The developers of the GrayKey device promise that it can jailbreak any iPhone



Until the beginning of March 2018, almost no one knew about Grayshift. Everything changed after Forbes magazine published an article about the company. The journalists described GrayKey devices, which, according to the manufacturer, can be used to jailbreak any iPhone.

Image: advertisement of GrayKey's capabilities

Grayshift was founded by former Apple security professionals Justin Fisher and Braden Thomas, who worked in Cupertino for over six years. The Forbes article gave almost no details about how GrayKey devices work, but said that the company's products are intended for law enforcement. Even the official Grayshift website is available only to law enforcement officials.
According to advertisements published by the journalists, the police can purchase GrayKey with an annual license for $15,000, which allows 300 devices to be unlocked and requires a constant internet connection. There is also a $30,000 option: this license has no limit on the number of unlocks and does not require an internet connection, that is, this GrayKey variation works autonomously.

Image: GrayKey licenses

For comparison, the services of the Israeli company Cellebrite, which also works with law enforcement agencies and knows how to "open" Apple gadgets, are much more expensive for the police: Cellebrite specialists charge $1500-5000 for unlocking one smartphone. Motherboard and ZDNet have established that Grayshift's solutions are already being bought by police departments, including police in Indiana and New York City, which have spent tens of thousands of dollars on GrayKey.
A few more details about GrayKey devices were published last week by specialists from the information security company Malwarebytes. The researchers released the photos of GrayKey that can be seen in this post. The device is a small box with two short Lightning cables.
Experts say that the phone needs to be connected to the GrayKey for about two minutes. After that, the gadget can be disconnected, although it has not yet been jailbroken. The guessed password and other data will be displayed on the phone's screen a little later, when the hacking is completed. Cracking time depends on the device model and password complexity, but on average the procedure takes about two hours. According to the Grayshift documentation, guessing a six-digit code can take more than three days.

Image: password found

When the password is found, the entire contents of the iPhone file system are copied to the GrayKey. Then all information, including the contents of the keychain (in unencrypted form), becomes available through the web interface for analysis or download.


The GrayKey developers claim that their device is suitable for unlocking any iPhone newer than the iPhone 5s (including iPhone 8 and iPhone X), that is, the device is capable of jailbreaking iOS at least up to version 11.2.5 (most likely, this was the most recent version at the time the photo was taken). Of course, the Secure Enclave technology should protect Apple devices from such password guessing attempts, but, evidently, this protection and the restriction on the number of password attempts were bypassed.
Malwarebytes analysts write that devices like GrayKey can be extremely dangerous. For example, IP-Box devices, which were used mainly by criminals rather than by law enforcement agencies, were previously used to hack iOS. Nowadays, such devices can even be bought on Amazon and eBay. Experts fear that GrayKey may face the same fate, because the version with an unlimited license does not require an internet connection and can be used offline.



Malwarebytes representatives also explain that it is not known which exploits GrayKey uses, but the hacking process is definitely associated with some kind of jailbreak. Analysts are wondering what will happen if, after the investigation is completed, the jailbroken iPhone is returned to its owner. Such a gadget can be dangerous: it is not entirely clear whether the changes made by GrayKey can be reversed, and after a jailbreak the smartphone can probably be accessed remotely. Also, nothing is known about how the data is transferred to the GrayKey or how it is stored. Whether there is encryption in this process is a big question.
 