New Grayshift spyware lets police surreptitiously snatch iPhone passcodes

By Mike Peterson

Mobile forensics firm Grayshift is marketing a software tool that can reveal a user's iPhone passcode without cracking the device, according to a new report.

The GrayKey is a device made by a company called Grayshift that can crack the encryption on most iPhones. Credit: Malwarebytes

Grayshift is known for its flagship GrayKey product, a digital forensics tool that can bypass the encryption on an iPhone. Though it's been tested against even the latest iPhone models, the process it uses can take days, if not weeks, to complete.

Now, NBC News reports that Grayshift has developed a tracking software called Hide UI that can reveal an iPhone user's passcode to law enforcement much more quickly.

The Hide UI tool is a piece of spyware that can be installed on an iPhone via GrayKey. Once it's on a user's device, it "hides" itself, but continues to track user input. If a user types in their passcode while Hide UI is active, the software can log it and use it to bypass encryption later.

That, of course, requires the device to be put back in the hands of a user or suspect. Law enforcement officials told NBC that using Hide UI typically entails a bit of social engineering.

Some examples include telling a suspect they can call their lawyer or delete phone contacts. Once they tap their passcode in, Hide UI saves it in a text file the next time the iPhone is plugged into a GrayKey.

According to NBC, Hide UI has been a feature of GrayKey for about a year, but required non-disclosure agreements signed by law enforcement officials have kept its existence concealed until now.

The secrecy surrounding the tool has raised concerns among civil liberties activists and lawyers, specifically the potential for it to be used without a warrant.

Law enforcement officials who spoke with NBC maintained that they've never used Hide UI without a warrant. At least one source also added that the software was "buggy," and it was usually easier to just compel suspects to hand over their passcodes.

Grayshift doesn't publicly list Hide UI as a feature, but does refer to some "advanced features" in its GrayKey marketing materials. NBC reports that Hide UI and other intelligence-gathering tools aren't explained to police departments until they sign NDAs.

In at least one NDA, Grayshift even required law enforcement to notify the company if technical details were likely to be revealed through judicial processes. The advance notice would give Grayshift an opportunity to "obtain a protective order or otherwise oppose the disclosure."

Lance Northcutt, a Chicago-based attorney, called that "pretty shocking," and told NBC that it suggests the interests of Grayshift could be interfering with due process.

News of the Hide UI feature comes just hours after the FBI revealed that it was able to unlock two iPhones belonging to the gunman in the Pensacola mass shooting, even after Justice Department officials called on Apple to help with the process. Even before that, U.S. law enforcement entities had long been able to crack iPhones without Apple's help.

Attorney General William Barr maintains that Apple's strong encryption is problematic, and that a "legislative solution" is required for police agencies to be able to do their job. Apple, for its part, has been steadfast in refusing to build a backdoor for law enforcement into its products.