Categories: MobilitySecurity

GrayKey Device ‘Can Unlock Latest iPhones’

A device produced by a small, secretive US company called Grayshift may be capable of unlocking the latest iPhones and the most recent versions of Apple’s iOS software, according researchers.

Apple has gone to great lengths to make iPhones secure, building a hardware-based repository into more recent models that protects biometric login information.

Security researchers believe the few firms capable of unlocking the devices make use of unknown software vulnerabilities to do so. The bugs allow them to bypass the iPhone’s built-in restrictions to enter large numbers of password guesses, researchers have speculated.

Unlike Cellebrite, to which the FBI famously paid more than $1 million (£710,000) to unlock an iPhone belonging to the dead suspect in the San Bernardino shootings, Grayshift allows law enforcement organisations to control the phone unlocking process, security firm Malwarebytes said in a
new technical report

Standalone device

While Cellebrite generally requires devices to be sent to its labs to be unlocked, Grayshift’s GrayKey is a standalone unit that users operate themselves. A less expensive model, costing $15,000, is locked to the user’s network, while a $30,000 version has no such restrictions.

The more expensive version raises security concerns, as it could potentially fall into the wrong hands, Malwarebytes said.

Grayshift’s service is also considerably less expensive than that of Cellebrite, which charges $5,000 per device unlock, Malwarebytes said.

Little is publicly known about Atlanta, Georgia-based Grayshift, which Malwarebytes said has fewer than 50 staff, because it markets and sells its products directly to law-enforcement agencies.

The company’s website mentions GrayKey, but the only other statement the page displays is a marketing phrase: “The state of the art has a new requirement.” To learn more it’s necessary to log in, or to request access by filling out a form.

How it works

Malwarebytes said Grayshift was founded in 2016 and that it became aware of the firm’s existence late last year. Forbes earlier reported on Grayshift’s unlocking tools.

Citing information provided by an anonymous source, Malwarebytes said GrayKey is a grey box measuring four inches square by two inches deep, with two lightning cables emerging from the front. Two iPhones can be connected at a time.

The devices are connected for about two minutes, after which they’re detached. Some time later, the phone displays a black screen with the device’s passcode and other information. The time that passes ranges from two hours for four-digit passcodes to three days or longer for six-digit codes, according to Malwarebytes’ source.

After the device is unlocked, the full contents of its filesystem are downloaded to the GrayKey device, after which they can be accessed through a web-based interface or downloaded for analysis.

“It’s obvious there is some kind of jailbreak involved,” wrote Malwarebytes researcher Thomas Reed in the report, referring to an exploit that allows greater-than-normal access to a phone’s software.

Malwarebytes published a screen shot showing GrayKey unlocking an iPhone X running iOS 11.2.5, which it said was probably the most up-to-date hardware and software at the time the image was captured.

Security risk?

The firm argued Grayshift’s business model presents security risks, since the pricier GrayKey model has few restrictions on its use.

The $15,000 model can only unlock 300 devices per year, and requires an internet connection that enforces the limit. That device is also locked to the network on which it’s initially set up, and won’t work elsewhere.

But the top-of-the-range version of GrayKey requires only a token-based two-factor login credential to operate and has no limit on the number of phones it can unlock. Malwarebytes said it seemed likely such devices, along with their login credentials, would eventually find their way into the wrong hands.

“It’s probably too much to hope that the token will be kept in a separate location when the GrayKey is not being used,” wrote Reed. “Most likely, it will be stored nearby for easy access.”

He also speculated that such devices could be used by malign governments.

“It’s highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from Grayshift or indirectly through the black market,” he wrote.

GrayKey is another sign that in spite of Apple’s efforts, third parties may be able to access data held on locked iPhones.

“The existence of the GrayKey isn’t hugely surprising, nor is it a sign that the sky is falling,” wrote Reed. “However, it does mean that an iPhone’s security cannot be ensured if it falls into a third party’s hands.”

Local police departments in states including Indiana and New York have bought Grayshift’s technology, according to reports.

What do you know about mobiles past and present? Try our quiz and find out!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Marriott Hotels Admits Third Breach – Report

Not again. Marriot Hotels has admitted it has suffered a third data breach, with customer…

3 mins ago

Facebook Demands Old FTC Documents In Antitrust Battle

Fresh development in Meta's battle against US regulator, seeking to force Facebook to divest itself…

5 hours ago

Fate Of Newport Wafer Fab Uncertain, As Government Delays Sale Decision

Government delays decision over whether the UK's largest maker of chips can be purchased by…

5 hours ago

Amazon Faces UK Investigation For Suspected Anti-competitive Practices

Another probe. Busy week for the UK's CMA after it confirms investigation of Amazon over…

23 hours ago

UK Regulator Begin Probe Of Microsoft’s Activision Buyout

The CMA confirms start of investigation into Microsoft's $69 billion purchase of leading gaming holding…

24 hours ago