Last week it became known that the company GrayShift claimed it had developed a device that could be used to unlock the latest iPhones. Little was known about the device, but Malwarebytes received information from an anonymous source which it shares on its website.
The device is called the GrayKey and it’s a small box with two Lightning cables sticking out of the front. It’s possible to connect two iPhones at once. The smartphones have to be connected to the GrayKey for 2 minutes, after which they have to be disconnected. At that moment the phone isn’t cracked yet. Some time later, the phones will display a black screen with the passcode and some other information.
According to Malwarebytes, it can take two hours but also three days or even longer to get the passcode from the phone, depending on the length of the passcode. Even disabled iPhones can be unlocked with the method. After the phone is unlocked, the contents of the file system are downloaded to the GrayKey device. From there the files can be analyzed through a web-based interface on a connected computer. The full, unencrypted content of the key chain can also be downloaded.
A screenshot on the Malwarebytes website indicates that the GrayKey works with iOS 11.2.5, which is likely the latest iOS version at the time the screenshot was made. According to Forbes, the GrayKey can also unlock iPhones running iOS 10, and support for iOS 9 should be added later. In practice this means that even the latest iPhones, such as the iPhone 8 and iPhone X are not safe for the device.
GrayShift sells two different versions of the GrayKey, the first option costs $15,000 and only works with an internet connection and is limited to the network where it connects the first time. It can’t connect from other networks and is limited to 300 unlocks. The second option costs $30,000, doesn’t require an internet connection and can be used unlimited times.
The company that develops the device, GrayShift, appears to be run intelligence agency contractors from the United States and an ex-Apple security engineer.
It’s unknown what vulnerabilities the GrayShift has found and which are used in the GrayKey. Because the time it takes to retrieve the passkey differs from hours to days, it could be that the tool is brute-forcing the passcode. This means it does repeated guesses until the passcode is found. Normally this is not possible, unless the company has access to the ‘Apple Secure Enclave’, as a security researcher explains to Forbes.
The Secure Enclave is an isolated chip that handles the encryption key on the iPhone. The chip increases the time a new passkey can be guessed based on the number of wrong guesses, after the 9th attempt, an hour has to be waited until the chip accepts a new guess. If that process is broken, it’s possible to guess thousands of passcodes per second. The GrayKey would then continue to guess passcodes till it finds the right one.
Apple hasn’t responded to the new hack, but advises users to keep their OS up-to-date.