Law enforcement agencies are snatching up hardware to throw at their piles of locked iPhones and the acquired hardware actually seems to be working. Though this may be good news for law enforcement, it could spell the death of iOS security.
GrayShift Introduces GrayKey
For law enforcement, Christmas came late this year but boy did it come!
GrayShift is a digital forensics company which is promising ‘lawful’ iOS unlocks for local, state, and federal law enforcement agencies.
Current iOS Security Options
If you currently have an iPhone or other device that runs iOS or have had one before, then you are probably familiar with the security options that were available to you but let us review them.
1. 4 Digit Pins
This option is familiar to most who started out early enough in iOS where this was the default option. A four digit pin is incredibly insecure because it is, simply put, too short. It would not take too long to try every combination especially if there was not a limit to the maximum number of attempts (this is 10 on iOS) and if there was not a waiting time between each attempt. That is 10,000 total combinations which is not great.
2. 6 Digit Pin
A substantial improvement on the total number of possible pins, a six digit pin will give us a total of 1,000,000 possible combinations. This is significantly better considering we only have to remember two extra numbers for 10 times the security. This is, considered by many, the minimum security standard that everyone should use on any device, iPhone or not.
3. Complex Passcode
Complex passcodes are not default on iOS. The reason might not be the most obvious but likely due to the reality that most people do not want to have to remember long passwords on their device every time they want to check a text message. While this option may not be the most user friendly, it is in fact the most secure. Even a six character password is must longer than a 6 digit pin and thus would take longer to brute force. Since there are 77 possible characters that are acceptable on iOS for the complex password, your six character password possibilities are at 208.4 billion (77^6).
That is a staggering number… even adding a single character to it will result in over16,048.5 billion (77^7) permutations. If you can handle having to type our your password each time, then we recommend checking out how to Set a Complex iPhone Password.
Almost forgot about GrayShift? Well, don’t because here is the thing. Remember that feature that makes you wait after you type in the wrong password or the one that limits you to 10 attempts before locking you out? Well… there is an exploit for it which allows GrayShift to bypass this limitation.
According to Matthew Green, the estimated iOS passcode cracking times, which assumes random decimal passcode and an exploit that breaks SEP throttling, which many speculate that GrayKey is able to achieve. Four digits would worst case take approx. 13 min to break, six digits, about 22.2 hours, eight digits around 92.5 days, and ten digits could take as long as 9259 days.
Well, there is more…
GrayKey, A Plug and Hack Solution
As portrayed in the article image, GrayKey, is a compact device with two extruding lighting cables for iOS devices. Apparently, it supports pretty much every iOS device Apple has ever made.
- iPhone 5s
- iPhone 6 & 6 Plus
- iPhone SE
- iPhone 6s & 6s Plus
- iPhone 7 & 7 Plus
- iPhone 8 & 8 Plus
- iPhone X
- iPad Air & iPad Air 2
- iPad Mini, 2, 3, 4
- iPad (2017)
- iPad Pro (1st & 2nd gen)
- iPod Touch (5th & 6th gen)
All that law enforcement needs to do to unlock the devices that are locked is plug them in. After a few minutes, during which the GreyKey box is installing proprietary software on the target device, the phone can be unplugged. Once the operation is complete, which will take longer depending on the length and complexity of the password, the device will simply display the password for the law enforcement to see, and probably use to get into the device.
Bellow is how the process might look:
Cause for Serious Concerns
GrayShift claims that it only will give GrayKey access to local, state, federal law enforcement and will verify any agency that wants to get a hold of the device. If you must know, agencies can either pay &15,000 per 300 devices or pay one large sum $30,000 for unlimited unlocks.
That breaks down to $50 per device; what a steal?! … Literally!
What is next for Apple?
Well, the ball is back in Apples court. It is now up to Apple and other ethical hackers to figure out what vulnerability is being used and patch it as quickly as possible. The dangers of having a vulnerability in the wild that is weaponized and used so willingly by law enforcement means that with each day that passes and each user who, whether they act on behalf of law enforcement or not, gains access to the device, the greater the likelihood that the device is stolen, private interests gain access to these capabilities, the very vulnerabilities that are exploited are discovered and used by other nation states or enemies of the U.S. to gain access to intellectual property or private communications of senators, or between other important leaders.
It is in the best interest of consumers and Apple that this vulnerability is found and patched as quickly as possible, as the benefits such tools do not justify the risks they create.