Just set up the phone to erase itself after 10 wrong attempts. Problem solved..

I doubt that would do anything because I don't think this device is simulating password attempts via the unlock screen user interface.

The screen shots show an unusual interface and the article describes installing proprietary software. This means it has some kind of file system access via some sort of jailbreak exploit and is probably doing some sort of brute force attack there instead.
 
The problem is not that the Greybox exists. The problem is that if the Greybox exists, that means there is an exploit that can be used by others to do the same thing. If that company figured it out, others will also.

Security is an all or none deal. If anyone can get into your phone, everyone can get into your phone.

Anyone who thinks The State should have a backdoor into people’s privacy, should line up first to replace their front door with a screen door and remove the password lock completely from their phone.

And no one can break into your security alarmed house either... If we are trying to make our phones more secure than anything else on the planet, mission accomplished.
 
Your tax dollars at work. Since I have no issue that Police are allowed to kill without consequence, I certainly have no issue with them cracking a phone.
 
Not my point. It is more difficult to break into my security alarmed house with my 4 large dogs. It should be difficult. It will never be impossible. But that doesn’t mean I shouldn’t keep trying to make it more difficult.

I'm only raising the bar to the point most people would think their phone "privacy is mine, and no one shall get at my phone *ever*." type reason..

I'm just saying, you gotta let that guard down a tad if you want good outcomes. Trade-off, you may call it.
 
And no one can break into your security alarmed house either... If we are trying to make our phones more secure than anything else on the planet, mission accomplished.
Missed your edit. The problem is that what is difficult today will be trivial tomorrow. Tech companies must continue to quash these exploits wherever they appear.
 
It's one or the other. If this company only sells to law enforcement then Apple won't be able to get one. It also means criminals won't be able to get one either. If these are easy for regular people (or criminals) to get, then Apple will also be able to get one and it'll be patched.

You can't have your cake and eat it too (worry that everyone and their dog will be cracking open iPhone AND that Apple won't be able to patch it).

Throw enough attorneys at it and Apple will own the company for free for circumventing security.
 
I doubt that would do anything because I don't think this device is simulating password attempts via the unlock screen user interface.

The screen shots show an unusual interface and describe installing proprietary software. This means it has some kind of file system access via some sort of jailbreak exploit and is probably doing some sort of brute force attack there instead.

This. The only protection from attacks like this is a long password. Make it as time-consuming as possible to break in, hopefully to the point they either give up, or the information contained on the device is no longer useful to them.
 
Missed your edit. The problem is that what is difficult today will be trivial tomorrow. Tech companies must continue to quash these exploits wherever they appear.

Cat & mouse game.. Doesn't mean I should be in favor 100%, does it? Depends on the privacy.
 
I am curious if cracking the iPhone X passcode works to bypass my BofA mobile app?
I am also curious if it bypasses my 1Password manager. That would be concerning since I keep my financial passcodes there along with other stuff I would not want a criminal to get access to.
Just set up the phone to erase itself after 10 wrong attempts. Problem solved..
That may stop the GrayKey if it works around the attempts limit.
 
This is why you don't use 6-digit passcodes but instead a complex alphanumeric one.

Right...and I'm not sure if any iOS devices use alphanumeric. I don't use passwords on my devices because given Apple's newer password policy, it will lock me out after a few bad guesses...and lock me out for days/weeks if repeated. Imagine if I went into the bathroom for 2 minutes and my 5 year old started banging away at the passwords. Or if someone is a jerk and purposely guesses wrong 15 times while you run out to your car. I know a few people who were locked out for days due to this stupid policy.

Apple should enable an option that allows unlimited guesses like the iOS versions from a few years ago. However, a) make it alphanumeric and b) make the length be up to 16 or 20 characters.

Trying to crack a 6-10 DIGIT password will only take a few minutes or hours depending on the length. Cracking a 6-10 ALPHANUMERIC will take days to weeks. Alphanumeric passwords of 16+ would take dozens (or more) years.

Alphanumeric would be 52 letters (upper and lower case in English), 10 digits totaling 62 characters. 62 to the power of 10 would be 839,299,365,868,340,224 combinations for the machine to guess. That's 839 quadrillion guesses. Add in the ability to use some symbols and the password could be 72 characters.
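
The keyspace arithmetic in the post above, worked through as an added example (not part of the original post): it computes the number of combinations for each alphabet the post names and the shortest passcode length that keeps an exhaustive search above a target time. The per-guess cost is an assumption, since the thread gives no guess rate.

```python
# Added example: passcode keyspace and exhaustive-search time.
# SECONDS_PER_GUESS is an ASSUMED cost per attempt, not a figure from the thread.
SECONDS_PER_GUESS = 0.08
YEAR = 365 * 24 * 3600

# Alphabet sizes named in the post above.
ALPHABETS = {"digits": 10, "alphanumeric": 62, "alphanumeric+symbols": 72}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Candidates to try when the length is unknown (every length 1..max)."""
    return sum(keyspace(alphabet_size, n) for n in range(1, max_length + 1))


def worst_case_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode of exactly `length` characters."""
    return keyspace(alphabet_size, length) * per_guess


def min_length(alphabet_size, target_seconds, per_guess=SECONDS_PER_GUESS):
    """Shortest length whose full search takes at least `target_seconds`."""
    length = 1
    while worst_case_seconds(alphabet_size, length, per_guess) < target_seconds:
        length += 1
    return length


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (6, 10):
            t = humanize(worst_case_seconds(size, length))
            print(f"{name:22} length {length:2}: {t}")
        need = min_length(size, 100 * YEAR)
        print(f"{name:22} needs >= {need} characters for a 100-year search")
```

Changing `SECONDS_PER_GUESS` shows how strongly the required length depends on whether attempts are rate-limited by the device or run at full speed.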
 
some sort of jailbreak exploit and is probably doing some sort of brute force attack there instead.

Yup.

I wonder if there is a backdoor into Secure Enclave via "alternate" device passcode prompt(s). I.e., when on lock screen, you get a prompt that also does the erase when X attempts made vs. the prompt for device password you get when opening things like the "Security" sub-section under Settings. Not that I've tried, but, guessing that once the device is unlocked, the erase function is turned off, and/or different semaphore/mailbox communication process with Secure Enclave for that.
 
So, when you have wet hands or dry cracked fingertips (Touch ID) or Face ID refuses to open your iPhone you have to input that difficult password each and every time, 6 digit should be good to go.
If the password is a pattern that is easy to remember, or a phrase that is simple to remember, entering such a passcode would not be a serious issue. I have used a phrase for over 2 years for my device passcode and it is long but also simple to remember. My Mac has an even longer passcode (23 characters).
 
Right...and I'm not sure if any iOS devices use alphanumeric. I don't use passwords on my devices because given Apple's newer password policy, it will lock me out after a few bad guesses...and lock me out for days/weeks if repeated. Imagine if I went into the bathroom for 2 minutes and my 5 year old started banging away at the passwords. Or if someone is a jerk and purposely guesses wrong 15 times while you run out to your car. I know a few people who were locked out for days due to this stupid policy.

Apple should enable an option that allows unlimited guesses like the iOS versions from a few years ago. However, a) make it alphanumeric and b) make the length be up to 16 or 20 characters.

Trying to crack a 6-10 DIGIT password will only take a few minutes or hours depending on the length. Cracking a 6-10 ALPHANUMERIC will take days to weeks. Alphanumeric passwords of 16+ would take dozens (or more) years.

Alphanumeric would be 52 letters (upper and lower case in English), 10 digits totaling 62 characters. 62 to the power of 10 would be 839,299,365,868,340,224 combinations for the machine to guess. That's 839 quadrillion guesses. Add in the ability to use some symbols and the password could be 72 characters.
Umm...yeah you can do this on iOS. Select “passcode options” when typing in a new passcode.
 
We do not have unlimited rights. This post is an example: only those of certain status get to respond. Even our First Amendment rights are not unlimited. The problem with technology is that it moves faster than laws and regulations can adapt. There needs to be some clearly defined boundaries for any access requests, but access at some level needs to be there.
 
Just a note of appreciation for the tip about using an alphanumeric and/or longer PCode. I had not noticed the passcode options when setting it up. I now have 12 numbers, letters, symbols. Fortunately, Face ID works almost without error or entering that many characters would be too cumbersome.

But despite some good advice here about keeping anything off the phone that you don't want known, I need my sync'd "Contacts"(lots of private info about self, family, and business relationships) when away from home/personal computer. So with the upgraded passcode, that information feels a lot more secure, regardless of the gray box.
 
Setting Response: [PsyOp]

Not getting alarmed until I see something more than a lightning cable cut in half, with the two ends running out of a cheap plastic box.
 
We do not have unlimited rights. This post is an example: only those of certain status get to respond. Even our First Amendment rights are not unlimited. The problem with technology is that it moves faster than laws and regulations can adapt. There needs to be some clearly defined boundaries for any access requests, but access at some level needs to be there.

So do I have more rights than you because I studied info security and know how to use (non-Apple) tools that would take thousands of years to crack?

If an exploit exists that one company or agency can use, it exists for everyone. If The State wants to know what I’m up to, they have myriad options to find out. My use of an iPhone should not make their job or any hacker's job easier.
 
How is this legal? This is not just phone owners jailbreaking their own phones.

This is a commercial entity, playing with Apple's IP for profit. Why doesn't Apple sue these guys?
 