This is far beyond irony or karma, this is exactly what we've been screaming the warnings about for years now about why backdoors are an incredibly bad idea.

While I totally agree, there will always be back doors. If it connects to the internet it can be hacked. Even the hack machines can get hacked.
 
Two BTC at their highest would have fetched a hair over $40,000. Why so little? Unless they plan on selling customer data.
 
Security experts recommend alphanumeric passcodes that are at least seven characters long with numbers, upper and lowercase letters, and symbols included.
There is no way I’m doing this. Not on an iPhone X. I’d have done this with Touch ID but Face ID isn’t good enough yet. I’d have to be inputting this more complex password so many times during the day. Like every time my iPhone X is flat on my desk and I want to check something real quick. Or every time it doesn’t recognize my face, which is a few times per day. Having to input both alphabet cases, numbers, and symbols each time I need to unlock would be awful. I already hate having to tap out a simple six digit code on the large keypad!
 
Hahaha they held them for ransom for two bitcoins?
It seems all that leaked was a GUI, and not the code that does the actual exploit or brute-force attack. I think some posters in this thread are making it out to be more serious than it actually is, though it raises some questions about the security of these devices and the company behind them.

Hopefully Apple can find and patch whatever method of access is allowing these devices to brute-force the passcode, even if it must be done at the hardware level.
 
There is no way I’m doing this. Not on an iPhone X. I’d have done this with Touch ID but Face ID isn’t good enough yet. I’d have to be inputting this more complex password so many times during the day. Like every time my iPhone X is flat on my desk and I want to check something real quick. Or every time it doesn’t recognize my face, which is a few times per day. Having to input both alphabet cases, numbers, and symbols each time I need to unlock would be awful. I already hate having to tap out a simple six digit code on the large keypad!
You know, when you see that message about entering your passcode you can often just hit cancel and try Face ID again. I only enter my passcode the once a week required by Apple for the most part. There is no reason you should be having to enter your passcode that often unless you are doing something very odd.
 
Look here, I hacked apple, look how it says secure and I have the code, oh dear, Apple's in trouble now! I want at least 2000 bitcoin to not release all data.

Or not. Wow, some idiot found a graykey over the internet and copied some UI code and tried to make a buck. Well, no, they didn't fall for that.
 
This is exactly why Apple refused to build code/a master key that would allow access to any iPhone: they mentioned specifically that once such a thing is done, it will become a huge target and will eventually be leaked, stolen, compromised, etc.
 
All Apple need to do to thwart this box is make the recommended passcode default entry alphanumeric and a minimum of 8 characters long. That will potentially increase the time to brute force passwords and decrease the worth of this hack device.

My passcode is currently 18 characters long which doesn’t cause me any inconvenience as I very rarely have to input it on my iPhone X apart from after I reboot for updates.
 
There is no way I’m doing this. Not on an iPhone X. I’d have done this with Touch ID but Face ID isn’t good enough yet. I’d have to be inputting this more complex password so many times during the day. Like every time my iPhone X is flat on my desk and I want to check something real quick. Or every time it doesn’t recognize my face, which is a few times per day. Having to input both alphabet cases, numbers, and symbols each time I need to unlock would be awful. I already hate having to tap out a simple six digit code on the large keypad!
I would do a complex password either way. My Mac has a 23-character password, and I type it a few times today, if MacID does not work well/as expected.
 
It's not a backdoor, and the vulnerability has nothing to do with the government. Apple screwed up.
It is functionally indistinguishable from a backdoor. It is essentially a backdoor Apple built unintentionally into iOS/iPhone that was so far only available to government agencies. Until one of the parties which had the 'key' to this backdoor got hacked ...
 
This is dumb. Someone did a ‘view source’ on the GrayKey UI. That’s not a data breach or any kind of security issue.

It’s not that this revealed any data but that these devices are vulnerable to being hacked with ease. Especially if they are targeted.

This is a big deal as it potentially allows the method used to be stolen by a malicious actor for nefarious uses. Though how much more nefarious you can get than law enforcement is debatable.
 
It's not a backdoor, and the vulnerability has nothing to do with the government. Apple screwed up.
You're right (for the first part of your statement), but it's exactly the example needed to show why the backdoor that government agencies have been asking for is a very bad idea.

I just want Apple to fix this bug so the stupid boxes become expensive paperweights.

Users have a right to privacy.
It's not quite as simple as that. It's an arms race. This isn't a simple bug in the code, it's a sophisticated exploit, that will take some very bright minds to figure out how it's been achieved and then to redesign the code to mitigate against it. Allowing root access to macOS without a password was a bug that should have never slipped past Apple. This is something else. It's difficult to mitigate against something, when you don't know how it's being achieved.
 