GrayKey Unlocking Phones Near You

A small 4″x4″x2″ device called GrayKey from Grayshift has been topping the shopping list for law enforcement organizations across the US.  For $15,000 the device can be used to crack iPhone security through GrayKey unlocking on up to 300 devices to access information stored on the device.  For $30,000 that 300 unlock limit is removed, along with some other control measures, so owners can unlock devices to their hearts’ content.

How GrayKey Unlocking Works

Devices are vulnerable even when secured by passcodes or fingerprint security, though longer passcodes can buy a bit more time.  One review suggests that the current version of the device can crack 4-digit passcodes (the typical PIN many people use) in a few hours, while a 6-digit PIN, the default suggested from iOS 9 onward, would take a few days.

GrayKey Unlocking. Who Needs Keys?

One of the key security features of iOS devices is an attempt by Apple to make passcode guessing harder by gradually increasing the amount of time between passcode attempts after an incorrect entry.  Mobile cracking devices defeat this security feature, which then allows the device to make guesses as fast as they can be thrown at the connected phone.

The GrayKey, sporting two lightning cables,  is connected to up to two phones at a time for a few minutes to initiate the cracking procedure, apparently performing whatever steps it needs to disable Apple’s retry throttle.  The subject phones can be disconnected after this initialization period and others can be started while the cracking process continues on the removed phones.

Once a particular phone completes the process of cracking its own password, the device is reconnected to GrayKey which downloads all data on the phone.  This downloaded data is then available for access through a web interface.

The GrayKey unlocking devices may currently be limited to US law enforcement which have a few defined conditions under which they can legally use the cracking device to gain access.  It seems likely, however, that the devices will make their way into other hands over time.  Whether through theft or reverse engineering, such technology is too valuable to criminal elements to remain restricted to ethical hands for long.

Competition As Risk

A data extraction company based in Israel is reportedly selling similar technology to private forensics firms as well as law enforcement.  While one can hope that they carefully vet their customers, the fact is that more devices in the field means more opportunity for them to get into the wrong hands.

Two Horse Race

The demand is too great and the potential profit too significant for this to remain a two-horse race for long.  Even this small amount of competition will probably serve to reduce the cost of the devices, further increasing the number of similar devices in circulation.

If you are charged with security of corporate devices or have any high value information on devices under your control, don’t count on minimal security measures to be good enough.  Users generally value convenience over security, even when they have the best of intentions.

What To Do

If you are not comfortable waiting while Apple and others take new technical measures in this war over device security, there are some simple measures you can take to make brute force cracking too time consuming to be practical.

Following the basic principle of making unauthorized access more expensive than the value of information, consider the value of data on your device (or severity of the crime one might be accused of, if one is so inclined).  Taking the fixed cost of $15,000 for 300 phones as a benchmark, someone needs to decide that information on your phone is worth about $50 to them plus some time.  This cost per device drops far lower for owners selecting the $30,000 all-you-can-crack option, potentially allowing them to initiate several hundred phones per day.  This means that $50 cost just dropped to well under a dollar per device plus salary for technicians to swap phones every few minutes 24×7.

With such a low cost per device to initiate cracking, and the potential for GrayKey unlocking or similar devices to make their way into unethical hands through a five-finger discount, it may be best to consider time as the best gatekeeper for mobile security.  Much longer passcodes, while inconvenient to enter, are beyond the practical reach of this hybrid type of brute force cracking technique.  A ten-digit PIN, for example, takes current technology ten years or more to crack by brute force methods.  Selecting something much longer, such as a string of words or a mnemonic phrase, can be relatively easy to remember at lengths which would take millennia to crack by current techniques.
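The argument above is that the keyspace grows exponentially with passcode length while the guess rate is fixed, so length alone turns hours into centuries. The following is an added example, not code from the article or from Grayshift: a small estimator that computes worst-case and average brute-force time for numeric PINs and for word-based passphrases, and the shortest PIN that meets a chosen time budget. The guess rate of one guess per second is a constructed assumption, chosen only because it reproduces the article's rough figures (a few hours for 4 digits, a few days for 6, over ten years for 10); the 7776-word dictionary size is that of the EFF/Diceware long word list and is used here only as a representative passphrase dictionary.

```python
"""Brute-force time estimator for device passcodes (added example).

The guess rate is an assumption, not a measured figure for any product:
1 guess/second is used because it yields the same order-of-magnitude
results the article quotes for 4-, 6- and 10-digit PINs.
"""

ASSUMED_GUESSES_PER_SECOND = 1.0  # constructed assumption, see docstring
DICEWARE_WORDS = 7776             # size of the EFF/Diceware long word list

# Ordered largest-first so humanize() picks the biggest unit that fits.
SECONDS_PER_UNIT = [
    ("years", 365 * 24 * 3600),
    ("days", 24 * 3600),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet_size and length must be positive")
    return alphabet_size ** length


def passphrase_keyspace(words: int, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Keyspace of a passphrase built from `words` dictionary words."""
    return keyspace(dictionary_size, words)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return keyspace(alphabet_size, length) / rate


def average_seconds(alphabet_size: int, length: int,
                    rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time when the passcode is uniformly random: half the keyspace."""
    return worst_case_seconds(alphabet_size, length, rate) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that is at least one."""
    for name, size in SECONDS_PER_UNIT:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def minimum_length_for(target_seconds: float, alphabet_size: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Shortest passcode length whose worst-case crack time meets the target."""
    length = 1
    while worst_case_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def pin_report(rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case crack time for the PIN lengths the article discusses."""
    return {digits: humanize(worst_case_seconds(10, digits, rate))
            for digits in (4, 6, 10)}


if __name__ == "__main__":
    for digits, duration in pin_report().items():
        print(f"{digits}-digit PIN: up to {duration}")
    ten_years = 10 * 365 * 24 * 3600
    print("digits needed for a 10-year worst case:",
          minimum_length_for(ten_years, 10))
    for words in (3, 4, 5):
        secs = worst_case_seconds(DICEWARE_WORDS, words)
        print(f"{words}-word passphrase: up to {humanize(secs)}")
```

Running it shows the exponential gap directly: each extra digit multiplies the time by ten, and a four-word dictionary passphrase already lands in the hundreds of millions of years at the assumed rate, which is why length, not cleverness, is the practical lever against this class of attack. Changing `ASSUMED_GUESSES_PER_SECOND` to a faster rate shifts every row by the same factor without changing the conclusion.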
