So, when you have wet hands or dry cracked fingertips (TouchId) or FaceID refuses to open your iPhone you have to input that difficult password each and every time, 6 digits should be good to go.

Yeah... no. 6 digits only has 10^6 (1 million) possible combinations. That's almost trivial to break. Even as slow as 10/second it would only take an average of (1M*600/minute)/2 = about 14 hours to crack.

The vast majority of people really don't have anything to worry about... for 2 reasons (1) The chances of your phone getting picked up by law enforcement are slim. (2) The chance that particular law enforcement entity HAS a GrayKey is slim.

That said, this should still give us all cause for concern and I sincerely hope Apple is figuring out how to eliminate this threat... because that's exactly what it is.
 
The vast majority of people really don't have anything to worry about... for 2 reasons (1) The chances of your phone getting picked up by law enforcement are slim.

I disagree with your logic. Misuse of such technology affects everyone. For just one example, let's say the government is doing something evil (unthinkable, I know) and they use this tech to find/silence/discredit a whistleblower. That hurts everyone.
 
Everyone screams around like a chicken with his head cut off in fear of a backlash.

This is a product out for 'law enforcement'. The fact it's now known to the public shouldn't make things worse... There is plenty of other stuff the public may not know about, but the "not knowing" doesn't freak us out that bad, until it IS known.

Apple has its hands tied on this one, because it's a chicken & egg game. To say we must have 100% privacy on iOS with no way to get in if the law must just siding the fact we don't wanna know if the same issues happen to us, would you feel good knowing no one can solve your case?

The tables turn. Apple security is a good idea, but there needs to be a business for these things. Apple can refuse, but that shouldn't mean no one else can't do it.
 
"MalwareBytes worries that the portable version of the GrayKey could easily fall into the wrong hands."

What's to worry about? That would never happen...*cough* eternalblue *cough*

$30.000 is peanuts for Apple, they just buy one and before you know it iOS is patched, if not already.


It's one or the other. If this company only sells to law enforcement then Apple won't be able to get one. It also means criminals won't be able to get one either. If these are easy for regular people (or criminals) to get, then Apple will also be able to get one and it'll be patched.

You can't have your cake and eat it too (worry that everyone and their dog will be cracking open iPhone AND that Apple won't be able to patch it).
 
Yeah... no. 6 digits only has 10^6 (1 million) possible combinations. That's almost trivial to break. Even as slow as 10/second it would only take an average of (1M*600/minute)/2 = about 14 hours to crack.

The vast majority of people really don't have anything to worry about... for 2 reasons (1) The chances of your phone getting picked up by law enforcement are slim. (2) The chance that particular law enforcement entity HAS a GrayKey is slim.

That said, this should still give us all cause for concern and I sincerely hope Apple is figuring out how to eliminate this threat... because that's exactly what it is.
Speaking of digits...1984.
 
I don’t understand how it is even legal for law enforcement to use such questionable „hacking“ options by questionable sources to obtain „evidence“.

Isn’t this like a deep cut into one’s privacy?

Let’s say „mom sent u a text that she only got xy days to live“. Isn’t the police or whatever breaking the 3rd party’s right of privacy by obtaining this information without her consent?

That’s like breaking into one’s house telling the owner to strip naked right at the spot by using a tank to gain access to the building
 
If I designed and made this, I would sell it for much higher prices to law enforcement.

Also, with Apple lying to customers about updates and the whole iPhone 6s and 7 fiasco by slowing them down to a crawl when Battery was less than 80%, I have heard many people say they’re no longer going to update their iPhones. Apple has lost a lot of credibility. It will cause fragmentation, and people will unknowingly be more susceptible to law enforcement hacking their iPhones. It’s a lose-lose - thanks Tim!

May as well say it now, Apple has lost its secure status! It has lost its goodwill. It has lost much trust. And Samsung/Google will benefit.

