For $15,000, GrayKey promises to crack iPhone passcodes for police

This palm-sized box can break your iPhone's password, giving police full access to a device's file system -- messages, photos, call logs, browsing history, keychain and user passwords, and more.
Written by Zack Whittaker, Contributor

Federal judge: FBI doesn't have to reveal details of iPhone hacking tool

A little-known Atlanta, Ga.-based tech outfit appeared seemingly out of nowhere this month with a bold claim -- that it can crack the passcodes on even the most recent iPhones, a feat managed by only a select few.

Grayshift wasn't widely known until Forbes blew the lid on the company earlier this month -- likely because the company's main clientele are police departments and local law enforcement divisions.

The company is founded by Justin Fisher (whose LinkedIn profile currently only shows he works at a "private company") and Braden Thomas, a former Apple security engineer, who spent six years at the technology giant from 2006.

But little is publicly known about the company, including its flagship product, GrayKey, a $15,000 unlock tool that promises in marketing materials to be able to obtain the passwords on iPhone 5s devices and newer. The box is said to be able to tap into even the latest iPhone 8 and iPhone X handsets, running the latest iOS 11 software.


iPhone password cracking device GrayKey. (Image: Malwarebytes; used with permission)

That has to hurt the iPhone's security reputation. Apple has long been seen as a champion of strong device security, including rolling out zero-knowledge device encryption so that even the company can't be forced to unlock a person's phone.

The box, small enough to fit in your hand, uses an unknown exploit to guess the device's password again and again -- known as brute-forcing -- and to gain access to the iPhone's encrypted contents.

Apple's Secure Enclave makes it difficult to brute-force the password on an iPhone by limiting how many times a user can attempt a password unlock. Bypassing that rate limit can vastly speed up the unlocking process.

Security firm Malwarebytes also obtained information on the device and wrote-up a technical post on the technology. Once the box has determined the password, it displays the code on the iPhone screen. Four-digit passcodes can take minutes to a few hours, but six-digit passcodes -- now the default on iPhones -- can take three days or longer to crack. But that's still a significantly shorter amount of time than other known phone-cracking techniques.

That password gives the GrayKey operator full access to the device's file system (messages, photos, call logs, browsing history, keychain and user passwords -- everything).

How to completely erase any device

It's a similar technique that rival firm Cellebrite, an Israeli phone-cracking company, uses to gain access to devices, when hired by law enforcement.

But the price of the box, which is significantly cheaper than Cellebrite's technology, has police departments around the US scrambling to buy the technology.

According to marketing materials posted by Forbes, police can buy one of two devices. The $15,000-a-year license unlocks 300 devices and requires an internet connection to enforce that limit. That internet connection also locks the device to the network, preventing anyone from using the device on any other network.

By comparison, police usually spend about $1,500 on each device unlocked by Cellebrite. In one case last year, in the wake of the San Bernardino shooting, the FBI spent about $1 million on breaking into an iPhone used by one of the killers.

According to documents obtained by Motherboard, several local police departments in Indiana have already inquired and bought the technology. In our own findings, several local New York police departments have spent tens of thousands on GrayKey's technology.

The company also offers a $30,000 standalone unit that has no phone-cracking limits. It's that more expensive box that has security experts worried.

Law enforcement agencies have long argued that they need access to devices, when they have obtained a lawful search warrant, to help with their investigations. But security experts have also said in response that if there's a way in that allows police access to encrypted data, hackers could also get that same access and use it for their own gain.

The exact nature of how the GrayBox exploit works isn't known -- or for that matter, if it even works. It's also not known what protections are put into the device to stop unauthorized access of the technology.

"We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world," said Malwarebytes' Thomas Reed in a blog post.

"Regardless of that, it's highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from GrayShift or indirectly through the black market."

Editorial standards