Researchers argue the stand-alone device, aimed at US law enforcement, could present a security risk if it ends up in the wrong hands
A device produced by a small, secretive US company called Grayshift may be capable of unlocking the latest iPhones and the most recent versions of Apple’s iOS software, according researchers.
Apple has gone to great lengths to make iPhones secure, building a hardware-based repository into more recent models that protects biometric login information.
Security researchers believe the few firms capable of unlocking the devices make use of unknown software vulnerabilities to do so. The bugs allow them to bypass the iPhone’s built-in restrictions to enter large numbers of password guesses, researchers have speculated.
Unlike Cellebrite, to which the FBI famously paid more than $1 million (£710,000) to unlock an iPhone belonging to the dead suspect in the San Bernardino shootings, Grayshift allows law enforcement organisations to control the phone unlocking process, security firm Malwarebytes said in a
new technical report.
While Cellebrite generally requires devices to be sent to its labs to be unlocked, Grayshift’s GrayKey is a standalone unit that users operate themselves. A less expensive model, costing $15,000, is locked to the user’s network, while a $30,000 version has no such restrictions.
The more expensive version raises security concerns, as it could potentially fall into the wrong hands, Malwarebytes said.
Grayshift’s service is also considerably less expensive than that of Cellebrite, which charges $5,000 per device unlock, Malwarebytes said.
Little is publicly known about Atlanta, Georgia-based Grayshift, which Malwarebytes said has fewer than 50 staff, because it markets and sells its products directly to law-enforcement agencies.
The company’s website mentions GrayKey, but the only other statement the page displays is a marketing phrase: “The state of the art has a new requirement.” To learn more it’s necessary to log in, or to request access by filling out a form.
How it works
Malwarebytes said Grayshift was founded in 2016 and that it became aware of the firm’s existence late last year. Forbes earlier reported on Grayshift’s unlocking tools.
Citing information provided by an anonymous source, Malwarebytes said GrayKey is a grey box measuring four inches square by two inches deep, with two lightning cables emerging from the front. Two iPhones can be connected at a time.
The devices are connected for about two minutes, after which they’re detached. Some time later, the phone displays a black screen with the device’s passcode and other information. The time that passes ranges from two hours for four-digit passcodes to three days or longer for six-digit codes, according to Malwarebytes’ source.
After the device is unlocked, the full contents of its filesystem are downloaded to the GrayKey device, after which they can be accessed through a web-based interface or downloaded for analysis.
“It’s obvious there is some kind of jailbreak involved,” wrote Malwarebytes researcher Thomas Reed in the report, referring to an exploit that allows greater-than-normal access to a phone’s software.
Malwarebytes published a screen shot showing GrayKey unlocking an iPhone X running iOS 11.2.5, which it said was probably the most up-to-date hardware and software at the time the image was captured.
The firm argued Grayshift’s business model presents security risks, since the pricier GrayKey model has few restrictions on its use.
The $15,000 model can only unlock 300 devices per year, and requires an internet connection that enforces the limit. That device is also locked to the network on which it’s initially set up, and won’t work elsewhere.
But the top-of-the-range version of GrayKey requires only a token-based two-factor login credential to operate and has no limit on the number of phones it can unlock. Malwarebytes said it seemed likely such devices, along with their login credentials, would eventually find their way into the wrong hands.
“It’s probably too much to hope that the token will be kept in a separate location when the GrayKey is not being used,” wrote Reed. “Most likely, it will be stored nearby for easy access.”
He also speculated that such devices could be used by malign governments.
“It’s highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from Grayshift or indirectly through the black market,” he wrote.
GrayKey is another sign that in spite of Apple’s efforts, third parties may be able to access data held on locked iPhones.
“The existence of the GrayKey isn’t hugely surprising, nor is it a sign that the sky is falling,” wrote Reed. “However, it does mean that an iPhone’s security cannot be ensured if it falls into a third party’s hands.”
Local police departments in states including Indiana and New York have bought Grayshift’s technology, according to reports.
What do you know about mobiles past and present? Try our quiz and find out!