Personally, I would like to see Apple do a 180 - fix the software for all devices, get rid of worthless code, secure everything, and make our privacy a priority. When Tim Cook gave China the keys to the Kingdom, and stored all user iCloud data/encryption software over there in China, it made me think that Apple’s morals only go as far as Tim’s stock options vesting. China was too important to Tim. I prefer he stood firm and not sold in China rather than give them everything.

Furthermore, I say Apple should shift strategy of manufacturing to India - a peaceful country that would use the inflow of our money for good. And that could be what helps Apple sell its future products in India and make it the powerhouse rather than China!

If Americans only knew how bad the inflow of money into China is, and what the government uses it for, it seems like we could just stop allowing business and cash to flow there. Free trade with India and governments that mean no harm to USA.
 
So, when you have wet hands or dry cracked fingertips (TouchId) or FaceID refuses to open your iPhone you have to input that difficult password each and every time, 6 digits should be good to go.

You can have security or convenience but you can't really have both. Longer passwords are what is required to guard against attacks like this. Even if Apple fixed this vulnerability, once someone has physical access to your device all bets are off. For the average user it usually doesn't matter that much; this device changes that equation slightly, but only if you get arrested. If you're carrying sensitive information on your device that you want to ensure doesn't get taken, a longer password is the way to go.
 
The "unofficial" back door? I wonder if someone from Apple fed the GrayKey guys the information necessary to develop this device.
 
$30.000 is peanuts for Apple, they just buy one and before you know it iOS is patched, if not already.

Just for context, Apple made $30,000 every 4.13 seconds in Fiscal Year 2017.
I use 7. Just for the reason that the box to type it doesn’t give away the length of the passcode.

That is pretty smart. So 7+ length passcodes don't have the empty dots while you type?
 
I don’t understand how it is even legal for law enforcement to use such questionable „hacking“ options by questionable sources to obtain „evidence“.

Isn’t this like a deep cut into one’s privacy?

Let’s say „mom sent u a text that she only got xy days to live“. Isn’t the police or whatever breaking the 3rd party’s right of privacy by obtaining this information without her consent?

That’s like breaking into one’s house telling the owner to strip naked right at the spot by using a tank to gain access to the building

The argument would be they are above the law... Users are the ones that follow the rules. No one says they don't have to abide by the same set of rules.
 
The problem is not that the Greybox exists. The problem is that if the Greybox exists, that means there is an exploit that can be used by others to do the same thing. If that company figured it out, others will also.

Security is an all or none deal. If anyone can get into your phone, everyone can get into your phone.

Anyone who thinks The State should have a backdoor into people’s privacy, should line up first to replace their front door with a screen door and remove the password lock completely from their phone.
 
Simplest solution: don't store anything you would not want to fall into anyone else's hands on a tiny mobile device.

Whether this thing is legal or not, whether it's ethical or not, whether we hate it because Apple probably will or we love it because it's able to beat Apple's encryption system... etc, we can't stop it by whining about it in a thread. Easiest defeat of anything like this is to NOT have anything on your phone that you don't want to get out if the wrong people got your phone.

Apple buying one of these and finding a way to defeat it doesn't automatically stop the next one... and there's always a next one. In fact, there's probably multiple versions of THIS one and we're just hearing about this one because it's probably the oldest one.

Earlier today, there was a thread about new Intel chips defeating variants of chip-level exploits. Great right? Until new variants come out that sufficiently differ from those variants to no longer be protected by whatever Intel did. That's the game there: secured:unsecured, secured:unsecured.

Same here. Apple can buy one and adjust the code to beat it... but then the next one rolls out to beat Apple's code. However, if we don't store anything on a mobile device that we would not want the bad guys to be able to see, no exploit would matter anymore.
 
A Former Apple Security Engineer's Company Will Unlock Your iPhone X—for $15,000

After receiving the documents, Forbes dug into the people behind Grayshift. Although it was difficult to arrive at conclusions, since the company has remained silent and its employees kept as secretive as possible, the publication believes that at least one former Apple security engineer works at the company. In fact, two former security engineers are listed as principals at Grayshift—a title often used to describe owners. Fortune

Interesting, if true.
 