'Press X To Apply Fourth Amendment:' Documents Show How GrayKey Brute Forces IOS Passwords
from the device-helpfully-backlit-to-combat-going-darkness dept
Consecutive FBI directors (James Comey, and Chris Wray) have declared a small scale war on encryption. Both of these directors relied on inflated numbers to make their case — an error chalked up to software rather than rhetorical convenience. (The FBI has refused to hand over a correct count of encrypted devices in its possession for more than three years at this point.)
The FBI’s narrative keeps getting interrupted by inconvenient facts. Proclamations that the criminal world is “going dark” are often followed by the announcement of new exploits that give law enforcement the ability to decrypt phones and access their contents.
Grayshift is one of the vendors selling phone-cracking tech to law enforcement agencies. The company has an ex-Apple security engineer on staff and has been duking it out with the device manufacturer for the past few years. It seems to be able to find exploits faster than Apple can patch them, leading to a tech arms race that law enforcement appears to be able to win from time to time.
Joseph Cox at Motherboard has obtained more documents about Grayshift’s phone-cracking device, GrayKey. Apple prides itself on providing secure devices. But it appears GrayKey is still capable of bypassing iOS security features, enabling investigators to brute force device passwords. And it can still do this even if the targeted device is on the verge of battery death.
The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery.
“GrayKey known to install agent with 2 to 3% battery life,” the document reads, referring to the “brute force agent” GrayKey installs on the phone in order to unlock the device.
This suggests the agent doesn’t demand too much from the processor when installing. It also suggests GrayKey’s devices are portable, allowing cops to attempt to access phone contents while away from the office with limited options for charging seized devices.
The device includes a 1.5-billion word dictionary that can be utilized during brute force attacks to guess alphanumeric passwords. The instructions obtained by Motherboard also indicate the device has the power to extract metadata from “inaccessible” files — something it can apparently do even if the device is still in a locked state.
And Grayshift truly cares about your rights, Joe and Judy Criminal Suspect.
“Prior to connecting any Apple mobile device to GrayKey, determine if proper search authority has been established for the requested Apple mobile device,” the document reads.
Yeaaaaaahhhhh… that should do it. Grayshift has no way of enforcing this so cops are on the honor system. And we’ve all seen how great cops are at keeping themselves honest. This little nod towards Supreme Court precedent and Fourth Amendment doesn’t even ask for something like a supervisor’s passcode prior to operation to help ensure all the proper paperwork is in order. Left to their own devices, cops are bound to illegally access suspects’ devices.
And if brute forcing doesn’t work, there’s another built-in option — one covered here previously. GrayKey can surreptitiously install a very targeted keylogger that records the passcode when it’s entered by the phone’s owner. Cops can get their largesse on and give suspects back their devices so they can copy down phone numbers or let people know where they’re at. And when suspects unlock their devices to this, cops are CC’ed by Grayshift’s malware.
The battle between government contractors and device makers continues. And as long as it remains a battle in which neither party has proven to be able to hold a lead, it’s disingenuous to claim — as Chris Wray and James Comey have — that encryption is a barrier impossible to overcome.