Malwarebytes warns of GrayKey iPhone unlocker In a blog from Thomas Reed at Malwarebytes, he has warned of the dangers of a new iPhone unlocker. The device is called GrayKey and is targeted at law enforcement. Reed is concerned that theft of one of these devices, specifically the unlimited model, could be a major advantage for cybercriminals and hackers.

The battle between the FBI and Apple over the San Bernadino shooter was resolved by the Israeli company Cellebrite. It requires phones to be sent to it so that it can extract the data. This latest iPhone unlocker comes from another company who sell the actual device. The GrayKey device is manufactured by a US company called Grayshift and is targeted at law enforcement office and labs.

Reed says that there are two versions of the GrayKey device: He wrote: “The first, a $15,000 option, requires Internet connectivity to work. It is strictly geofenced, meaning that once it is set up, it cannot be used on any other network.

Thomas Reed, Malwarebytes
Thomas Reed, Malwarebytes

“However, there is also a $30,000 option. At this price, the device requires no Internet connection whatsoever and has no limit to the number of unlocks. It will work for as long as it works; presumably, until Apple fixes whatever vulnerabilities the device relies on, at which time updated phones would no longer be unlockable.”

How does GrayKey work?

As with all these devices, confirming details is anything but simple. Reed and Malwarebytes gained access to one via an anonymous source. What they have discovered is covered in the blog. In brief it is:

  • Four inches wide, four inches deep and two inches wide.
  • Has two lightening cables sticking out the front.
  • Will deal with two iPhones at a time and each is connected for just two minutes. During this time it appears to install code onto the device, presumably by rooting it.
  • Once disconnected the iPhones will continue to process the code and eventually display a black screen with the password and time spent discovering the passcode. The longer the passcode the more time is required.
  • Once unlocked, the full contents of the filesystem are downloaded to the GrayKey device. Interestingly Reed doesn’t mention reconnecting the iPhone to the GrayKey. This means the files could be downloaded Over the Air (OTA).
  • Files are accessed using a web-based interface on a computer also connected to the GrayKey device.

Why is Reed worried about this device?

Reed has voiced several concerns over the GrayKey. One of his biggest concerns is the risk of the unlimited version getting stolen. Although it is protected with two-factor authentication, Reed points out that people are often lazy with passwords and even tokens. Once stolen the device would be sold on the black market for a considerable fee.

Another concern is the future state of the device. Law enforcement doesn’t just access seized devices, it is also given access to device by their owners during an investigation. Reed believes that there is a real risk of technicians just resorting to the GrayKey even if the have the passcode. This would provide a significant amount of additional data over and above what the owners had agreed to give up. That data includes passwords to other accounts and credit card data.

The process by which the GrayKey works and how it later acquires all the data is known. Reed is concerned that this could mean the device is left open to attack. This would be a significant issue for those who had provided their devices voluntarilty.

There is also a question about the security on the GrayKey device itself. Reed asks how secure is it? Is the data it gathers encrypted? If the data comes from the device OTA, is that an encrypted connection?

There are several other concerns that Reed has and all of them are reasonable. Greyshift, as expected, are not keen on providing information about how their device works. While there are technical documents available, they are locked down to those in law enforcement. It will be interesting to see how long they stay secure and if they are leaked.

What does this mean?

There is increasing demand from governments and law enforcement for technology companies to make it easier to break encryption. Calls for backdoors into encryption or a superkey have been largely ignored by the tech industry. There are good reasons for this. Any attempt to create a covert access provides a weak point that can be exploited by others.

It is also reasonable that law enforcement is able to get access to devices when it needs to. Those devices hold critical data especially in a terrorism or serious crime context. Squaring the circle between tech companies, customer demand and the requirements of law enforcement is virtually impossible. This creates a market for companies such as Cellebrite and Grayshift.

Unlike Cellebrite who require the device to be sent to them, Grayshift has created a very portable device. It has also chosen to hide how the device works and what it does to phones. Even the details of how data is secured by the GrayKey device would help alleviate some concerns.

For now, iPhone users need to accept that the much vaunted security of their devices is no longer an absolute.


Please enter your comment!
Please enter your name here