Law enforcement uses ‘GrayKey’ box to unlock iPhones

“In 2017, a company by the name of ‘Grayshift’ created a device called ‘GrayKey’ that successfully unlocked iPhones without knowing the passcode,” Peter Cao reports for 9to5Mac. “Based in Atlanta, Georgia, the company employs less than 50 employees, and up until this point it was unknown whether ‘GrayKey’ was a service or product. However, MalwareBytes has been able to get their hands on some photos of the device, and notes that the ‘website is protected by a portal that screens for law enforcement affiliation.'”

“The site says GrayKey is a device used in-house at local law enforcement labs and offices, vastly different than Cellebrite, the company behind the unlocking of the iPhone 5c in the San Bernardino case,” Cao reports. “It can take anywhere between 2 hours and 3 days depending on the length and complexity of the passcode.”

“It comes in two options: $15,000 and $30,000, with the former will requiring an internet connection and will geofence to that location, meaning it will not work outside of the original network,” Cao reports. “The $30,000 option will not require an internet connection and will allow unlimited attempts on unlimited devices, presumably until the security hole is patched.”

Read more, and see the photos (hint: it’s a gray box), in the full article here.

MacDailyNews Take: Needless to say, if they haven’t already, Apple should get their hands on these boxes and patch whatever security hole(s) the boxes are exploiting.

Obviously, the very existence of this MalwareBytes report proves the folly of “backdoors” that are only for the good guys.

There have been people that suggest that we should have a back door. But the reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys. — Apple CEO Tim Cook, December 2015

This is not about this phone. This is about the future. And so I do see it as a precedent that should not be done in this country or in any country. This is about civil liberties and is about people’s abilities to protect themselves. If we take encryption away… the only people that would be affected are the good people, not the bad people. Apple doesn’t own encryption. Encryption is readily available in every country in the world, as a matter of fact, the U.S. government sponsors and funs encryption in many cases. And so, if we limit it in some way, the people that we’ll hurt are the good people, not the bad people; they will find it anyway. — Apple CEO Tim Cook, February 2016

As we wrote back in March 2016: “Encryption is either on or off. This is a binary issue. There is no in-between. You either have encryption or you do not.”

Tim Cook’s refusal to create iPhone backdoor for FBI vindicated by ‘WannaCry’ ransomware attack on Windows PCs – May 15, 2017
The Microsoft Tax: Rapidly replicating Windows PC worm spreads as experts try to limit damage; Macintosh unaffected – May 15, 2017
The Microsoft Tax: Leaked NSA malware hijacks Windows PCs worldwide; Macintosh unaffected – May 13, 2017
Bungling Microsoft singlehandedly proves that ‘backdoors’ are a stupid idea – August 10, 2016
U.S. Congressman Ted Lieu says strong encryption without backdoors is a ‘national security priority’ – April 29, 2016
iPhone backdoors would pose a threat, French privacy chief warns – April 8, 2016
The U.S. government’s fight with Apple could backfire big time – March 14, 2016
Obama pushes for iPhone back door; Congressman Issa blasts Obama’s ‘fundamental lack of understanding’ – March 12, 2016
U.S. Attorney General Loretta Lynch backs U.S. government overreach on The Late Show with Stephen Colbert – March 11, 2016
Former CIA Director: FBI wants to dictate iPhone’s operating system – March 11, 2016
FBI warns it could demand Apple’s iPhone code and secret electronic signature – March 10, 2016
California Democrat Diane Feinstein backs U.S. government overreach over Apple – March 10, 2016
Snowden: U.S. government’s claim it can’t unlock San Bernardino iPhone is ‘bullshit’ – March 10, 2016
Apple could easily lock rights-trampling governments out of future iPhones – February 20, 2016
Apple CEO Tim Cook lashes out at Obama administration over encryption, bemoans White House lack of leadership – January 13, 2016
Obama administration demands master encryption keys from firms in order to conduct electronic surveillance against Internet users – July 24, 2013


      1. You don’t think spies—Russian or otherwise—use encrypted devices? We are talking about intelligence services that recently launched an attack with a weapon of mass destruction on one of our closest NATO allies. An attack on one is an attack on all, remember.

