'Press X To Apply Fourth Amendment:' Documents Show How GrayKey Brute Forces IOS Passwords

from the device-helpfully-backlit-to-combat-going-darkness dept

Consecutive FBI directors (James Comey, and Chris Wray) have declared a small scale war on encryption. Both of these directors relied on inflated numbers to make their case — an error chalked up to software rather than rhetorical convenience. (The FBI has refused to hand over a correct count of encrypted devices in its possession for more than three years at this point.)

The FBI’s narrative keeps getting interrupted by inconvenient facts. Proclamations that the criminal world is “going dark” are often followed by the announcement of new exploits that give law enforcement the ability to decrypt phones and access their contents.

Grayshift is one of the vendors selling phone-cracking tech to law enforcement agencies. The company has an ex-Apple security engineer on staff and has been duking it out with the device manufacturer for the past few years. It seems to be able to find exploits faster than Apple can patch them, leading to a tech arms race that law enforcement appears to be able to win from time to time.

Joseph Cox at Motherboard has obtained more documents about Grayshift’s phone-cracking device, GrayKey. Apple prides itself on providing secure devices. But it appears GrayKey is still capable of bypassing iOS security features, enabling investigators to brute force device passwords. And it can still do this even if the targeted device is on the verge of battery death.

The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery.

“GrayKey known to install agent with 2 to 3% battery life,” the document reads, referring to the “brute force agent” GrayKey installs on the phone in order to unlock the device.

This suggests the agent doesn’t demand too much from the processor when installing. It also suggests GrayKey’s devices are portable, allowing cops to attempt to access phone contents while away from the office with limited options for charging seized devices.

The device includes a 1.5-billion word dictionary that can be utilized during brute force attacks to guess alphanumeric passwords. The instructions obtained by Motherboard also indicate the device has the power to extract metadata from “inaccessible” files — something it can apparently do even if the device is still in a locked state.

And Grayshift truly cares about your rights, Joe and Judy Criminal Suspect.

“Prior to connecting any Apple mobile device to GrayKey, determine if proper search authority has been established for the requested Apple mobile device,” the document reads.

Yeaaaaaahhhhh… that should do it. Grayshift has no way of enforcing this so cops are on the honor system. And we’ve all seen how great cops are at keeping themselves honest. This little nod towards Supreme Court precedent and Fourth Amendment doesn’t even ask for something like a supervisor’s passcode prior to operation to help ensure all the proper paperwork is in order. Left to their own devices, cops are bound to illegally access suspects’ devices.

And if brute forcing doesn’t work, there’s another built-in option — one covered here previously. GrayKey can surreptitiously install a very targeted keylogger that records the passcode when it’s entered by the phone’s owner. Cops can get their largesse on and give suspects back their devices so they can copy down phone numbers or let people know where they’re at. And when suspects unlock their devices to this, cops are CC’ed by Grayshift’s malware.

The battle between government contractors and device makers continues. And as long as it remains a battle in which neither party has proven to be able to hold a lead, it’s disingenuous to claim — as Chris Wray and James Comey have — that encryption is a barrier impossible to overcome.

Filed Under: , , , , , , , ,
Companies: apple, grayshift

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “'Press X To Apply Fourth Amendment:' Documents Show How GrayKey Brute Forces IOS Passwords”

Subscribe: RSS Leave a comment
Jimbo says:

Passcodes to erase

Apple should offer an option to allow immediate erase (trash of the decryption key) upon one of 5 bad passcodes. The device could randomly pick the five self destruct codes whenever a new passcode is set. If one of the five bad codes is entered then the device, without warning, bricks itself. When someone tries to brute force password discovery they are likely to hit a self destruct code before finding the real passcode.

This would be very safe because someone just messing with a friend’s phone is as unlikely to hit a destruct code as they are to find the actual passcode. And besides, this is the risk a phone owner assumes when they turn on this option.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...