I still struggle with this whole issue.
And feel a LOT of people here, and in general are being VERY two faced, because they are not affected.

Take your son or daughter, being held by a known murderer.
They are going to kill them (send you some body parts for starters) as they have a record of following thru on their threat.
Naturally, you would give up anything to save your child, even your home.

They find the murderer's phone, which would probably give the location so your son/daughter can be saved.

I'm assuming everyone would then say, no it's fine, let them die. Privacy of data is far more important than this one individual.

It's funny and very telling how people's views change when something directly affects them
 
It’s not that this revealed any data but that these devices are vulnerable to being hacked with ease. Especially if they are targeted.

This is a big deal as it potentially allows the method used to be stolen by a malicious actor for nefarious uses. Though how much more nefarious you can get than law enforcement is debatable.

This shows no such thing. Getting to the local GUI of a device that's open to the public internet and doing a "view source" does not mean that it's vulnerable to anything.
 
My guess is a lot, because government agencies are stupid and love to waste tax dollars.

Also, I'm not sure how much this would actually affect the current "legitimate" use of the boxes. They won't stop working because of this, and if all the police are interested in is being able to brute force the passcodes, then it won't make much of a difference to their use case whether other parties are able to do the same.
 
You know, when you see that message about entering your passcode you can often just hit cancel and try Face ID again. I only enter my passcode the once a week required by Apple for the most part. There is no reason you should be having to enter your passcode that often unless you are doing something very odd.
I have to agree with the other guy, I’m having to type in my passcode frequently, and I long for the simplicity of Touch ID. During the day I wear a surgical mask, Face ID doesn’t work. I get off of work and spend time outdoors, and Face ID often fails in the sunlight. In the evenings I’m resting on my side, I pick my phone up and Face ID fails if it doesn’t catch my face in the right position. Sure, I can hit cancel and try it again, just that Touch ID was so consistent and worked every time. I still love my X, but Face ID...not so much.
 
It is functionally indistinguishable from a backdoor. It is essentially a backdoor Apple built unintentionally into iOS/iPhone that was so far only available to government agencies. Until one of the parties which had the 'key' to this backdoor got hacked ...

As a 'backdoor' it's not very good, is it? If you have a strong password it could take centuries to crack via this method. A proper backdoor gives immediate access as it bypasses protection. An example would be Apple holding copies of all encryption keys and supplying these to the government.
I still struggle with this whole issue.
And feel a LOT of people here, and in general are being VERY two faced, because they are not affected.

Take your son or daughter, being held by a known murderer.
They are going to kill them (send you some body parts for starters) as they have a record of following thru on their threat.
Naturally, you would give up anything to save your child, even your home.

They find the murderer's phone, which would probably give the location so your son/daughter can be saved.

I'm assuming everyone would then say, no it's fine, let them die. Privacy of data is far more important than this one individual.

It's funny and very telling how people's views change when something directly affects them

Ok, so let's say the police don't get anywhere from the materials used to mail the body parts, or from the messages sent by the killer, you think that if they had the killer's phone (which, if he has been covering his tracks on the previous interactions with the victim's family, is probably a burner phone). If the killer slipped up and dropped his smartphone which he has been using the whole time whilst kidnapping and dismembering the victim, the police could access cell registration records from the carrier to triangulate regular spots they visited, all without unlocking the phone. Which would provide more info unless he had a note in the phone that said "this is the address of the torture room". By your logic I'm amazed the police were able to catch any criminals before the invention of smartphones.
 
As a 'backdoor' it's not very good, is it? If you have a strong password it could take centuries to crack via this method. A proper backdoor gives immediate access as it bypasses protection. An example would be Apple holding copies of all encryption keys and supplying these to the government.
It's not a perfect backdoor for sure, but for all practical purposes it behaves like a backdoor for all phones that only have a six-digit (or shorter) passcode. The point is not to say that Apple put in a backdoor, the point is to say that if one entity has a way to get into iPhones, we are just one hack away from somebody else being able to get in.
 
More like someone with good abilities looking for a quick penny.

Tim Cook by any chance? LOL. Seriously though it might be someone at Apple.
This is dumb. Someone did a ‘view source’ on the GrayKey UI. That’s not a data breach or any kind of security issue.
That is not what seems to have happened.
It's not a backdoor, and the vulnerability has nothing to do with the government. Apple screwed up.

I am not sure they are saying that is what happened but rather that it should not happen based upon this situation that itself relies upon flaws in iOS that are exploited by (it seems) an ex-Apple engineer.
You mean the company that has left their product open to this vulnerability in the first place?

The vulnerability was exploited by, as I see it, a former Apple engineer who helped to create some of iOS security in the first place. Sort of like a lock maker hired to become a lock picker! So hardly Apple's fault.
 
There is no way I’m doing this. Not on an iPhone X. I’d have done this with Touch ID but Face ID isn’t good enough yet. I’d have to be inputting this more complex password so many times during the day. Like every time my iPhone X is flat on my desk and I want to check something real quick. Or every time it doesn’t recognize my face, which is a few times per day. Having to input both alphabet cases, numbers, and symbols each time I need to unlock would be awful. I already hate having to tap out a simple six digit code on the large keypad!

Firstly I own an iPhone X and I can say it hardly ever fails to recognise my face, because you know..you're using it wrong lol. Seriously though it had a few times to start with where it failed but over time it got better at seeing my face. Next, if it fails to see your face then I just press the side button to lock the screen, wait a couple of seconds and then press it again and hey presto it unlocks. Or you can hold the bottom bar on the screen and drag it up slightly just a tad then let go so that it drops down again and that makes iOS try to unlock the phone.
That helps a lot. As to the big point, I have an alphanumeric passcode that is 16 digits long and I would rather do this than use 4 numbers as you seem to want to use because I do not want anyone hacking my iPhone. If it is an inconvenience for me then it will be a pain in the bum for any hacker etc.
 
And there we have it. The one and only reason computers et al need rock solid security..... the fact bad dudes can break in too.

Come on Apple and get with the security update that renders these boxes useless.
 
Firstly I own an iPhone X and I can say it hardly ever fails to recognise my face, because you know..you're using it wrong lol. Seriously though it had a few times to start with where it failed but over time it got better at seeing my face. Next, if it fails to see your face then I just press the side button to lock the screen, wait a couple of seconds and then press it again and hey presto it unlocks. Or you can hold the bottom bar on the screen and drag it up slightly just a tad then let go so that it drops down again and that makes iOS try to unlock the phone.
That helps a lot. As to the big point, I have an alphanumeric passcode that is 16 digits long and I would rather do this than use 4 numbers as you seem to want to use because I do not want anyone hacking my iPhone. If it is an inconvenience for me then it will be a pain in the bum for any hacker etc.


if someone has an x, and doesn't know that upon a non-recognition you can swipe up or just off-the-screen momentarily and re-try the faceid, (sometimes it even retries just by shaking it a moment) -- then, yeah, you are using it wrong. take a second to understand your $900 handheld computer with amazing security before bitching about how it doesn't recognize your face in bright sun or when you're on your side -- laughable.

for the small handful of times my face didn't get recognized (usually i have the phone held way too low, like by my waist, accidentally - quick swipe and lift higher and i'm in, time elapsed: about 600ms...) there are ten, no, a hundred times that many instances where the phone performed miraculously, recognizing me in bright flashing dance lights; in a hat and sunglasses; in many hats and many sunglasses, regular glasses, scarf, no scarf...; in the rain; in the snow; so quickly in a cab, in a store, in an elevator, on the steps; in pitch-black in the bathroom; from like 6 feet away and way off to the side; i could go on for days...... the thing is amazing. as usual.

to bit*h about the couple times you got it to mess up is... well, your life is what you make it. don't forget on default settings it's looking for you to direct your eyes at the camera to unlock, so gotta glance its way at the same time. this can be turned off if desired. i found it poses no hindrance to quick functioning and accurate usage while upping the level of security and timeliness quite a bit. thanks to first touch- and now face-id i've had a 12 digit alpha passcode for a few years now, and the revelation of brute force type boxes like graykey loses me not one minute of sleep -- sure fellas, have at it. knock yourself out. i'll be over here.
 
Apple should take this company over, with extreme hostility, then fire and blacklist all of the employees. And if "law" enforcement won't give the boxes back, they should all be remote bricked.
 
Thanks to this leak though we now have a digital fingerprint to find other exposed boxes. Someone more skilled can start working on a real exploit.
I still struggle with this whole issue.
And feel a LOT of people here, and in general are being VERY two faced, because they are not affected.

Take your son or daughter, being held by a known murderer.
They are going to kill them (send you some body parts for starters) as they have a record of following thru on their threat.
Naturally, you would give up anything to save your child, even your home.

They find the murderer's phone, which would probably give the location so your son/daughter can be saved.

I'm assuming everyone would then say, no it's fine, let them die. Privacy of data is far more important than this one individual.

It's funny and very telling how people's views change when something directly affects them

or you know, they just serve a warrant to their carrier and get their tower location history. Problem solved.
 
I still struggle with this whole issue.
And feel a LOT of people here, and in general are being VERY two faced, because they are not affected.

Take your son or daughter, being held by a known murderer.
They are going to kill them (send you some body parts for starters) as they have a record of following thru on their threat.
Naturally, you would give up anything to save your child, even your home.

They find the murderer's phone, which would probably give the location so your son/daughter can be saved.

I'm assuming everyone would then say, no it's fine, let them die. Privacy of data is far more important than this one individual.

It's funny and very telling how people's views change when something directly affects them

Any sane person of course would want every avenue pursued to find the murderer, but the problem with your scenario is that it's entirely hypothetical. It may make for great TV drama, but this situation (a cell phone being the only key to solving a crime) is extremely unlikely to ever occur. Should a company be forced to compromise the security of millions of devices on the off chance that maybe someday one of those devices might possibly be the key to solving a crime? Or does it make much more sense to make those devices as resistant as possible to the attacks on them that happen daily?

Emotions make very poor counsel for such decisions.
 
Serves them right. Very glad someone bit back. Keep up the good work, whoever you are.
 
There appears to be a misconception as to how this device works. From the little we know it appears to be nothing more than a brute force tool. This is backed by the suggestion to use longer, more complex passcodes to secure your phone. Brute force does not require a backdoor nor does it require a vulnerability.

On a different train of thought the government doesn't really care if hackers get the keys to any backdoor. Making such an argument to them is useless. They want access and while they'll tell you they care they really don't.

As for user privacy I think most people really don't care and, for the most part, their need for security is more along the lines of "casual" security. I use encryption to secure certain things (like banking and tax documents) and I certainly don't broadcast my personal information (i.e. Facebook / Twitter / Instagram / etc.) But I don't have anything that anyone with any hacking skills would really want.

Having said that I am not against strong encryption which lacks a backdoor. I fully support an individual's right to privacy and anonymity. The above statement was merely to say that most people would be fine with a minimal level of security. It was not intended to argue against strong encryption.

Finally I find it coincidental "they" got "hacked" soon after the device becoming known to the world.
 
There appears to be a misconception as to how this device works. From the little we know it appears to be nothing more than a brute force tool. This is backed by the suggestion to use longer, more complex passcodes to secure your phone. Brute force does not require a backdoor nor does it require a vulnerability.

I don't think it's quite so clear cut. Yes, it's a brute force attack on the password, but the software is being installed on a locked device without a passcode, and this software appears to be bypassing some of the security built into the OS that enforces increasing delays between failed password attempts and erases a device after too many failed attempts. Those are both vulnerabilities without which this device couldn't work.

As for user privacy I think most people really don't care and, for the most part, their need for security is more along the lines of "casual" security. I use encryption to secure certain things (like banking and tax documents) and I certainly don't broadcast my personal information (i.e. Facebook / Twitter / Instagram / etc.) But I don't have anything that anyone with any hacking skills would really want.

I think many people don't care about privacy and security until they realize too late that they should have. That's why it's so important for manufacturers to care about it ahead of time. For example, many of us probably don't think anyone would be interested in our data because we haven't figured out some way it could be used against us. If someone does figure out a nefarious use of our data, we'll probably only find out after it's happened, and then it's too late and we'll be left to pick up the pieces. It's much easier to take precautions now than after the fact.
 
O, the irony! The company that made its name hacking another device is itself hacked.

This confirms why creating unbreakable encryption with no backdoor is so critical for true security/privacy. Because nobody has yet designed an antivirus for Murphy’s Law.
 
I don't think it's quite so clear cut. Yes, it's a brute force attack on the password, but the software is being installed on a locked device without a passcode, and this software appears to be bypassing some of the security built into the OS that enforces increasing delays between failed password attempts and erases a device after too many failed attempts. Those are both vulnerabilities without which this device couldn't work.
This assumes the tool is using the same method to submit passcodes as Apple originally intended. With physical access to the device it's possible the device works directly on the encrypted contents. An analogy would be attempting to hack a passcode through a web interface across a network as opposed to hacking it by having the encrypted password file.

I think many people don't care about privacy and security until they realize too late that they should have. That's why it's so important for manufacturers to care about it ahead of time. For example, many of us probably don't think anyone would be interested in our data because we haven't figured out some way it could be used against us. If someone does figure out a nefarious use of our data, we'll probably only find out after it's happened, and then it's too late and we'll be left to pick up the pieces. It's much easier to take precautions now than after the fact.
My point was that a basic level of privacy is probably sufficient for the majority of people. Those who require privacy from a state actor are, IMO, the exception.
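
Added example, not part of any post in this thread: the passcode arithmetic the posts above argue over, as the worst-case time to try every code when attempt delays and the erase limit are bypassed, when only the delays hold, and the guesser's odds when the erase limit holds. The 80 ms per guess, the delay schedule, the 10-attempt erase limit and the 62-character alphabet are assumptions chosen for illustration, not figures from the thread or measurements of any device or tool.

```python
# Added illustration. Every constant here is an assumption, not thread or vendor data.
MS_PER_GUESS = 80                      # assumed cost of one passcode attempt
DELAY_BEFORE_ATTEMPT = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}  # assumed, seconds
ERASE_AFTER = 10                       # assumed failed-attempt erase limit
SECONDS_PER_YEAR = 365 * 24 * 3600

# Passcode lengths mentioned by posters: (label, alphabet size, length).
# 62 = upper case + lower case + digits (assumed alphabet for "alphanumeric").
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("12-char alphanumeric", 62, 12),
    ("16-char alphanumeric", 62, 16),
]


def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly this length."""
    return alphabet_size ** length


def unthrottled_seconds(space):
    """Worst case when delays and erase are both bypassed: every code is tried."""
    return space * MS_PER_GUESS / 1000


def throttled_seconds(space):
    """Worst case when the delays are enforced but the erase limit is not."""
    last = max(DELAY_BEFORE_ATTEMPT)
    waits = sum(d for n, d in DELAY_BEFORE_ATTEMPT.items() if n <= space)
    if space > last:
        # Every attempt after the last scheduled one repeats the final delay.
        waits += (space - last) * DELAY_BEFORE_ATTEMPT[last]
    return waits + unthrottled_seconds(space)


def erase_limited_success(space):
    """Chance that a guesser hits the code before the erase limit is reached."""
    return min(1.0, ERASE_AFTER / space)


def human(seconds):
    """Render a duration in the unit a reader would compare against."""
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 2 * SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report():
    """One row per policy: label, bypassed time, delays-only time, erase odds."""
    rows = []
    for label, alphabet, length in POLICIES:
        space = keyspace(alphabet, length)
        rows.append((label, human(unthrottled_seconds(space)),
                     human(throttled_seconds(space)),
                     erase_limited_success(space)))
    return rows


if __name__ == "__main__":
    for label, fast, slow, p in report():
        print(f"{label:22} bypassed: {fast:>16}  delays only: {slow:>16}  "
              f"erase enforced: p={p:.2e}")
```

Under these assumptions the attempt limits are what protect a short numeric code, while a long alphanumeric passcode stays out of reach even with every limit bypassed.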
 

For what? They provide a tool to law enforcement and law enforcement only, which is used once a warrant is obtained. No rights are being violated and they're doing nothing illegal.

Remember that the vast majority of the cases these things are used on are crimes against children. Sick people who have taken horrid photos of children and done even worse to them.

Do you really believe it's wrong to access their phones in order to obtain evidence (once a warrant has already been obtained from a judge) in order to put these people away where they can't hurt more kids?
 
For what? They provide a tool to law enforcement and law enforcement only, which is used once a warrant is obtained. No rights are being violated and they're doing nothing illegal.

Remember that the vast majority of the cases these things are used on are crimes against children. Sick people who have taken horrid photos of children and done even worse to them.

Do you really believe it's wrong to access their phones in order to obtain evidence (once a warrant has already been obtained from a judge) in order to put these people away where they can't hurt more kids?
You can't say that a) law enforcement wouldn't misuse this tool and b) the vast majority of the cases for which this device is used are crimes against children.
 