      2. I disagree, botty. We need to be working harder to investigate the Russian attacks. The Republicans in Congress, especially Nunes in the House, apparently have no interest in the truth. In fact, they support the Trump Administration in routinely peddling lies and intentionally misrepresenting the evidence and reports.

        The Trump Administration (illegally) refused to implement the new sanctions passed almost unanimously be Congress last year. Apparently, the “threat” of those sanctions was deemed sufficient, even though that was not Trump’s call to make. But I guess that the threat was insufficient, wasn’t it?? No Trump is finally beginning to do what he should have done – was legally obligated to do – months ago. Putin-loving Trump is jeopardizing this country, and the Republicans of old would not have tolerated such behavior. Unfortunately, the “new” radical right Republican Party has ditched the parts of its platform that actually made sense and have become an “ends justified the means” group who will say or do anything for power and money. Sickening. Traitorous.

        The Trump Administration is filled with corruption, incompetence, and lies. Trump claimed that he would “drain the swamp.” What he failed to disclose is that he would replace it with a seething cesspool of his own making. Never trust a New York developer billionaire with delusions of grandeur.

          1. In fairness, every President inherits a mess somewhere; Trump simply inherited more than most. Obama was supposed to have cleaned up Bush’s mess; now Trump will have to clean up after TWO other presidents.

    1. Don’t forget that it’s about a year since Jonathan Zdziarski joined Apple. He is one of the world’s leading experts on IOS security and forensics. As soon as his expertise about hardening IOS reaches consumers, iPhones will become even more secure.

      1. I’ll take that kind of reminder any time alanaudio, thanks. I’m glad Apple sees the need for people to maintain their personal security. Yes it will be nasty when some take advantage of it but the benefits far outweigh the disadvantages.

      2. If he has final say I’m sure iOS will become much more secure. Otherwise he may have to fight management to change features he finds unsecure but are essential to how easy products are to use, eat into the profit margins, and/or possibly reduce cloud services.

  1. This is a good thing for the rest of us. Our privacy is much better protected by having a secure phone with no back door with the authorities needing to use a third party device like this to get into the iPhones of criminals.

    Devices like this are expensive, only available to law enforcement officials, take hours or days to do their job and require physical possession of the iPhone. Therefore they will be used for important cases, but are not practical to use for trivial investigations.

    Without these third party devices, certain politicians would try to press for a law requiring manufacturers to introduce a back door. There is the danger that a back door would be used by the bad guys and possibly remotely too.

    Something you never seem to read about is devices like this for Android phones, or reports of thousands of Android phones in storage waiting to be cracked. One explanations could be that the authorities already have a handy back door into Android.

    1. It’s also possible that criminals believe the hype about Android being totally unsecure and tend to use Apple products as a result. Background checks to allow use of ‘secure’ phones in the future?

  2. Obviously, the very existence of this MalwareBytes report proves the folly of “backdoors” that are only for the good guys.

    “Good guys” in quotes! Thank you MDN! Government must enable the positive endeavors of its citizens. Becoming bogged down with real, imaginary or propaganda invented ‘bad guys’ is a form of governmental disease. The Fourth Amendment to the US Constitution wins. It’s what is good for the citizenry. Poking back doors into everything and eviscerating citizen privacy with BIG BROTHERism is the blatant demolition of the rights of We The People. My government must deal it.

    IOW: Hey! #MyStupidGovernment! Stop being stupid and do your actual jobs! It’s NOT oppression.

    1. WordPress is apparently ticked off with my posting too many URLs today. Therefore, I am not being allowed to paste the URL for the second article from Thomas Reed over at Malwarebytes. Thomas is the Director of Mac and Mobile Security. You can access the URL to Thomas’ article over at the 9-to-5 article MDN links above. Here’s a quote from that article:

      Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

      1. Interesting. So the GrayKey device somehow inserts software (or uses something already in iOs/iPhone) activates it, and then the iPhone works on cracking itself over a few hours to days? If true, only about 2 minutes of physical access for every 2 iPhones is all that is needed to start the ‘cracking’ process and law enforcement can work on the next 2 iPhones in their backlog.

  3. I just dont get why people side with criminals. Who of you would break the law to the point your iphone would need to be opened? That would be a killing/ muder homicide l, child porn or trafficing people / drugs or terrorism case. Why would you want those people protected? Ill open my phone to anyone. I have nothing to hide. Maybe its your prom your embarased about.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.