GrayKey adds to iPhone-unlock arsenal. How strong are your PINs?

Law enforcement has a new option for unlocking a suspect’s iPhone. An American startup called Grayshift is offering a service it’s calling GrayKey.

It joins a similar service from Cellebrite, an Israeli firm, revealed last week. But Grayshift is at least homegrown and is thought to employ one Braden Thomas, an ex-Apple security engineer.

Except Thomas left Apple more than five years ago, so I’m not sure exactly how relevant his past employment is. In this week’s Security Blogwatch, we dump our NAND.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Inogon, not Inogen

Unleashed and unlocked

What’s the craic? Thomas Fox-Brewster cunningly breaks the story—Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds:

$15,000 … permits 300 uses [and] requires constant connectivity at the customer end, whilst an offline version costs $30,000 [and] comes with unlimited uses.

Marketing materials have been disseminated around private online police and forensics groups. [They] showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware.

It claims GrayKey works on disabled iPhones and can extract the full file system. … Apple declined to comment.

The company was co-founded in Atlanta … by David Miles, who previously worked at Endgame, a company that reportedly developed hacking tools for U.S. government agencies. … One source [said] Grayshift also counted amongst its ranks former staff of cybersecurity firm Optiv. … Two cybersecurity industry sources … claimed Optiv had previously developed … zero-day exploits for the U.S. government.

Two former employees from Optiv are listed on LinkedIn as working at secret companies in Atlanta from September 2016, the same month Miles is listed as founding Grayshift. They include Justin Fisher, also previously of Endgame, and Braden Thomas, who'd previously worked at Apple for six years as a security engineer.

Well, yes, but those “six years” were 2006-12, so here in 2018, how relevant is his background? Still, we should never let tedious facts get in the way of a good story, amirite?

This “ex-Apple” angle gets a rise out of Don Reisinger—A Former Apple Security Engineer's Company Will Unlock Your iPhone X:

Shadowy companies are standard fare in the security world, where hacking … requires significant behind-the-scenes work.

Law enforcement can oftentimes be left in the dark if officials don’t have a way to break into an iPhone to spy on data. … Officials have decried the security protections in iPhones and other handsets, but Apple and rights advocates argue every individual has a right to privacy.

If Grayshift has indeed found a way to unlock iPhones, the company could stand to generate significant revenue selling the exploit to law enforcement. … The revelation comes just days after another security company, Cellebrite, announced that it could unlock the latest Apple handsets.

And then there were two? Chris Barylick notes Grayshift becomes second firm to offer iPhone unlocking tool:

GrayKey is advertised as being able to … brute-force passcodes in spite of Apple’s safeguards against the technique. … It’s thought that the firm’s practices are similar to those used by Cellebrite, which targets the Secure Enclave technology used in every iPhone since the iPhone 5s.

[But] GrayKey doesn’t require sending devices into a lab, [so] Apple should be able to obtain a copy and reverse-engineer it to discover how it works and fix relevant security holes.

It’s as if JC Torres is towering over us in Rio: [You’re fired—Ed.]

Apple has always prided itself and its products for being on the side of protecting customers’ privacy, even when that goes against the demands of the government. [So] it has become a huge target, not just for government scrutiny and criticism but also for hackers who love a good challenge.

It’s definitely a huge claim to be able to do something that so few have been successful in doing, even with government “persuasion.” … At this point, it is still unknown whether Grayshift really has the creds to back up its claims.

But is it even possible to brute-force an iPhone? Jdb8167 says yes:

With physical access, you have to assume that a brute force crack is possible. So, if this concerns you, use a strong passcode or passphrase. I use a 12 digit passcode. If these devices can do 20 attempts per second (50 ms/attempt) then it will take 1500+ years.

Since it is unlikely that they can clone the Secure Enclave, that is about as good as it is going to get. The 50 ms is enforced by the SE and is unlikely to be hackable.
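Jdb8167’s arithmetic, worked through as an added example (not code from the article or any commenter): worst-case time to exhaust a passcode keyspace at a fixed per-attempt delay, using the 50 ms/attempt figure the comment attributes to the Secure Enclave. It generalizes the 12-digit case to other lengths and alphabets; the policy table and the 20 attempts/s rate are assumptions taken from the comment, not measured figures.

```python
# Added example: worst-case brute-force time for a passcode when the device
# enforces a fixed delay per attempt. The 50 ms/attempt rate is the comment's
# assumption, not a measured Secure Enclave figure.
from typing import Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DEFAULT_RATE = 20.0               # attempts per second = one attempt per 50 ms


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of this length over this alphabet."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def brute_force_seconds(length: int, alphabet_size: int,
                        attempts_per_second: float = DEFAULT_RATE) -> float:
    """Worst-case seconds to try every passcode at a fixed attempt rate."""
    if attempts_per_second <= 0:
        raise ValueError("attempts_per_second must be positive")
    return keyspace(length, alphabet_size) / attempts_per_second


def brute_force_years(length: int, alphabet_size: int,
                      attempts_per_second: float = DEFAULT_RATE) -> float:
    """brute_force_seconds expressed in Julian years (365.25 days)."""
    return brute_force_seconds(length, alphabet_size,
                               attempts_per_second) / SECONDS_PER_YEAR


# Constructed policy table: (label, length, alphabet size).
# 10 = digits only; 62 = upper + lower + digits (a custom alphanumeric code).
POLICIES = [
    ("4-digit PIN", 4, 10),
    ("6-digit PIN", 6, 10),
    ("12-digit PIN", 12, 10),
    ("10-char alphanumeric", 10, 62),
]


def policy_years(attempts_per_second: float = DEFAULT_RATE) -> Dict[str, float]:
    """Worst-case years per policy. Expected time is about half of this, and
    far less if the PIN follows a guessable pattern (dates, repeated digits)."""
    return {label: brute_force_years(n, a, attempts_per_second)
            for label, n, a in POLICIES}


if __name__ == "__main__":
    for label, years in policy_years().items():
        print(f"{label:22s} {years:>16.1f} years (worst case)")
```

At 20 attempts/s a 4-digit PIN falls in about eight minutes and a 6-digit PIN in under 14 hours, while the comment’s 12-digit PIN comes out at roughly 1,584 years, which is why the length of the passcode, not the biometric in front of it, is what matters here.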

Interesting insight. And here be JBDragon’s:

If you're using TouchID or FaceID, use a really LONG and complicated password. Most of the time you won't be using it to unlock your phone anyway.

They'll be there, for a very long, long, long time, YEARS and YEARS and won't be able to break into your phone by brute force. This is not a very good way to break into an iPhone, or whatever else with real good security.

The only way you're ever getting in is with a weak front door. As in a Weak passcode.

Wait. Pause. I thought iPhones would wipe themselves after so many failed attempts? Here’s Daniel Horký:

You know that "erase your data after 10 failed passcode attempts" does not work in Recovery Mode. You can brute force it there.

And (ahem) sexconker suggests a broader stratagem:

This is either something that makes use of a massive vulnerability in Apple's implementation, or it's the tried-and-true method of freezing/resetting the unlock attempt counter so you can brute-force the password.

But what of this Braden Thomas guy? Heed the word of TrekkieGod:

The part that gets me thinking is that the firm is run by an ex-Apple security researcher. If he gets to do the above … through a private key he swiped from Apple … or a backdoor he coded in himself, then he's in serious legal trouble.

Still, $15,000 is pretty spendy, no? No, says Rolf Gutmann:

I do not trust this. 15k is way too cheap. At Zerodium you pay 1,000k plus for [zero days] in this area. Can be a new pentester trying to cash-in on-large to top a one-shot BugBountyFee.

But what does this mean to app developers? ctilsie242 suggestifies:

Maybe app developers should consider doing their own encryption? … This could be fairly simple, depending on the persistence of the data. If the data doesn't leave the device, create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key.

If the data has to be backed up, it could be encrypted with a nonce, and a HMAC of the nonce and the PIN/PW used to secure it if it is backed up to iCloud or if it goes to iCloud directly as a file. … OpenSSL is available on iOS, so this shouldn't be too much of a stretch.

Meanwhile, raymorris just rolls his eyes:

The key to your whole scheme is the nonce. And you don't know what a nonce is. So I'll answer your question:

App developers should develop apps. Cryptographers, who not only know what a nonce is, but can rattle off the top three most common problems when using a nonce, should do cryptography.

Secure encryption is such a difficult problem that people who … spend their entire careers doing it still can't reliably do it right. It's that difficult.

The moral of the story? If Grayshift and Cellebrite can, so can hackers. Make sure your users have strong PINs.

And finally …

What the heck is a moiré effect beacon?

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: pxhere (cc0)