
iPhone unlocking firm Grayshift faces extortion demands after data breach

GrayKey device. | Source: MalwareBytes

Grayshift, the firm responsible for the GrayKey iPhone hacking tool, is in the crosshairs of an extortionist after its product's source code was inadvertently exposed to the internet last week.

An unknown party appears to have snatched GrayKey's source code and leaked a portion of the data online, reports Motherboard. Alongside the code, the hacker or hackers included a message threatening to distribute more of GrayKey unless Grayshift places two Bitcoin, currently worth about $19,000, into a secure account.

The company confirmed the breach, but says no sensitive data was exposed in the incident.

"Due [to] a network misconfiguration at a customer site, a GrayKey unit's UI was exposed to the internet for a brief period of time earlier this month," Grayshift said in a statement. "During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access."

The anonymous party posted two separate messages requesting payment from Grayshift, each of which included a snippet of code that appears to be associated with GrayKey's user interface. Grayshift maintains the hackers failed to glean code responsible for operating a GrayKey box, or functional code responsible for cracking an iPhone.

GrayKey garnered media attention in March as a cost-effective digital forensics solution designed specifically to unlock password-protected iPhone hardware. Advertised in two "flavors," GrayKey is available as an internet-connected, limited-use unit for $15,000, while an unrestricted standalone version sells for $30,000.

The device itself is a small gray box with two Lightning connectors. Once an iPhone is attached, the device inserts what appears to be jailbreak software that leverages an as-yet-undisclosed zero-day exploit to bypass built-in iOS security protocols.

To thwart brute-force attacks, commonly used by automated passcode-guessing solutions, Apple employs a mechanism that delays input after incorrect attempts. Specifically, iOS institutes mandatory pauses after four consecutive attempts, running from one minute for a fifth unsuccessful attempt to one hour for the ninth consecutive error. An additional protection allows iPhone owners to wipe their device on a tenth unsuccessful attempt.

GrayKey is able to bypass each failsafe, including the automated data erase option. The method has proven capable of unlocking devices up to iPhone X running iOS 11.3.

A report earlier this month suggests GrayKey can break a simple four-digit code in a matter of minutes, while a six-digit code — now the standard for iOS — takes an average of 11 hours. Longer ten-digit and alphanumeric codes, however, can take up to 25 years to break.

Boasting a fairly rapid unlocking process on the cheap, GrayKey has enjoyed high demand from a variety of law enforcement agencies. Reports this month suggest Grayshift is selling units to local police departments and federal government agencies including the State Department, while the Secret Service and Drug Enforcement Agency have shown interest in the technology.

There are a number of unanswered questions surrounding GrayKey, some of which touch on security concerns related to a network-attached unlocking tool. As the exact workings of GrayKey remain under lock and key, some wonder whether the device can be remotely accessed or if third parties can intercept data sent from the box to Grayshift servers.

Today's news is troubling not only for Grayshift, but for iPhone owners as well. If the hackers were able to secure GrayKey's source code, as they claim, the information could theoretically be acquired by unscrupulous organizations or individuals. Indeed, the extortionists have set up a secondary address to accept Bitcoin offers from "wild bidders" interested in procuring the alleged code. Of course, this second address could merely be a ploy to push Grayshift into paying the ransom, but the specter of a fully developed iPhone unlocking tool floating in the wild remains.

So far, neither account has received payment, the report said.