Apple appears to have blocked GrayKey iPhone hacking tool
Apple has apparently been able to permanently block de-encryption technology from a mysterious Atlanta-based company whose blackbox device was embraced by government agencies to bypass iPhone passcodes.
Atlanta-based Grayshift is one of two companies that claimed it could thwart Apple iPhone passcode security through brute-force attacks.
The blackbox technology purportedly worked, as Grayshift’s technology was snapped up by regional law enforcement and won contracts with Immigration and Customs Enforcement (ICE) and the U.S. Secret Service.
Another vendor, Israel-based Cellebrite, also discovered a way to unlock encrypted iPhones running iOS 11 and marketed its product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security tested the technology.
Multiple sources familiar with the GrayKey have told Forbes that the device can no longer break the passcodes of any iPhone running iOS 12 or above.
iOS 12 was released by Apple last month.
All GrayShift customers sign very strict non-disclosure agreements, as any leaked information could help Apple close the vulnerabilities they are using, whether they find them themselves or buy zero-day flaws in Darknet, said Vladimir Katalov, CEO of Russian forensic tech provider ElcomSoft. GrayShift’s technology – the GrayKey blackbox – seems to fully support devices running iOS up to 11.4.1, he said.
“Honestly, we are not absolutely sure that the hole has been completely closed; or maybe they will still find a workaround, or developbuy another way,” Katalov said . “So that is [a] cat and mouse game that is still ongoing. Now…, GrayShift will probably spend even more efforts to hide their findings from the media.
“That is probably good for law enforcement, but definitely bad for the community, as it leaves some doors still open,” Katalov added. “That’s only a question of time when GrayKey will become available to some criminals.”
Grayshift’s GrayKey de-encrypting device – a 4-in. x 4-in. box with two iPhone-compatible Lightning cables – was first discovered by Motherboard; it reviewed police department public records and emails obtained from federal agencies that revealed purchases of the device. The GrayKey box could apparently unlock an iPhone in about two hours if the owner used a four-digit passcode and three days or longer if a six-digit passcode was used.
Grayshift competitor Israel-based Cellebrite also sold its Universal Forensic Extraction Device (UFED) to law enforcement agencies as a service, including a $558,000 contract signed with ICE in August, according to a Freedom of Information Act request filed by the Electronic Privacy Information Center (EPIC).
A request for comment today from Apple was not immediately returned.
The UFED Cloud Analyzer tool can unlock, decrypt, and extract phone data, including “real-time mobile data … call logs, contacts, calendar, SMS, MMS, media files, apps data, chats, passwords,” according to the FOIA request.
The technology can also purportedly extract private information without a passcode from private cloud-based accounts, such as those used by , Gmail, iCloud, Dropbox, and WhatsApp.
“I should note that Cellebrite… [has] about the same skills, but do not offer the product; [they] only provide the service – authorized parties can send their devices to them and get them back unlocked (on success, of course; and after paying several thousand bucks),” Katalov said. “But there is another issue there – whether you can trust them.”
In February, reports surfaced that Cellebrite had discovered a way to unlock encrypted iPhones running iOS 11 and was marketing the product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security had been testing the technology. It was not immediately clear if the iOS 12 changes affect the Cellebrite technology.
Earlier this year, Grayshift emerged as a different company that had developed an inexpensive black box that could unlock any iPhone; Motherboard reported that local and regional U.S. police departments and the federal government had been purchasing the technology.
Grayshift reportedly hired a former Apple security engineer.
If the devices didn’t work, police wouldn’t be buying them
Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said earlier this year he believed the reports that the iPhone’s encryption had been cracked. Otherwise, law enforcement agencies wouldn’t be purchasing the hacking technology.
“The FBI huffed and puffed and said couldn’t get into the iPhone, and then we found out that’s not true…the literal night before the court hearing [to decide the case],” Cardozo said.
He was referring to the investigation of San Bernardino gunman Syed Rizwan Farook. The FBI initially maintained it was unable to crack the passcode on an iPhone used by Farook.
The Justice Department petitioned the courts to force Apple to comply with an order to unlock the device; a judge granted the request, but delayed making a final decision until hearing arguments from both sides. The evening before a court hearing to decide the matter, the agency announced it had gotten help from an outside group.
The FBI’s attempts to get Apple to help with unencrypting the iPhone were rebuffed. Apple maintained that to break into one iPhone would weaken security for all others.
The news that two iPhone unencrypting methods were widely available to government agencies did not surprise analysts, who said it was inevitable.
“Basically, this is a cat and mouse scenario, as is all security. Something gets broken, the vendor fixes it, then people learn how to break in again,” said Jack Gold, principal analyst with J. Gold Associates. “I have no doubt that new techniques for breaking the encryption are already being worked on.
“The idea is to make it as hard as possible by adding layers of encryption or long keys to encode, decode. But a determined decoder can crack it, given enough tools and enough time,” Gold said.
The GrayKey box retails for $15,000. That model is geofenced to a specific location, requiring an internet connection that enables up to 300 unlocks. There is also a $30,000 GrayKey model that can be used independent of internet connectivity and offers an unlimited number of device unlocks, according to Motherboard.
Conversely, Cellebrite charges $5,000 to unlock a single iPhone, according to Malwarebytes.
EFF’s Cardozo said consumers shouldn’t be overly concerned about iPhone-cracking technology because law enforcement agencies must still obtain a court-issued warrant to unlock a device.
But those concerned about privacy rights should realize that once cracking technology becomes available, it’s reasonable to believe law enforcement agencies won’t be the only ones to gain access to it.
“If you believe the only people with access to GrayKey or Cellebrite are the cops, I’ve got a bridge to sell you,” Cardozo said.
Apple’s early efforts to limit law enforcement access
Apple took its own steps to further limit unauthorized access to locked iOS devices. In its beta release of iOS 11.3, Apple introduced a feature known as USB Restricted Mode.
Security software vendor Elcomsoft first discovered the new feature, which was buried deep within the beta release documentation. The feature was apparently cut from iOS 11.3 before it was released publicly.
The documentation described the new feature as a way “to improve security.”
“For a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week.”
If an iOS device is not unlocked after seven days, an iPhone’s or iPad’s Lightning port turns into nothing more than a charging port, locking out any data connection at the USB-interface level, according to Elcomsoft’s description.
“Its effect on passcode unlocking techniques developed by Cellebrite and Grayshift is yet to be seen,” Elcomsoft explained in its blog post.
Just this week, Apple CEO Tim Cook reiterated the company’s efforts to protect user privacy at a conference of European privacy commissioners in Brussels.