Slashdot Mirror

← Back to Stories (view on slashdot.org)

State Department Seemingly Buys $15,000 iPhone Cracking Tech GrayKey (vice.com)

Posted by BeauHD on from the only-a-matter-of-time dept.

An anonymous reader quotes a report from Motherboard: Grayshift, a company that offers to unlock modern iPhones for as little as $50 each, has caused a buzz across law enforcement agencies, with local police already putting down cash for the much sought-after tech. Now, it appears a section of the U.S. State Department has also purchased the iPhone cracking tool, judging by procurement records reviewed by Motherboard. Grayshift's iPhone product, dubbed GrayKey, can unlock devices running versions of Apple's latest mobile operating system iOS 11, according to marketing material obtained by Forbes. An online version of GrayKey which allows 300 unlocks costs $15,000 (which boils down to $50 per device), and an offline capability with unlimited uses is $30,000. According to a recent post from cybersecurity firm Malwarebytes, which obtained leaked details on GrayKey, the product itself is a small, four inch by four inch box, and two iPhones can be connected at once via lightning cables. Malwarebytes adds that the time it takes to unlock a device varies depending on the strength of the user's passcode: it may be hours or days. Notably, Grayshift includes an ex-Apple engineer on its staff, Forbes reported.

On March 6, the State Department ordered an item from Grayshift for just over $15,000, according to a purchase order listing available on the U.S. government's public federal procurement data system. The listing is sparse on details, putting the order under the generic label of "computer and computer peripheral equipment." But Motherboard confirmed that the Grayshift in the State Department listing is the same as the one selling iPhone cracking tech: the phone number of the vendor in both the purchase order and documents Motherboard previously obtained detailing a GrayKey purchase by Indiana State Police is the same. The "funding office" for the Grayshift purchase was the Bureau of Diplomatic Security, according to the procurement records. The Bureau acts as the law enforcement and security arm of the State Department, bearing "the core responsibility for providing a safe environment for the conduct of U.S. foreign policy," the State Department website reads.

10 of 79 comments (clear)

  1. Re: Strength of passcode? by Anonymous Coward · · Score: 3, Informative

    iOS allows indeterminant length pass phrases, you simply need to change a setting

  2. Apple will buy one... by InvalidsYnc · · Score: 4, Insightful

    ...and then it will use it to determine how it is cracking the login, and then they will fix it, and the security will be even stronger for Apple. Sounds like a good deal. :P

  3. IOS or Security Enclave by Dorianny · · Score: 4, Interesting

    Its obvious that they must have found an exploit that allows them to bypass the number-of-attempts security mechanism. I wonder if this is handled in IOS or if it is a more serious Security Enclave bug.

    1. Re:IOS or Security Enclave by Anonymous Coward · · Score: 3, Insightful

      Besides the Israeli and Russians who had it out years before. Service was easy in Thailand. A backdoor exploit must be non obvious. using the port not the screen is still obvious.Placing a logic analyzer in series with the connections is still obvious. It makes sense to impose a scramble box, then send to a 2nd iPhone. My bet is a memory dump occurs, and then is brute forced. And likely a 2nd round needed to find the salt, then a transformation. This would prevent simple replay attacks, and simple copycats.

  4. Re:Strength of passcode? by kilfarsnar · · Score: 4, Informative

    What does it mean for a passcode to be particularly strong or weak when the passcode must be all digits and must be some fixed number of digits long?

    It means that for the passcode to be stronger it needs to be longer. There is not a fixed number of digits, and the phone can be set to require you to tap OK after typing the passcode, so the number of digits cannot be determined.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  5. Re:Strength of passcode? by Anubis+IV · · Score: 3, Informative

    I take it you’re unaware that alphanumeric passcodes have been supported since iOS 4? In iOS 11, you just need to tap the rather obviously named Passcode Options button when you go to change your passcode to bring up the options for formats other than the six-digit default.

  6. Re:apple will just drop lightning cables in next p by Opportunist · · Score: 5, Funny

    Has to? HAS TO? Challenge Accepted!

    --signed, Tim Cook.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:Strength of passcode? by registrations_suck · · Score: 5, Informative

    Change your passcode.

    On the "Enter your new passcode" screen, there is a link called "Passcode Options". Click that.

    You then have three choices to choose from:
    1). Custom Alphanumeric Code
    2). Custom Numeric Code
    3). 4-Digit Numeric Code

  8. Re:Strength of passcode? by mark-t · · Score: 3, Interesting

    I've known people who've spent 10 to 15 minutes dealing with the security checkpoints simply because they had their device set to fingerprint unlock, even though they didn't have anything in particular on the phone that security would have been interested in.

    That's why, about 30 minutes or so before I'm going through a security checkpoint where my belongings may be searched, I will unlock my phone so that it does not require any kind of password to turn on and navigate the home screen and applications. When they've asked to see the phone, I've simply handed it to them, they turned it on, saw that they had access to everything, and immediately handed it back without even trying to find anything or asking me any questions.

    It seems that simply having a device that is locked at all gives them enough reason to want to search it, while having a device that is not leaves them giving the device back right away with no questions asked.

    This also has the advantage that I will not be put in the position of even being asked for my password at all. Even though I may not legally have to tell them my passwords, I think that not cooperating with them, or even creating the appearance that I don't want to cooperate with them has some non-zero potential of making my life a whole lot more complicated than it needs to be, so unlocking the device beforehand so that it requires no such passcode avoids the matter entirely.

    --
    File under 'M' for 'Manic ranting'
  9. Re:Strength of passcode? by Solandri · · Score: 4, Insightful

    In Android you can just create a second user without a password and login to it. It'll have access to your installed apps (free ones and ones which are authorized for that account), but not your data (unless rooted and you have a file browser with root privileges). Unless you actually check for user accounts, it'll look just like a plain single-account unlocked phone.