thing he has ever said. Only one thing more chilling, LIBERAL mind control.
The school system in the U.S. is already hostage to the Democrat party and union controlled speech. Same as Hollywood with their preachy Democrat virtue signaling and constant denigration and comedian MOCKING of anything decent or conservative. Same as the mainstream media with their 24/7 Trump takedown cable channels. It’s enough to make you throw up.
Free speech today is only free when Democrats approve it. See political correctness. Free speech does not exist, particularly on college campuses, when conservative speakers like Coulter and Milo are SHUT DOWN. Free speech party my ass!
Bottom line Libtards: you do not CONTROL my freedom of speech and never will … 🖕
Mr Tyrant, you are a dumb ass like your fool mother and father. Most law enforcement are gangsters in costumes. On your ship, there are no life preservers …
Banned Citizen X insulting potty mouth does it again. You insulted my mother and father you have never met? You are lower than worthless SCUM …
The use of these devices and Stingrays without an expressed and limited Court Order should be banned outright.
Agreed. But then again, when a free wheeling independent counsel can raid the president’s attorney private residence violating client privilege and three constitutional amendments, according to Alan Dershowitz, this is not in the same league …
DavGreg,
It is banned (see Fourth Amendment). These searches are being conducted pursuant to judicial warrants (an expressed and limited Court Order) authorizing the search of the contents of a device that is already lawfully in the physical custody of a law enforcement agency. The searches may be unseemly and distressing, but they aren’t unconstitutional or even illegal.
GeoB,
Who you gonna believe? Either:
1. The dozens of professional federal prosecutors working in three independent offices (Special Counsel, Southern District of NY, and Main Justice) who put together the warrant application, and the federal judge who found probable cause to believe that a federal crime had been committed and that the enumerated search items would likely provide proof–admissible proof (i.e., proof that would not be barred by privilege)–of that crime; or
2. A retired law school professor who was having dinner with Mr. Trump this week as a reward for pushing the theory that the American President can lawfully do absolutely anything without any legal consequences.
“A retired law school professor who was having dinner with Mr. Trump this week as a reward for pushing the theory that the American President can lawfully do absolutely anything without any legal consequences.
Allow me to list the implied negative pejoratives:
1: “A retired law school professor.” Ah, would that be a highly respected Harvard law professor with a stellar career and credentials. So are you saying because he is old he is now irrelevant?
2: He has dinner with President Trump? How horrible! How despicable! How dare him!
What the fsck is your point?
Let me guess. As a liberal and demonizer of everything Trump and Republicans do positively, you can’t stand it that a lifelong left wing lawyer has crossed the line to advise a hard working president for everyone’s benefit and the GREATER GOOD.
You are the epitome of everything that is wrong in politics today. You should be ashamed of yourself …
My point was that Professor Dershowitz has, throughout his career, tainted his genuinely great reputation as a scholar with an even greater reputation as a publicity hound. Read his book on the O.J. Simpson trial, in which he tries to take credit for the strategy that got Simpson acquitted.
The main theme of that book is, as one reviewer put it, “The whole question of whether Mr. Simpson committed the murders is primarily of interest to the laity and was assuredly not a concern of his as a member of the defense team.” In other words, the Professor is an advocate who will argue whatever version of the facts and law he finds useful to achieve his client’s goal. That’s admirable in a defense lawyer, but disqualifying for a neutral legal expert.
At the moment, Professor Dershowitz has chosen to use his considerable gifts to represent Donald Trump in the court of public opinion (and possibly, some day, in the courts of law). As a retired Harvard Law professor, he has time on his hands. He has chosen to use it as a TV advocate for a seriously flawed legal position (that a sitting President is above the law) that literally not another single lawyer actually believes. He has been rewarded for his service by getting to hobnob with the President of the United States.
I must therefore take his opinion on the Cohn search with a grain of salt, particularly when the warrant application in question was so carefully vetted by so many people (most of them Trump appointees or employees of Trump appointees) before it was presented to a neutral and impartial judge who found probable cause to authorize the search.
All I was saying is that when I’m looking for a reliable legal opinion I trust a well-briefed sitting judge more than a defense lawyer.
All you are saying is demonize the respected professor for helping the wrong team you despise.
Nuff said …
BRAVO DavGreg!
The Fourth Amendment To The US Constitution
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
I’m not so sure I believe that these things can unlock iPhones. If they can, they won’t for long because I think that Apple obviously wouldn’t stand for it. It’d be bad mass media headlines for one thing.
You speak as if you’re convinced Apple doesn’t have backdoors to all its devices and services. Of course they do. Read the user agreement. All Tim says is that Apple doesn’t sell your data for profit. He’s never said Apple doesn’t datamine the hell out of everything you put on icloud. Given Apple’s recent software sloppiness, I would venture a guess that the reason Cook scored a cheap price renting the competition servers for iCloud is because Amazon knew that they could collect some data.
http://money.cnn.com/2016/02/22/technology/apple-privacy-icloud/index.html
Thanks to shoddy attention to software detail and quality, of course Apple wouldn’t be able to keep the backdoors to themselves. This cute little box shows Secure Enclave has been hacked. icloud almost certainly has been breached too. You don’t hold the encryption keys so a distributed hacker network or bad actor within Apple can eventually bypass whatever procedures the sloppy Cook Apple may have.
For those of you who actually believe that your icloud is private and secure, tell us where you store the security and encryption keys such that nobody including Apple cannot access them? you ought to know the answer : on an Apple/Amazon/Google/Microsoft server.
Apple doesn’t guarantee shit about your data security or privacy. If they did, the user agreement would guarantee it.
Well said. Unfortunately…
Well said, perhaps, but based on absolutely no evidence aside from general suspicion. Data stored on iCloud is subject to search with a valid court order. That’s no secret; it always has been. That has nothing to do with whether the data on a device that has not been backed up to iCloud is accessible by anyone.
Tim Cook HAS actually said that Apple does not data mine user-identifiable customer information. Apart from a preference for conspiracy thinking, what is the evidence that he is lying?
These GrayKey devices have nothing to do with that, since
“These GrayKey devices have nothing to do with that, since”
Since?
Yes, these devices “have nothing to do with” your off topic tangents. Please try to keep up …
Wouldn’t be surprised if we find out one day that this backdoor was intentionally put in by Apple.
Under a legal court order and National Security Letter whose disclosure is legally prohibited which would mean that Apple would be prohibited from disclosing it one way or another.
Perhaps these are the same people who staged the fake school shooting in Newtown.
Occam’s Razor, folks: Do not prefer a more complex explanation when a simpler one accounts for all the facts.
Corollary: Do not attribute to malice what can adequately be explained by stupidity.
Perhaps these are the same posters who claim to be conservative while posting liberal …
Apple, Patch it pronto. Once patched, alot of orgs. will be pissed that they spent $15-30K for a useless piece of hardware. That brings smiles to my face.
They still need physical access to the phone. This is a different level of security and privacy than a company providing access to your data remotely.
For those who think security is absolute are being naive. There are alway people trying to steal information to make money. The goal is to make your own personal practices difficult enough so that you are not easy prey. This is more challenging when services like FitnessPal are compromised and passwords are stolen along with email addresses. If you use the same password for multiple accounts then you are at risk for having those other accounts compromised.