
Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds

Thomas Fox-Brewster, reporting for Forbes: Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer. In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses. Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.

  • Please pass me the popcorn...

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      No. "Popcorn" has been removed by Apple from the AppStore.

    • Being that this service is being labeled "Mysterious", I expect they are opening up the phone, tapping into the storage media, downloading all the data, then brute forcing it until they get in. Being most people just use a 4 digit pin, that means 9999 possible combinations. If they use a password, then we have the brute force password hacking algorithms.

      Such a process I would expect the 30k to be a reasonable price. Taking account opening an iPhone without breaking it, skills to tap into a soldered SD Driv

      • At least according to the description.

      • by mlyle ( 148697 )

        The data on the phone is encrypted with much longer keys than your PIN.

        Your credential is presented to the secure enclave, which ratelimits attempts and locks out on too many failures. If it is correct then it releases appropriate keys.

      • by AmiMoJo ( 196126 )

        My guess is that they found a way to bypass the usual limits on PIN guesses somehow, allowing them to try all possibilities quickly. And it sounds like they do it entirely in software.

        Maybe something like they found a way to crash the secure processor, so they can reset it before it counts the attempt as failed. Timing reveals if it is going to accept or reject the pin early.

      • The problem is most phones combine the pin with a device unique code from the security coprocessor.

        You either need to exploit the boot-loader, or have a key to sign your own boot loader with.

    • And the winner is: actual security! Apple and other vendors should fix vulnerabilities like this. What, do we want the tools outlawed and security research with it? Now there is an issue if these companies are hiding the vulnerabilities from the vendor, but it's quite possible that they are problems that Apple knows about but are tricky to fix (e.g. electronic or physical design or manufacturing issues). Timing/heating/monitoring attacks can be very hard to defend against. You know if it only costs $15
  • We just need the galactic key to unlock it... really easy.
  • I don't see this as being usable on current hardware for very long.
  • by Anonymous Coward

    Could Apple go after him for undermining their current products?

    • Apple just spent 30.000$ I guess.

  • LOL maybe Apple will issue a DMCA takedown notice against that company and the government for reverse-engineering iPhones.
    All kidding aside Apple will I'm sure just treat this like any other exploit uncovered and change their product to prevent it. Then they'll create a new tool. Welcome to the endless game of Security Whack-a-Mole.
    • by mark-t ( 151149 )

      It'll suck for the people who spent the $15k or $30k on the product, only to have it stop working not long afterwards.

      I'd hope that $15k/$30k would include upgrades for a long enough time to be worthwhile, otherwise it's a money sink.

      • by Anonymous Coward

        It will be a government entity using its citizen's tax dollars to pay for it, so they won't care. Other people's money.

    • law enforcement use can bypass the DMCA

    • Maybe app developers should consider doing their own encryption for data stored? This could be fairly simple, depending on the persistence of the data. If the data doesn't leave the device, create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. That way, the OS (which is normally secure) maintains security, but the app still has stuff secured by the separate added PIN/passphrase.

      If the data has to be backed up, it could be encrypted with a nonce

      • > create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. ...
        > If the data has to be backed up, it could be encrypted with a nonce

        The key to your whole scheme is the nonce. And you don't know what a nonce is. So I'll answer your question:
        > Maybe app developers should consider doing their own encryption?

        App developers should develop apps. Cryptographers, who not only know what a nonce is, but can rattle off the top three most common probl

        • The perfect is the enemy of the good here.

          Having one's own encryption layer is better than nothing, especially if the phone's encryption may not be secure. Yes, an app developer might have to take the time to realize using AES in ECB mode is not a good thing, but that is better than nothing.

          • If you think a file is encrypted, and therefore it's safe to back it up to an open S3 bucket, it would have been much better to not make it look encrypted and make it obvious that it's not protected.

            Whether weak encryption is better than none very much depends on many factors. Very often, it's "better" in the short term, but two years later someone does something that exposes the data because it looks like it's safe. They forget or never knew that the encryption isn't good encryption.

  • OK, 15 grand is a lot for the average individual, but for law enforcement etc. it's peanuts.
    Did I not read here about that Israeli firm charging 100k a pop?
    This is really discounting hard - 50 bucks per phone cracked, (if that's what they're doing).

  • by thedarb ( 181754 ) on Monday March 05, 2018 @02:33PM (#56211395) Homepage

    This is completely against the public's own interest and should be considered treason, IMHO.

    • I don't think that word means what you think it means.

    • Maybe you should read a fucking dictionary.

  • Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.

    So sure, Apple immediately spent $30k for a license, so that they can analyze it. The fascinating question will be: Does the exploit rely on a hardware flaw or a software flaw? If the latter, it will quickly be patched. If this is ultimately relying on some weakness in the hard

    • Is the iPhone X really number 10, though? Because there's no iPhone 9 right now.

      I'm thinking this is like they went from Mac OS 9 to Mac OS X, the iPhone X represents a new line of iPhones.

      In any case, I'm waiting for the iPhone XXX. They'll have to allow VR porn and 3D hentai apps on it!

    • Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.

      Apple does the maximum number of wrong attempts before deleting the contents of the phone thing. So I'm pretty sure the vulnerability is being able to stop that from happening (and likely adding the code to do the brute forcing). The brute force code is to unlock. By default, iOS has a 4-digit pin to unlock. That's really easy to brute-force in no time at all if you can have the software input the numbers and get around the maximum number of retries thing, so no reason to even try something other than brute-

    • by bartle ( 447377 )

      In order for John Irving to unlock her iPhone, he enters a 6 digit PIN. Maybe Lorian Bartle uses an alphanumeric password. John and Lorian did not choose strong passwords, knowing they have to enter it every time they boot up the phone, so either phone is easily crackable by copying the encrypted contents of their phones onto a powerful computer and brute forcing every possible password.

      Apple prevents this by generating a random element that, combined with John or Lorian's passcode, makes up the encryption
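The mechanism that mlyle, the "device unique code" comment, and bartle describe above, as an added illustration that is not from any commenter and is not Apple's implementation: the passcode is stretched together with a per-device secret that never leaves the secure element, and the element counts failures and destroys its key material after too many. The KDF choice (PBKDF2-HMAC-SHA256), the iteration count and the `SecureElementModel` class are assumptions made for this toy model.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model, not Apple's design: parameters are assumptions for illustration.
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_key(passcode: str, device_uid: bytes) -> bytes:
    """Entangle the passcode with the device-unique secret (assumed: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, KDF_ITERATIONS, KEY_LEN)


class SecureElementModel:
    """Toy secure element: holds the UID, verifies guesses, counts failures, wipes on lockout."""

    def __init__(self, passcode: str, max_failures: int = 10) -> None:
        self._uid = secrets.token_bytes(KEY_LEN)  # per-device secret, never exported
        key = derive_key(passcode, self._uid)
        # A key check value lets the element verify a guess without storing the passcode or key.
        self._kcv = hmac.new(key, b"passcode-check", hashlib.sha256).digest()
        self._max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def unlock(self, attempt: str) -> Optional[bytes]:
        """Return the data-protection key on a correct guess, None on a wrong one."""
        if self.wiped:
            raise RuntimeError("key material destroyed after too many failed attempts")
        key = derive_key(attempt, self._uid)
        kcv = hmac.new(key, b"passcode-check", hashlib.sha256).digest()
        if hmac.compare_digest(kcv, self._kcv):
            self.failures = 0
            return key
        self.failures += 1
        if self.failures >= self._max_failures:
            self.wiped = True  # effaceable key is gone; the stored ciphertext is now unrecoverable
        return None


def key_depends_on_uid(passcode: str, device_uid: bytes) -> bool:
    """Copying the encrypted storage off the device does not copy the UID: the same
    passcode with any other UID gives an unrelated key, so an offline search must
    cover the 256-bit UID space rather than the 10**4 space of a 4-digit PIN."""
    real = derive_key(passcode, device_uid)
    other = derive_key(passcode, secrets.token_bytes(KEY_LEN))
    return real != other
```

The wipe counter is what the "maximum number of wrong attempts" comments below refer to; a tool that reset it without the element noticing would regain the small PIN search space, which is why that counter has to live inside the secure element rather than in the application processor.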

  • These tools need better names like Password Corer or Security Peeler. Let us have some humor with the fruit phone.
  • disgruntled apple cyber security employee maybe, stole a gen key before retirement? Anyone related to Felt work there lately?
  • This might exploit some spectre or meltdown like vulnerability to get the encryption keys that are located in an until now safe part of the processor chip.

  • ....or it's secure for no one.

  • This cheap? *lol*
    ...and Apple believers will still assert that their phones are safe. When it comes to dumbing down people, religion is certainly the most effective.
