'Press X To Apply Fourth Amendment:' Documents Show How GrayKey Brute Forces IOS Passwords

from the device-helpfully-backlit-to-combat-going-darkness dept

Consecutive FBI directors (James Comey, and Chris Wray) have declared a small scale war on encryption. Both of these directors relied on inflated numbers to make their case -- an error chalked up to software rather than rhetorical convenience. (The FBI has refused to hand over a correct count of encrypted devices in its possession for more than three years at this point.)

The FBI's narrative keeps getting interrupted by inconvenient facts. Proclamations that the criminal world is "going dark" are often followed by the announcement of new exploits that give law enforcement the ability to decrypt phones and access their contents.

Grayshift is one of the vendors selling phone-cracking tech to law enforcement agencies. The company has an ex-Apple security engineer on staff and has been duking it out with the device manufacturer for the past few years. It seems to be able to find exploits faster than Apple can patch them, leading to a tech arms race that law enforcement appears to be able to win from time to time.

Joseph Cox at Motherboard has obtained more documents about Grayshift's phone-cracking device, GrayKey. Apple prides itself on providing secure devices. But it appears GrayKey is still capable of bypassing iOS security features, enabling investigators to brute force device passwords. And it can still do this even if the targeted device is on the verge of battery death.

The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery.

"GrayKey known to install agent with 2 to 3% battery life," the document reads, referring to the "brute force agent" GrayKey installs on the phone in order to unlock the device.

This suggests the agent doesn't demand too much from the processor when installing. It also suggests GrayKey's devices are portable, allowing cops to attempt to access phone contents while away from the office with limited options for charging seized devices.

The device includes a 1.5-billion word dictionary that can be utilized during brute force attacks to guess alphanumeric passwords. The instructions obtained by Motherboard also indicate the device has the power to extract metadata from "inaccessible" files -- something it can apparently do even if the device is still in a locked state.

And Grayshift truly cares about your rights, Joe and Judy Criminal Suspect.

"Prior to connecting any Apple mobile device to GrayKey, determine if proper search authority has been established for the requested Apple mobile device," the document reads.

Yeaaaaaahhhhh... that should do it. Grayshift has no way of enforcing this so cops are on the honor system. And we've all seen how great cops are at keeping themselves honest. This little nod towards Supreme Court precedent and Fourth Amendment doesn't even ask for something like a supervisor's passcode prior to operation to help ensure all the proper paperwork is in order. Left to their own devices, cops are bound to illegally access suspects' devices.

And if brute forcing doesn't work, there's another built-in option -- one covered here previously. GrayKey can surreptitiously install a very targeted keylogger that records the passcode when it's entered by the phone's owner. Cops can get their largesse on and give suspects back their devices so they can copy down phone numbers or let people know where they're at. And when suspects unlock their devices to this, cops are CC'ed by Grayshift's malware.

The battle between government contractors and device makers continues. And as long as it remains a battle in which neither party has proven to be able to hold a lead, it's disingenuous to claim -- as Chris Wray and James Comey have -- that encryption is a barrier impossible to overcome.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, cracking, doj, encryption, fbi, going dark, graykey, hacking, ios
Companies: apple, grayshift


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Norahc (profile), 30 Jun 2021 @ 2:39pm

    Why do I get the feeling that instead of pressing X to apply the 4th Amendment, law enforcement would rather press ctrl-x instead?

    link to this | view in thread ]

  2. identicon
    Jimbo, 30 Jun 2021 @ 2:41pm

    Passcodes to erase

    Apple should offer an option to allow immediate erase (trash of the decryption key) upon one of 5 bad passcodes. The device could randomly pick the five self destruct codes whenever a new passcode is set. If one of the five bad codes is entered then the device, without warning, bricks itself. When someone tries to brute force password discovery they are likely to hit a self destruct code before finding the real passcode.

    This would be very safe because someone just messing with a friend’s phone is as unlikely to hit a destruct code as they are to find the actual passcode. And besides, this is the risk a phone owner assumes when they turn on this option.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 30 Jun 2021 @ 3:10pm

    who would have thought that "123456" would unlock the phone, but "1234567" would destroy it?

    link to this | view in thread ]

  4. icon
    That Anonymous Coward (profile), 30 Jun 2021 @ 4:52pm

    Trust us we're the cops!

    falls to the ground laughing hysterically

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 30 Jun 2021 @ 7:34pm

    Re: Passcodes to erase

    Considering they have bypassed every other method Apple has used to prevent brute forcing of passwords, why do you believe this could not be similarly bypassed?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.