iPhone hacking tool GrayKey techniques outlined in leaked instructions

Leaked instructions for GrayShift's GrayKey iPhone unlocking device have surfaced, giving an idea of what the device intended for law enforcement officials can do, and how it works.

GrayShift's GrayKey is an infamous device used to unlock and pull data from iPhones and iPads owned by suspects, as part of an investigation by law enforcement officials. While the device is known to exist, and has even been photographed as part of FCC filings, a release of details from written instructions for the device provides a better idea of the device's capabilities.

The device effectively functions by performing a brute-force attack against the iPhone's passcode, which is used to secure the smartphone. While not entirely perfect, the system has been known to successfully gain entry into a secured iPhone using its methods.

The instructions, supposedly written by the San Diego Police Department and obtained by Motherboard, initially ask users to "determine if proper search authority has been established for the requested Apple mobile device." The document then explains the ways the GrayKey can be used, such as Before First Unlock (BFU), when the phone is already on (After First Unlock, AFU), or if it has a damaged screen or low battery.

Leaked instructions for GrayKey [via Motherboard]

The device can install an agent on a device with 2 to 3% battery life remaining, the instructions reveal. The agent is used for the brute-force attack, but continuous power is required until the passcode itself is discovered.

Users can elect to have data collected in various ways, such as extracting metadata for inaccessible files, and "immediate extraction" once unlocked.

In guidance on brute-forcing an alphanumeric passcode, analysts have to perform extra actions, such as loading a wordlist of candidates to try against the passcode. A default wordlist is provided, titled "crackstation-human-only.txt," which consists of around 1.5 billion words and passwords, though other wordlists can also be used.

Once the agent has been installed, the iPhone is placed into Airplane mode, and could be disconnected from GrayKey at that time.

There is also mention of HideUI, an agent that can be used to secretly record a user's passcode, if law enforcement hands it back to the suspect.

Tools like GrayKey have become an important element of police investigations around the world, as law enforcement attempts to get around the core security of operating systems to see a suspect's data. It was allegedly used by the FBI in late 2019 to gain access to a locked iPhone 11 Pro Max as part of a high-profile investigation.

8 Comments

hackintoisier 5 Years · 86 comments

Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  

FileMakerFeller 6 Years · 1561 comments

But we're safe because only law enforcement will have access to this device :eyeroll:

davidw 17 Years · 2119 comments

Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  

You need to get your hearing checked. You're going deaf.

First of all, this device probably costs in the 10's of 1000's of dollars and is not that easily available. Second, in order for hackers to use this device to access the data in an iPhone, they need to physically have possession of the iPhone. And third, it works by trying to guess the pass code using "brute force". An iPhone with a random 10 alphanumeric pass code will probably take over 1M years for this device to guess it.

https://www.password-depot.de/en/know-how/brute-force-attacks.htm

On the other hand, if a hacker can convince an iPhone owner to unknowingly download malware, by clicking on a link, the hacker can have access to the iPhone data without even being in the same country where the iPhone is or having to know the passcode.    

A hacker can easily send out millions of phishing e-mails, knowing that more than a few will click on the link that will download the malware. This device can only try to access the data on an iPhone that is plugged into it, one iPhone at a time. Do the math.

As long as the iPhone owners still have possession of their iPhone and they use a strong passcode, this device is not a security threat at all.

dewme 10 Years · 5775 comments

Does this hacking tool assume device owners turn the max attempts feature off?

I’ve always assumed that brute force hacking tools would run into the 10-try limit as well as the imposed delay between attempts, unless of course they found a way to bypass the logic that tracks the retry count.

Without a limit on the number of attempts and an escalating wait period between attempts, pretty much any passcode is hackable given enough time.

Mmmm??? 

gatorguy 13 Years · 24627 comments

davidw said:
Without the existence of other app stores, it sure sounds like the security model of the iPhone is already gravely threatened by this device.  
You need to get your hearing checked. You're going deaf.

First of all, this device probably costs in the 10's of 1000's of dollars and is not that easily available. Second, in order for hackers to use this device to access the data in an iPhone, they need to physically have possession of the iPhone. And third, it works by trying to guess the pass code using "brute force". An iPhone with a random 10 alphanumeric pass code will probably take over 1M years for this device to guess it.

https://www.password-depot.de/en/know-how/brute-force-attacks.htm

On the other hand, if a hacker can convince an iPhone owner to unknowingly download malware, by clicking on a link, the hacker can have access to the iPhone data without even being in the same country where the iPhone is or having to know the passcode.    

A hacker can easily send out millions of phishing e-mails, knowing that more than a few will click on the link that will download the malware. This device can only try to access the data on an iPhone that is plugged into it, one iPhone at a time. Do the math.

As long as the iPhone owners still have possession of their iPhone and they use a strong passcode, this device is not a security threat at all.

FWIW I get far more fishing expeditions targeting my iPhone and AppleID than I do for my Pixels. Heck, I get phone calls on my Android phone purportedly from Apple security teams telling me my Apple account has been hacked and they're here to help. LOL

Another fun fact: In over 11 years of using Android devices for hours a day I've encountered exactly the same number of malware events as I have on my Apple gear. ZERO.