GrayKey iPhone unlocker poses serious security concerns
Ever since the case of the San Bernardino shooter pitted Apple against the FBI over the unlocking of an iPhone, opinions have been split on providing backdoor access to the iPhone for law enforcement. Some felt that Apple was aiding and abetting a felony by refusing to create a special version of iOS with a backdoor for accessing the phone’s data. Others believed that it’s impossible to give backdoor access to law enforcement without threatening the security of law-abiding citizens.

In an interesting twist, the battle ended with the FBI dropping the case after finding a third party who could help. At the time, it was theorized that the third party was Cellebrite. Since then it has become known that Cellebrite, an Israeli company, does provide iPhone unlocking services to law enforcement agencies.

Cellebrite, through means currently unknown, provides these services at $5,000 per device, and for the most part, this involves sending the phones to a Cellebrite facility. (Recently, Cellebrite has begun providing in-house unlocking services, but those services are protected heavily by non-disclosure agreements, so little is known about them.) It is theorized, and highly likely, that Cellebrite knows of one or more iOS vulnerabilities that allow them to access the devices.

In late 2017, word of a new iPhone unlocker device started to circulate: a device called GrayKey, made by a company named Grayshift. Based in Atlanta, Georgia, Grayshift was founded in 2016 and is a privately-held company with fewer than 50 employees. Little was known publicly about this device, or even whether it was a device or a service, until recently, as the GrayKey website is protected by a portal that screens for law enforcement affiliation.

According to Forbes, the GrayKey iPhone unlocker device is marketed for in-house use at law enforcement offices or labs. This is drastically different from Cellebrite’s overall business model, in that it puts complete control of the process in the hands of law enforcement.

Thanks to an anonymous source, we now know what this mysterious device looks like, and how it works. And while technology is a good thing for law enforcement, it presents some significant security risks.

How it works
GrayKey is a gray box, four inches wide by four inches deep by two inches tall, with two Lightning cables sticking out of the front.
Two iPhones can be connected at one time, and are connected for about two minutes.
After that, they are disconnected from the device but are not yet cracked.
Sometime later, the phones will display a black screen with the passcode, among other information.
The exact length of time varies, taking about two hours in the observations of our source.
It can take up to three days or longer for six-digit passcodes, according to Grayshift documents,
and the time needed for longer passphrases is not mentioned.
Even disabled phones can be unlocked, according to Grayshift.
[Image: GrayKey iPhone passcode unlocker]
After the device is unlocked, the full contents of the filesystem are downloaded to the GrayKey device.
From there, they can be accessed through a web-based interface on a connected computer
and downloaded for analysis.
The full, unencrypted contents of the keychain are also available for download.

The GrayKey device itself comes in two “flavors.” The first, a $15,000 option,
requires Internet connectivity to work.
However, there is also a $30,000 option. At this price, the device requires
no Internet connection whatsoever and has no limit to the number of unlocks.
It will work for as long as it works; presumably, until Apple fixes whatever
The offline model does require token-based two-factor authentication as a
replacement for geofencing for ensuring security. However, as people often
write passwords on stickies and put them on their monitors, it’s probably too
much to hope that the token will be kept in a separate location when the
What happens if the GrayKey becomes commonplace in law enforcement?
along with its token, if stored nearby. Once off-site, it would continue to work.
Such a device could fetch a high price on the black market, giving thieves
the ability to unlock and resell stolen phones, as well as access to the high-value data on those phones.