New Documents Shed Light on GrayKey Tool Used to Unlock iPhones
Written instructions on how to use the GrayKey tool are providing new insights into how law enforcement officers unlock Apple iPhones. Motherboard has obtained documents that describe how to unlock iPhones that are turned off or have dead batteries.
The instructions, reportedly written by the San Diego Police Department, are titled “How to Unlock and Extract Data from Apple Mobile Devices Using GrayKey.” The GrayKey tool, developed by Grayshift in Austin, is designed to unlock modern iOS devices and access their contents. iOS devices are encrypted by default and require a passcode to access data, but GrayKey enables brute-force attacks to bypass this protection.
“Before connecting any Apple mobile device to GrayKey, determine whether a proper search warrant has been obtained for the requested Apple mobile device,” the document states.
The instructions outline various conditions that supposedly allow a connection to GrayKey: before first unlock (BFU), after first unlock (AFU), devices with damaged screens, and phones with low battery levels.
Bypassing Alphanumeric Passcodes
One section of the instructions also describes how to crack alphanumeric passcodes. Many iPhone users have passcodes made up of only numbers. Alphanumeric passcodes use both letters and numbers, which gives more possible combinations and generally makes them more resistant to brute-force attacks, especially if random characters are used. However, if the passcode contains real words, it can be easier to crack using wordlists.
The instructions mention that the specialist will have the option to use a default wordlist called “crackstation-human-only.txt,” which is presumably associated with the password security site Crackstation. This archive contains about 1.5 billion words. GrayKey users can also import their own wordlists, but only one list can be loaded at a time.
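The keyspace argument above, worked through as an added example (not taken from the police instructions or from Grayshift): a passcode-strength check that compares exhaustive search over the character set with the bound a wordlist imposes. The 1.5 billion figure is the article's; the sample wordlist, the sample passcodes and the exact-match lookup are constructed assumptions.

```python
import math
import string

# Figure quoted in the article for the default wordlist (about 1.5 billion entries).
WORDLIST_ENTRIES = 1_500_000_000
# Constructed stand-in for a real wordlist (assumption, for illustration only).
SAMPLE_WORDLIST = frozenset({"sunshine", "dragon2020", "liverpool", "password1"})


def charset_size(passcode: str) -> int:
    """Size of the smallest standard ASCII alphabet covering the classes used."""
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in passcode))


def effective_bits(passcode: str, wordlist=SAMPLE_WORDLIST,
                   wordlist_entries: int = WORDLIST_ENTRIES) -> float:
    """log2 of the worst-case number of guesses needed to find the passcode.

    Exhaustive search costs charset_size ** length guesses. If the passcode
    is an exact entry in the wordlist, the search is bounded by the size of
    the list instead, so the smaller of the two figures applies.
    """
    if not passcode:
        return 0.0
    size = charset_size(passcode)
    if size == 0:
        raise ValueError("passcode uses no characters from the ASCII classes")
    brute_bits = len(passcode) * math.log2(size)
    if passcode in wordlist:
        return min(brute_bits, math.log2(wordlist_entries))
    return brute_bits


def audit(passcodes, wordlist=SAMPLE_WORDLIST):
    """Return (passcode, bits, in_wordlist) rows, weakest passcode first."""
    rows = [(p, round(effective_bits(p, wordlist), 1), p in wordlist)
            for p in passcodes]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Constructed sample passcodes: numeric, word-based and random alphanumeric.
    for code, bits, listed in audit(["482913", "sunshine", "dragon2020",
                                     "q7Lm2xT9vB"]):
        print(f"{code:12} {bits:5.1f} bits  in wordlist: {listed}")
```

The two ten-character passcodes show the article's point: the one found in the wordlist is bounded by the list size, while the random one keeps its full keyspace.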
Additional Features and Security Concerns
As part of the HideUI feature, GrayKey can also install a module that secretly captures the user’s passcode if authorities return the device to its owner.