GrayKey Device Promises to Unlock Any iPhone: What You Need to Know

GrayKey: The Device That Claims to Unlock Any iPhone

Until early March 2018, almost no one had heard of the company Grayshift. That changed after an article was published in Forbes magazine. Journalists reported on GrayKey devices, which, according to the manufacturer, can be used to unlock any iPhone.

GrayKey’s Capabilities and Pricing

Grayshift was founded by former Apple security specialists Justin Fisher and Braden Thomas, who worked in Cupertino for over six years. The Forbes article revealed few details about how GrayKey works, but did mention that the product is intended for law enforcement agencies. Even the official Grayshift website is only accessible to law enforcement representatives.

According to promotional materials published by journalists, police can purchase GrayKey with an annual license for $15,000, which allows for unlocking up to 300 devices and requires a constant internet connection. There is also a $30,000 option with unlimited unlocks that works offline, meaning this version of GrayKey operates autonomously.

GrayKey vs. Cellebrite

For comparison, the services of the Israeli company Cellebrite, which also works with law enforcement and can unlock Apple devices, are much more expensive. Cellebrite charges $1,500–$5,000 to unlock a single smartphone. Publications like Motherboard and ZDNet have found that police departments in Indiana are already using Grayshift’s solutions, and the New York Police Department has spent tens of thousands of dollars on GrayKey.

How GrayKey Works

Last week, cybersecurity experts from Malwarebytes published more details about GrayKey, including photos of the device. GrayKey is a small box with two short Lightning cables. Experts say you need to connect the phone to GrayKey for about two minutes. After that, the device can be disconnected, although the phone is not yet unlocked. The password and other data will appear on the screen a bit later, once the cracking process is complete. The time required depends on the device model and password complexity, but on average, the process takes about two hours. According to Grayshift’s documentation, it can take more than three days if a six-digit code is used.

What Happens After Unlocking

Once the password is found, the entire file system of the iPhone is copied to GrayKey. All information, including the keychain contents (in unencrypted form), becomes available through a web interface for analysis or download.

Supported Devices and Security Concerns

GrayKey’s developers claim their device can unlock any iPhone model newer than the iPhone 5s (including the iPhone 8 and iPhone X), which means it can crack iOS up to at least version 11.2.5 (likely the latest version when the photos were taken). Apple’s Secure Enclave technology is supposed to protect devices from such password attacks, but it appears that both this protection and the limit on password attempts have been bypassed.

Malwarebytes analysts warn that devices like GrayKey can be extremely dangerous. Previously, devices like IP-Box were used to hack iOS, mainly by criminals rather than law enforcement. Today, such devices can even be bought on Amazon and eBay. Experts fear that GrayKey could meet the same fate, especially since the unlimited license version does not require an internet connection and can be used autonomously.

Unknown Exploits and Potential Risks

Malwarebytes representatives also note that it’s unclear which exploits GrayKey uses, but the hacking process is definitely related to some form of jailbreak. Analysts question what happens if an iPhone that has been hacked is returned to its owner after an investigation. Such a device could be dangerous. It’s not clear whether the changes made by GrayKey can be reversed, and after a jailbreak, it’s likely that remote access to the smartphone could be possible. There is also no information about how data is transferred to GrayKey or how it is stored. Whether encryption is used in this process remains a big question.
