SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 88: GrayKey’s Anatomy

Posted on May 10, 2018

How do you unlock your iPhone when you need to use it? Apple gives us a ton of options when it comes to keeping our information safe from prying eyes and unwanted intruders, from PINs to our fingerprints and our faces. Apple’s commitment to empowering users to take control of their privacy and security, though, has sometimes been the source of very public friction between the tech giant and law enforcement agencies such as the FBI. When Apple won’t help by providing a backdoor into user data, what option do the authorities have?

The answer: they look for help from third parties. Over the past couple of months, we’ve been hearing more about a mysterious little box that its creators say can unlock a slew of iPhones, all the way up to the most current versions of iOS, and all the police need to do is plug your device into it. Known as GrayKey, this hardware device is the subject of today’s show as we take a closer look at the facts surrounding its development. On our list for today:

  • How we got here
  • Where did GrayKey come from?
  • The basics of how GrayKey works
  • What’s Apple doing about it?

Before we dive into where GrayKey came from and how it works, one thing is worth noting: from all outward appearances, its developers focus exclusively on law enforcement customers willing to pay the device’s hefty price tag. A company sitting on an unpatched iOS flaw this valuable had plenty of other ways to cash in, so the decision to restrict sales to “legitimate” US law enforcement agencies is an interesting one. It also helps to start with a quick refresher on why something like this would need to exist in the first place.

How we got here

The events in San Bernardino in December 2015, when two individuals went on a violent rampage, are by now well known, as is the struggle in early 2016 between Apple and the FBI over an iPhone used by one of the attackers, a subject we’ve covered on The Checklist more than once before. Why does this story keep coming up? It’s the clearest and most visible recent example of the divide between Apple’s commitment to user security and law enforcement’s need to investigate crimes.

To recap, the government had an iPhone used by one of the attackers and believed it might contain evidence relevant to the investigation. However, it was protected with a numeric passcode, and the setting that wipes the phone’s data after ten failed attempts was believed to be enabled. The FBI asked Apple to produce a modified version of iOS that would disable that wipe and the escalating delays between attempts, so that agents could brute force the passcode. Apple refused, and the dispute went to court.

Ultimately, the case didn’t proceed, as the FBI said it had paid a third party to help defeat the protection on the device. A later court ruling held that the FBI needs to disclose neither how much it paid for the service nor who provided it. Though the immediate legal conflict was resolved, these events kicked off a lively public debate about balancing privacy and security that continues to this day. Many people in government and politics, from sitting senators to former FBI directors, have called for a “backdoor” or other concessions from tech companies in this area, but few companies have been willing to budge. Any backdoor, Apple and others contend, is a total and unacceptable compromise of the user’s security.

That’s why forensic software and hardware such as the GrayKey we’ll discuss today are gaining in popularity with officials. These forensic options are nothing new; products meant to help researchers and investigators gather data they otherwise couldn’t access have been on the market for some time. Products such as Elcomsoft’s Phone Breaker are already out there, and in some cases available to the general public with fewer features or greater restrictions on their use. Another player in this arena is the Israeli company Cellebrite, which many in the security world have speculated was the one that helped the FBI.

With millions of smartphones out there and an increasing focus on encouraging users to lock down their devices with passcodes and encryption, for better or worse the market for these tools has grown too. However, none of them is a perfect solution. Guessing a PIN is tricky enough, but iOS also imposes escalating delays after repeated failed attempts and, optionally, wipes the device after ten. GrayKey seems to solve both of these problems for investigators. But who are the people behind this hardware? We don’t have a whole lot of answers to that question, but what we do know paints an intriguing portrait.

Where did GrayKey come from?

The appeal of GrayKey is that it is meant to be a small, easy-to-use device that lets law enforcement gain access to a locked iPhone relatively quickly and reliably. Created by an Atlanta-based company known as Grayshift, the entire project is shrouded in a thick layer of secrecy. Plug either the name of the device or the name of the company into Google and you’ll end up on a slick website with an extensive set of form fields to fill out. It politely asks for a broad spread of personal information: your organizational affiliation and your purpose in wanting to learn more about the product.

This effort is ostensibly in place to screen out nefarious users or bad actors who would want to use the device to access stolen phones or data outside of a law enforcement context. Other companies aren’t always as discerning; you can visit Elcomsoft’s or Cellebrite’s pages any time to see what it takes to buy their software tools and services. From what we can tell, though, Grayshift is so far serious about working only with the proper authorities.

Grayshift was founded in 2016. One of the primary figures we know about is a man named David Miles, a cybersecurity engineer with an impressive pedigree that includes a job history with IBM. Based on publicly available LinkedIn pages, some individuals who previously worked as Apple engineers are also associated with the project.

Altogether, Grayshift employs 50 or fewer people, making it a small and very tight-knit operation. Every customer must sign non-disclosure agreements covering the company’s operations and services. As a result, most of what we know about the business and the device it makes comes from an anonymous source who leaked the information to researchers at Malwarebytes.

So how does the company make its money? Grayshift offers the GrayKey device in two formats with different price points. The first comes with a price tag of $15,000 and allows a finite number of device unlocks (300, according to the leaked pricing). This version also requires an always-on Internet connection, presumably to communicate with Grayshift’s own servers for authentication and other security purposes. As a final restriction, this unit is “geofenced”: once it is set up on a network, say in a police department’s forensics lab, it cannot later be moved and used in another location.

However, Grayshift also provides a higher-end version for more intensive forensic usage. Coming in at a cool $30,000, this version lets the police skip the Internet connection in favor of a token-based authentication system; it also removes the geofencing restriction and any limit on the number of devices the GrayKey can unlock. That’s all we know about the company and its business model for now. What about how the gadget functions?

The basics of how GrayKey works

At first glance, the GrayKey is simple enough and looks almost like something someone put together in a garage. It is a small box with a single indicator LED on the front and two short Lightning cables poking out of the housing side by side. Though it may look humble, it can begin unlocking two devices at once as soon as they are connected.

Once a phone is connected, the software inside GrayKey goes to work, using an unknown and closely held exploit its engineers uncovered. When the device’s existence first came to light, it was known to work on iOS versions up to 11.2.5; so far, there’s nothing to suggest it doesn’t still work on everything up to and including the latest releases. Since this exploit is the foundation of the business and thus a closely guarded secret, we have no way of knowing exactly what happens when someone plugs an iPhone into a GrayKey. Based on the way devices behave after they are disconnected from the unit, though (it takes only a few minutes before the software works its magic), it likely relies on a deep and serious flaw that grants jailbreak-style root access.

Whatever the GrayKey leaves on the iPhone goes to work right away at cracking the passcode. How long that takes comes down to the length and character set of the passcode. Every guess still has to pass through the Secure Enclave’s key derivation, which Apple rates at roughly 80 milliseconds, so the time grows tenfold with each extra digit: a 4-digit PIN might take only minutes to break, while a six-digit PIN could take hours to a few days. Whether the device succeeds against alphanumeric passcodes isn’t clear from what we know, but Grayshift does claim it can get into phones that a user has disabled through Find My iPhone.
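To put the numbers in that paragraph on a firmer footing, here is an added worked example (not code from the show or from Grayshift) that estimates brute-force time for different passcode lengths. It assumes Apple’s published figure of roughly 80 ms of Secure Enclave key derivation per guess and Apple’s documented lock-screen delay schedule; GrayKey’s real guess rate is not public, so the output is an estimate of the floor an attacker faces once the software delays are out of the way, not a measurement of the device.

```python
"""Estimating how long a passcode brute force takes on an iPhone.

Added example, not code from the show or from Grayshift. It models two things
the episode describes: the escalating delays iOS adds at the lock screen after
failed attempts, and the floor that remains even if those delays are bypassed.
Assumptions: the ~80 ms per guess floor is the key-derivation cost Apple
publishes for the Secure Enclave; the delay schedule (no delay for the first
four failures, then 1, 5, 15, 15 and 60 minutes) is the one Apple documents.
GrayKey's real guess rate is not public, so these are estimates.
"""

SEP_FLOOR_MS = 80  # assumption: Apple's published ~80 ms passcode tangling cost

# Lock-screen delay (ms) imposed after the Nth consecutive failed attempt.
# After the ninth failure iOS keeps the one-hour delay for every further failure,
# or erases the device on the tenth if "Erase Data" is on.
_UI_DELAY_MS = {5: 60_000, 6: 300_000, 7: 900_000, 8: 900_000, 9: 3_600_000}
_UI_DELAY_AFTER_NINE_MS = 3_600_000


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of candidate passcodes; 10 symbols for a numeric PIN."""
    return alphabet_size ** length


def _guesses_needed(length: int, alphabet_size: int, average: bool) -> int:
    # On average the right guess sits halfway through the keyspace.
    space = keyspace(length, alphabet_size)
    return space // 2 if average else space


def hardware_floor_seconds(length: int, alphabet_size: int = 10,
                           average: bool = True) -> float:
    """Time with every software delay bypassed but the SEP cost still paid per guess."""
    return _guesses_needed(length, alphabet_size, average) * SEP_FLOOR_MS / 1000


def lock_screen_seconds(length: int, alphabet_size: int = 10,
                        erase_after_ten: bool = True,
                        average: bool = True) -> float:
    """Time if the attacker types guesses at the lock screen.

    Returns float('inf') when the phone would wipe before the right guess is
    reached (Erase Data on and at least ten failures needed).
    """
    guesses = _guesses_needed(length, alphabet_size, average)
    failures = guesses - 1  # every guess before the correct one fails
    if erase_after_ten and failures >= 10:
        return float("inf")
    total_ms = guesses * SEP_FLOOR_MS
    for n in range(1, failures + 1):
        if n >= 10:
            # All remaining failures cost an hour each; add them in one step.
            total_ms += (failures - n + 1) * _UI_DELAY_AFTER_NINE_MS
            break
        total_ms += _UI_DELAY_MS.get(n, 0)
    return total_ms / 1000


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds == float("inf"):
        return "device wipes first"
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Constructed cases: numeric PINs of growing length plus one short
    # lowercase+digit passcode, all at the average (half-keyspace) position.
    cases = [("4-digit PIN", 4, 10), ("6-digit PIN", 6, 10),
             ("8-digit PIN", 8, 10), ("6-char a-z0-9", 6, 36)]
    print(f"{'passcode':<16}{'Erase Data on':>20}{'Erase Data off':>20}"
          f"{'delays bypassed':>20}")
    for label, length, alphabet in cases:
        print(f"{label:<16}"
              f"{human(lock_screen_seconds(length, alphabet)):>20}"
              f"{human(lock_screen_seconds(length, alphabet, False)):>20}"
              f"{human(hardware_floor_seconds(length, alphabet)):>20}")
```

Run it directly to print the table. The lesson is in the right-hand column: with the delays gone, a 4-digit PIN averages under seven minutes and a 6-digit PIN about eleven hours, but each extra digit multiplies the time by ten, and a six-character passcode drawn from letters and digits already pushes past two years. That is why the question of alphanumeric passcodes matters so much here.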

After the cracking software finishes its job, the iPhone displays a black screen filled with text, including the recovered passcode and some diagnostic information. The forensic user then reconnects the iPhone to the GrayKey, which extracts and dumps all the data residing on the phone. Investigators then use a web-based app to sift through that data, which includes everything from contacts and messages to call records and the other passwords stored in the phone’s keychain. From all appearances, this is a tool law enforcement would find highly useful, and Apple would likely find abhorrent.

Some have speculated that Grayshift has achieved such success by figuring out a novel way to interface with the Secure Enclave to bypass the delays and lock-outs the system normally imposes. That doesn’t mean they’ve breached the Secure Enclave. It does mean they have found a way to convince the system that their attempts are legitimate user actions, and so have succeeded where others have failed. Note that bypassing the delays only removes the software-imposed waiting; each guess still has to be checked by the Secure Enclave, which is what keeps longer passcodes expensive to crack.

What’s Apple doing about it?

So what steps is Apple taking? With the amount of effort they put into keeping iOS rock solid against intruders, the existence of a device such as the GrayKey (and other unlocking services that have sprung up recently) can’t be something the Cupertino company takes lightly. So far, though, Apple hasn’t made any definite public statements about this device or any other similar products. They haven’t addressed the GrayKey itself or the existence of any underlying security holes that make its operation possible. That could mean they haven’t identified the precise methods used yet, or the development of a fix could be an extraordinarily complicated undertaking.

For that reason, it’s hard to speculate on what stage Apple’s response is in; without knowing the actual method at work, it’s difficult to patch and difficult to discuss! It’s a sure bet, though, that the company has a team (or perhaps teams) working on breaking the issue down. Maybe they’ll even try to acquire one of the devices themselves to tear it down and examine its inner workings. That would certainly put Grayshift’s efforts at screening their customers to the test — although, with strict NDAs in place, it’s impossible to know who the company’s customers are and where these devices see the most use.

However, Apple has taken a step toward protecting users from these devices in its iOS 11.4 betas, with a feature that first showed up in an 11.3 beta but did not ship in the 11.3 release. The phone keeps an internal timer that resets every time you unlock it with your passcode, fingerprint, or face. If seven days elapse without a valid unlock, the phone stops accepting USB data connections over its Lightning port; it will still charge, but nothing else gets through. In other words, if the police can’t acquire your phone and connect it within seven days of the last time you unlocked it, hooking it up to a GrayKey or any other phone breaker won’t work, because the data simply won’t flow over the connection anymore. So far, this has been Apple’s most visible response.

Will we see more in the near term? We’ll have to keep a close eye on this story as it develops, as we have with many other stories so far this year. Could this be the start of a security “arms race” between forensic investigators and tech companies? Only time will tell, but we’ll watch for developments as Apple is unlikely to sit idly by while others access their hardware.

That covers everything we know about GrayKey and Grayshift to date, though it’s certainly possible we’ll hear more at some point this year. Will another anonymous source leak more info about how this tool works — or will we hear about it slipping into the hands of someone who shouldn’t have access to its power? Of course, it could all be a moot point if Apple comes out with a permanent fix that closes off whatever loophole Grayshift uses to power its devices. As always, if we hear something, we’ll be sure to bring the news to you with an update.
