Slashdot Mirror


Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (forbes.com)

Thomas Fox-Brewster, reporting for Forbes: Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer. In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses. Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.

71 of 106 comments

  1. Let the arms race begin! by Bruce66423 · · Score: 1

    Please pass me the popcorn...

    1. Re:Let the arms race begin! by Anonymous Coward · · Score: 2, Insightful

      No. "Popcorn" has been removed by Apple from the AppStore.

    2. Re:Let the arms race begin! by jellomizer · · Score: 1

      Being that this service is being labeled "Mysterious", I expect they are opening up the phone, tapping into the storage media, downloading all the data, then brute forcing it until they get in. Being most people just use a 4 digit pin, that means 9999 possible combinations. If they use a password, then we have the brute force password hacking algorithms.

      For such a process I would expect 30k to be a reasonable price, taking into account opening an iPhone without breaking it, skills to tap into a soldered SD drive, putting the data onto high speed server(s), putting the phone back to the way it was before, and doing the hack.

      Not impossible, and really there isn't much Apple can do at these particular points. It gets to a point where enough effort will allow someone to get into a device that was built by man.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Let the arms race begin! by rot26 · · Score: 1

      OH NO YOU DIH UHNT

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
    4. Re:Let the arms race begin! by mlyle · · Score: 1

      The data on the phone is encrypted with much longer keys than your PIN.

      Your credential is presented to the secure enclave, which ratelimits attempts and locks out on too many failures. If it is correct then it releases appropriate keys.

    5. Re: Let the arms race begin! by RichardCulverhouse · · Score: 1

      Uh? Was that some obscure foreign language you just used... ?!

    6. Re:Let the arms race begin! by Hallux-F-Sinister · · Score: 1

      GPL'ed software isn't allowed in the Apple iOS Appstore, or at least it didn't used to be, which was, (I was told,) why Firefox was for so long absent therefrom. Still waiting for LibreOffice for iPad though. :(

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
    7. Re:Let the arms race begin! by Hallux-F-Sinister · · Score: 1

      Rot 26 only works in your elitist, snobbish 26-character alphabets, you insensitive clod! If you have either MORE, or FEWER characters in your alphabet, or have anything even more exotic or foreign, such as an abjad or syllabary, then it really mucks stuff up.

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
    8. Re:Let the arms race begin! by rot26 · · Score: 1

      stereotypical-black-girl-talk? It's millennialspeak, I'm sad to say. You're not paying attention.

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
    9. Re:Let the arms race begin! by sexconker · · Score: 1

      Correct.

      This is either something that makes use of a massive vulnerability in Apple's implementation, or it's the tried-and-true method of freezing/resetting the unlock attempt counter so you can brute-force the password.

    10. Re:Let the arms race begin! by tlhIngan · · Score: 1

      GPL'ed software isn't allowed in the Apple iOS Appstore, or at least it didn't used to be, which was, (I was told,) why Firefox was for so long absent therefrom. Still waiting for LibreOffice for iPad though. :(

      GPLv3 software isn't allowed in the app store because that's a violation of the GPLv3 license (anti-tivoization - since the app store keys are not revealed, it is therefore incompatible with the GPLv3).

      GPLv2 software may be allowed even though doing so potentially violates the GPL (because the App Store limits your usage to 5 devices).

      But if it's GPL, go ahead and sideload your software. Apple allows you to (for free) sideload apps onto your device.

    11. Re:Let the arms race begin! by Xylantiel · · Score: 1

      And the winner is: actual security! Apple and other vendors should fix vulnerabilities like this. What, do we want the tools outlawed and security research with it? Now there is an issue if these companies are hiding the vulnerabilities from the vendor, but it's quite possible that they are problems that Apple knows about but are tricky to fix (e.g. electronic or physical design or manufacturing issues). Timing/heating/monitoring attacks can be very hard to defend against. You know if it only costs $15k there is a good chance the black hats can already do it for a sufficiently worthwhile target.

    12. Re:Let the arms race begin! by AmiMoJo · · Score: 1

      My guess is that they found a way to bypass the usual limits on PIN guesses somehow, allowing them to try all possibilities quickly. And it sounds like they do it entirely in software.

      Maybe something like they found a way to crash the secure processor, so they can reset it before it counts the attempt as failed. Timing reveals if it is going to accept or reject the pin early.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Let the arms race begin! by diamondmagic · · Score: 1

      Correction: GPL software can be published, it's the GPL per se that doesn't allow GPLed software on app stores.

      Apple couldn't care less, their developer agreement gives them a license to distribute your app, even if the GPL doesn't.

    14. Re:Let the arms race begin! by WorBlux · · Score: 1

      The problem is most phones combine the pin with a device unique code from the security coprocessor.

      You either need to exploit the boot-loader, or have a key to sign your own boot loader with.

  2. We just need the galactic key by Mysticalfruit · · Score: 1

    We just need the galactic key to unlock it... really easy.

    --
    Yes Francis, the world has gone crazy.
  3. Pirated in 3...2...1... by mark-t · · Score: 1

    I don't see this as being usable on current hardware for very long.

  4. That ex-Apple employee by Anonymous Coward · · Score: 1

    Could Apple go after him for undermining their current products?

    1. Re: That ex-Apple employee by nospam007 · · Score: 1

      Apple just spent 30.000$ I guess.

    2. Re: That ex-Apple employee by BronsCon · · Score: 1

      Judging by the placement of the dollar sign at the end of the number, I'd wager that nospam007 hails from a country where , is the decimal and . is the separator. That's actually most of the world, mind you.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re: That ex-Apple employee by bioteq · · Score: 1

      Or, he's a programmer who has used Basic and a lot of other languages where '$' denotes a variable of some sort.

      Back in my old days of VB and QB (yeah yeah.) I got super used to putting the '$' at the end and, to this day, still do at times. As for the period vs comma? I cannot attest for that one.

    4. Re: That ex-Apple employee by BronsCon · · Score: 1

      My theory explains all three. Most countries in the world use the . and , in exactly the opposite manner that we do in the US, so what we would write as $1,000.00 might be $1.000,00 elsewhere. Likewise, many countries that use a comma as a radix point also put their currency mark at the end of the number. Further evidence in favor of my theory is that the non-limited version of the device being discussed sells for $30,000, not $30.00.

      Of course, nospam007 would have to confirm one way or the other, but I'm partial to theories that explain all of the unknowns, in the absence of concrete proof.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:That ex-Apple employee by mccalli · · Score: 1

      IMHO, should do both. I'm not normally into suing people who find ways round things, but in this case it's an ex-employee with privileged knowledge. Pour encourager les autres.

    6. Re: That ex-Apple employee by q4Fry · · Score: 1

      All true, but $30k is still nothing to Apple.

    7. Re: That ex-Apple employee by bioteq · · Score: 1

      Well, after doing the Right Thing(TM) (AKA: cyber-stalking) and slogging through his known Slashdot posts, it would seem that he rarely (but at times does) put the currency symbol at the end of the currency amount. He also sometimes does not use the transposed '.' and ',' but, most of the time he does, especially on amounts greater than 100k.

      I did find mention of Euthanasia being legal in his country so I definitely assume you are correct, BronsCon; he's a foreigner.

      I hereby concede defeat.

    8. Re: That ex-Apple employee by BronsCon · · Score: 1

      Funny, I did the same and came to the opposite conclusion, sort of. I ended up figuring either he was originally from the US and living abroad, or he had immigrated to the US, because he seems to follow both conventions. I didn't see the same message you saw about euthanasia or that would have been a dead giveaway. Either way, it's always fun to sharpen the old analytical skills.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  5. DMCA? by Rick+Schumann · · Score: 1

    LOL maybe Apple will issue a DMCA takedown notice against that company and the government for reverse-engineering iPhones.
    All kidding aside Apple will I'm sure just treat this like any other exploit uncovered and change their product to prevent it. Then they'll create a new tool. Welcome to the endless game of Security Whack-a-Mole.

    1. Re:DMCA? by mark-t · · Score: 2

      It'll suck for the people who spent the $15k or $30k on the product, only to have it stop working not long afterwards.

      I'd hope that $15k/$30k would include upgrades for a long enough time to be worthwhile, otherwise it's a money sink.

    2. Re:DMCA? by Anonymous Coward · · Score: 1

      It will be a government entity using its citizen's tax dollars to pay for it, so they won't care. Other people's money.

    3. Re:DMCA? by DontBeAMoran · · Score: 1

      AFAIK Apple doesn't allow Bitcoin wallet apps, so your plan is foiled.

      --
      #DeleteFacebook
    4. Re:DMCA? by sexconker · · Score: 1

      Bitcoin wallets are just private keys, and people can and do store them everywhere, no app required.
      Some people are even dumb enough to store them in an unencrypted form.

  6. 15 large for 300 uses? Sounds cheap... by Bearhouse · · Score: 1

    OK, 15 grand is a lot for the average individual, but for law enforcement etc. it's peanuts.
    Did I not read here about that Israeli firm charging 100k a pop?
    This is really discounting hard - 50 bucks per phone cracked, (if that's what they're doing).

  7. Should be considered treason. by thedarb · · Score: 2, Interesting

    This is completely against the public's own interest and should be considered treason, IMHO.

    --
    This sig intentionally left blank.
    1. Re:Should be considered treason. by mark-t · · Score: 1

      Definitions mean nothing to the current governing regime.

      We're talking about a government that has chosen to take "national security" to include even things that merely *might* be of significant economic interest... to only one particular industry, I might add.

    2. Re:Should be considered treason. by mschuyler · · Score: 1

      I don't think that word means what you think it means.

      --
      How about a moderation of -1 pedantic.
    3. Re:Should be considered treason. by amiga3D · · Score: 1, Troll

      What's really funny is watching all these people that claim Trump is worse than Hitler, the most evil creature ever, and then they want him to confiscate all private firearms. Pure idiots.

    4. Re:Should be considered treason. by mark-t · · Score: 1

      I used the term "regime" because the fault does not lie with any single person. "administration" would have been an equally applicable term.

    5. Re:Should be considered treason. by DontBeAMoran · · Score: 1

      Depending on who's using them, those private firearms could maybe hold up against a few SWAT teams.

      But there's a lot of SWAT teams. Then there's the army, the navy and the air force.

      After that, there's all the secret organizations you don't know about, some of them probably equipped with alien weapons.

      So yeah, good luck revolting against your government, your puny hand guns will surely let you defend yourself against all of those.

      --
      #DeleteFacebook
    6. Re:Should be considered treason. by thegarbz · · Score: 1

      There's irony in a statement that complains about national security including economic interests when discussing a country that spends quite so much on its military.

      Given how economics are the deciding factors in many wars you may want to reword your statement.

    7. Re:Should be considered treason. by rogoshen1 · · Score: 2

      Despite all the high tech weapons and whatnot, any kind of sustained operation still relies on boots on the ground. And I think you'd be surprised at how quickly the desertion rate would approach 100% if something like that came to pass -- the brainwashing of rank and file grunts is not *that* .. effective

      Also, notice how hard of a time the US has had in pacifying places like Iraq or Afghanistan. It turns out large scale guerrilla-type conflicts are very hard for the US military to handle in a sustained fashion.

      It would be a brutal and painful civil war -- and only a completely base and vile person would hope for it.

    8. Re:Should be considered treason. by mark-t · · Score: 1

      Perhaps you didn't catch that I said it was of economic interest to only one particular (commercial, not government) industry.

    9. Re:Should be considered treason. by gtall · · Score: 1

      Unless he starts a nuclear war. Care to place any bets on his ability to handle a crisis beyond a bimbo explosion?

    10. Re:Should be considered treason. by ArchieBunker · · Score: 1

      Maybe you should read a fucking dictionary.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    11. Re:Should be considered treason. by SvnLyrBrto · · Score: 1

      > Despite all the high tech weapons and whatnot, any
      > kind of sustained operation still relies on boots on
      > the ground. And I think you'd be surprised at how
      > quickly the desertion rate would approach 100% if
      > something like that came to pass -- the brainwashing
      > of rank and file grunts is not *that* .. effective

      I believe the student body of Kent State might have a differing experience on that score.

      --
      Imagine all the people...
    12. Re:Should be considered treason. by amiga3D · · Score: 1

      They had rocks against M-16s. That's not a good idea.

    13. Re:Should be considered treason. by amiga3D · · Score: 1

      Asking troops to slaughter US civilians might get a little dicey. Even SWAT teams might start to balk. It's one thing to go after a bank robber holding hostages. To kill women and kids you need someone like the BATF.

    14. Re:Should be considered treason. by DontBeAMoran · · Score: 1

      Yeah, the fools should have used paper.

      --
      #DeleteFacebook
    15. Re:Should be considered treason. by pi_rules · · Score: 1

      The reserves had M1 Garands, not M-16s.

    16. Re:Should be considered treason. by amiga3D · · Score: 1

      That's actually worse. Better a 5.56 than that big round the M1 fires.

  8. Re:Arrest them for DMCA violation by volodymyrbiryuk · · Score: 2

    You know very well that it applies only to ordinary civilians.

    --
    sudo rm -r -f --no-preserve-root /
  9. law enforcement use can by pass the dmca by Joe_Dragon · · Score: 1

    law enforcement use can by pass the dmca

  10. Maybe app developers need to start encrypting? by ctilsie242 · · Score: 1

    Maybe app developers should consider doing their own encryption for data stored? This could be fairly simple, depending on the persistence of the data. If the data doesn't leave the device, create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. That way, the OS (which is normally secure) maintains security, but the app still has stuff secured by the separate added PIN/passphrase.

    If the data has to be backed up, it could be encrypted with a nonce, and an HMAC of the nonce and the PIN/PW used to secure it if it is backed up to iCloud or if it goes to iCloud directly as a file.

    For backups, one can do an architecture similar to Titanium Backup. Prompt for a password, generate a keypair, encrypt the private key with the password, then bundle the encrypted private key with every backup (or perhaps file). This allows backups to be done using the public key, and restores easily done by prompting for the password.

    OpenSSL is available on iOS, so this shouldn't be too much of a stretch.

  11. It's a software solution by Bruce66423 · · Score: 1

    At least according to the description.

  12. Hardware or software? by bradley13 · · Score: 1

    Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.

    So sure, Apple immediately spent $30k for a license, so that they can analyze it. The fascinating question will be: Does the exploit rely on a hardware flaw or a software flaw? If the latter, it will quickly be patched. If this is ultimately relying on some weakness in the hardware, it likely won't ever be patched for older phones, though the iPhone 11 may be immune.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Hardware or software? by DontBeAMoran · · Score: 1

      Is the iPhone X really number 10, though? Because there's no iPhone 9 right now.

      I'm thinking this is like they went from Mac OS 9 to Mac OS X, the iPhone X represents a new line of iPhones.

      In any case, I'm waiting for the iPhone XXX. They'll have to allow VR porn and 3D hentai apps on it!

      --
      #DeleteFacebook
    2. Re:Hardware or software? by TrekkieGod · · Score: 1

      Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.

      Apple does the maximum number of wrong attempts before deleting the contents of the phone thing. So I'm pretty sure the vulnerability is being able to stop that from happening (and likely adding the code to do the brute forcing). The brute force code is to unlock. By default, iOS has a 4-digit pin to unlock. That's really easy to brute-force in no time at all if you can have the software input the numbers and get around the maximum number of retries thing, so no reason to even try something other than brute-forcing.

      The part that gets me thinking is that the firm is run by an ex-apple security researcher. If he gets to do the above by jailbreaking it through a private key he swiped from Apple and took with him, or a backdoor he coded in himself, then he's in serious legal trouble.

      --
      Warning: Opinions known to be heavily biased.

    3. Re:Hardware or software? by bartle · · Score: 1

      In order for John Irving to unlock her iPhone, he enters a 6 digit PIN. Maybe Lorian Bartle uses an alphanumeric password. John and Lorian did not choose strong passwords, knowing they have to enter it every time they boot up the phone, so either phone is easily crackable by copying the encrypted contents of their phones onto a powerful computer and brute forcing every possible password.

      Apple prevents this by generating a random element that, combined with John or Lorian's passcode, makes up the encryption key. This random element is stored inside Apple's super-special security chip. The exploit that they're selling may be based around extracting or computing this random element which would still necessitate a brute-force approach, but it moves the approach into the realm of the possible.
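The construction bartle describes (a random device-held element combined with the passcode) and the app-level layer ctilsie242 proposes in comment 10 (a random Keychain secret XORed with a PIN-derived key, plus an HMAC-bound backup key) are the same idea; the following is an added Python example of it, not code from the thread or from Apple. It uses only the standard library, simulates the Keychain with a dict, and the PBKDF2 cost and the label strings are assumptions; the random per-install value is a long-lived secret, not a nonce.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption: illustrative stretching cost, tune per device


def stretch_pin(pin: str, salt: bytes, length: int = KEY_LEN) -> bytes:
    """Stretch a short PIN/passphrase into key material with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_working_key(device_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Working key = device_secret XOR stretch(PIN).  The device secret is a
    uniformly random long-lived secret (not a nonce), so the working key is
    uniformly random even when the PIN has only 10^4 possibilities; the PIN
    alone recovers nothing unless the Keychain item is also obtained."""
    return xor_bytes(device_secret, stretch_pin(pin, salt))


def verifier_tag(working_key: bytes, salt: bytes) -> bytes:
    """Key-confirmation tag: lets the app tell a wrong PIN from a right one
    without storing the working key.  Label string is an assumption."""
    return hmac.new(working_key, b"pin-verifier|" + salt, "sha256").digest()


def enroll(keychain: dict, pin: str) -> dict:
    """Random secret goes into the (simulated) Keychain; salt and verifier go
    into ordinary app storage.  Returns the app-storage record."""
    device_secret = secrets.token_bytes(KEY_LEN)
    keychain["app.device_secret"] = device_secret
    salt = secrets.token_bytes(16)
    key = derive_working_key(device_secret, pin, salt)
    return {"salt": salt, "verifier": verifier_tag(key, salt)}


def unlock(keychain: dict, record: dict, pin: str):
    """Return the working key for a correct PIN, else None."""
    device_secret = keychain.get("app.device_secret")
    if device_secret is None:
        return None  # Keychain item missing: nothing to recover
    key = derive_working_key(device_secret, pin, record["salt"])
    if hmac.compare_digest(verifier_tag(key, record["salt"]), record["verifier"]):
        return key
    return None


def wrap_backup_key(backup_key: bytes, pin: str) -> dict:
    """Backup case: data is encrypted under a random backup_key; that key is
    wrapped under PIN-derived material and bound with an HMAC, so a wrong PIN
    or a tampered blob is rejected instead of yielding a garbage key."""
    salt = secrets.token_bytes(16)
    material = stretch_pin(pin, salt, 2 * KEY_LEN)
    kek, mac_key = material[:KEY_LEN], material[KEY_LEN:]
    wrapped = xor_bytes(backup_key, kek)  # fresh salt per wrap: kek is single-use
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_backup_key(blob: dict, pin: str):
    """Return the backup key for a correct PIN and untampered blob, else None."""
    material = stretch_pin(pin, blob["salt"], 2 * KEY_LEN)
    kek, mac_key = material[:KEY_LEN], material[KEY_LEN:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return xor_bytes(blob["wrapped"], kek)


if __name__ == "__main__":
    keychain = {}  # stands in for the iOS Keychain
    record = enroll(keychain, "1234")
    print("right PIN ->", unlock(keychain, record, "1234") is not None)
    print("wrong PIN ->", unlock(keychain, record, "0000") is not None)
    print("no Keychain item ->", unlock({}, record, "1234") is not None)
```

Note that the verifier tag gives the app a way to reject a wrong PIN, but the rate limiting that makes a 4-digit PIN survive guessing still has to come from the OS or the Secure Enclave; this layer only ensures the PIN is useless without the Keychain secret.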

  13. Re:Right next to the “any key” by DontBeAMoran · · Score: 1

    Instructions unclear, penis stuck in oppai mousepad.

    --
    #DeleteFacebook

  15. 15K for 300 uses by DontBeAMoran · · Score: 1

    Isn't that the exact same rate as the whores working at Costco?

    --
    #DeleteFacebook
  16. Re:Phew. by DontBeAMoran · · Score: 1

    Grey's mother was a hamster and Key's father smelt of elderberries!

    --
    #DeleteFacebook
  17. Re:15 large for 300 uses? Sounds cheap... by Stan92057 · · Score: 1

    Well, thinking like yours has gotten the US people billions in federal debt. What's a few thousand more lol...

    http://www.usdebtclock.org/

    --
    Jack of all trades, master of none
  18. GrayKey is not Deep Throat by Annie+Ominus · · Score: 1

    disgruntled apple cyber security employee maybe, stole a gen key before retirement? Anyone related to Felt work there lately?

  19. That word doesn't mean what you think it does by raymorris · · Score: 1

    > create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. ...
    > If the data has to be backed up, it could be encrypted with a nonce

    The key to your whole scheme is the nonce. And you don't know what a nonce is. So I'll answer your question:
    > Maybe app developers should consider doing their own encryption?

    App developers should develop apps. Cryptographers, who not only know what a nonce is, but can rattle off the top three most common problems when using a nonce, should do cryptography. Secure encryption is such a difficult problem that people who get a master's degree and spend their entire careers doing it STILL can't reliably do it right. It's *that* difficult.

    1. Re:That word doesn't mean what you think it does by ctilsie242 · · Score: 1

      The perfect is the enemy of the good here.

      Having one's own encryption layer is better than nothing, especially if the phone's encryption may not be secure. Yes, an app developer might have to take the time to realize using AES in ECB mode is not a good thing, but that is better than nothing.

  20. Ah - the joys of capitalistic competition by Bruce66423 · · Score: 1

    Nice point, thank you: embarrass Apple into addressing the issue.

    The interesting question is whether Apple has the right to demand the basis for the attacks from the vendor.

  21. Spectre or meltdown by xluap · · Score: 1

    This might exploit some spectre or meltdown like vulnerability to get the encryption keys that are located in an until now safe part of the processor chip.

  22. Re: Should be $30M for unlimited by Brockmire · · Score: 1

    Only terrorists and gunmen have Apple phones.

  23. It's either secure for everyone by Darkling-MHCN · · Score: 1

    ....or it's secure for no one.

  24. This cheap? *lol* by xxxLCxxx · · Score: 1

    This cheap? *lol*
    ...and Apple believers will still assert that their phones are safe. When it comes to dumbing down people, religion is certainly the most effective.

  25. Maybe. False sense of security is bad by raymorris · · Score: 1

    If you think a file is encrypted, and therefore it's safe to back it up to an open S3 bucket, it would have been much better to not make it look encrypted and make it obvious that it's not protected.

    Whether weak encryption is better than none very much depends on many factors. Very often, it's "better" in the short term, but two years later someone does something that exposes the data because it looks like it's safe. They forget or never knew that the encryption isn't good encryption.