The debate over whether law enforcement agencies should be given exclusive access to iOS-powered Apple devices started when the FBI was unable to unlock the San Bernardino shooter’s iPhone. Eventually, the FBI found another way to get inside Apple’s secured digital fortress, through an Israel-based company called Cellebrite.
In the latest news, we have come across a new iPhone unlocking device called GrayKey that can be used by law enforcement guys to harvest the passcode of an iPhone and other iOS-powered devices such as iPads and iPods.
GrayKey is developed by a low-profile company called Grayshift, based in Atlanta, Georgia. The device wasn’t known to many until late 2017. Earlier this month, a Forbes report described the first details of the supposed iPhone unlocking hardware. As per the report, the company is run by an ex-Apple security engineer and longtime US intelligence contractors.
Now, the security firm Malwarebytes has released leaked images of the so-called black box that compromises the iPhone’s security.
Unlocking the passcode of an iPhone using GrayKey is child’s play. The device has two Lightning cables hanging out of it, which can be used to connect two iPhones. After a couple of minutes, the iPhones are disconnected. It takes around 2 to 3 hours to crack a 4-digit passcode, which is displayed on the screen along with other information. For longer 6-digit passcodes, it could take up to three days.
All the data on the compromised iPhone (including the Keychain’s encrypted data) gets stored on the GrayKey device, where it can be accessed and downloaded to a computer via a web interface. The iPhone hacking device can even unlock the latest Apple flagship, the iPhone X, running iOS 11.2.5. It’s unclear whether Apple has managed to fix the loophole(s) in later versions, including iOS 11.2.6.
Beyond its use by the police and other security agencies, GrayKey has several implications that may compromise the security of people and their data. First of all, it’s unclear whether GrayKey stores iPhone data in an encrypted or unencrypted form. It’s also unclear whether someone can intercept the data while it’s being transferred.
GrayKey comes in two options. The first is a $15,000 variant which, once configured, can’t be taken to another place, as it’s geofenced and requires internet. It can be used up to 300 times. The other, costlier option comes with a price tag of $30,000. It works offline and can be used an unlimited number of times.
If someone manages to get hold of such a device, what they could do is beyond imagination. It could be a boon for people trying to sell stolen iPhones in the gray market, because you have to do next to nothing and the passcode appears on your screen after waiting for some time. Also, user information such as credit card details, bank accounts, addresses, etc., has a very high value in the black market.
It may not be the case that the security guys and forensic experts would turn rogue one day and start mass-unlocking iPhones, but devices like these raise concerns among the population.
On a positive note, this could be of help to people who end up getting their iPhone locked for 48 years. But that’s a rare scenario. However, one would be a complete fool to take this route, unless their life depends on that iPhone.