Archive for GrayShift

Grayshift Has iOS Spyware That Can Capture Your Passcode….. But There’s A Catch

Posted in Commentary with tags on May 20, 2020 by itnerd

If you’ve been following this blog for a while, you’re likely aware of Grayshift, which is a company that makes iPhone cracking tools for law enforcement. Now the catch with any of these sorts of tools is that they brute force the passcode to get into the iPhone in question. That’s great if you are dealing with a 4-digit passcode, which would take minutes to crack, or a six-digit one, which would take hours. But if you’re dealing with an alphanumeric passcode, that may be next to impossible to crack. So, for those scenarios where the passcode is difficult to crack, Grayshift has another approach that was previously unknown to the public:

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.

The spyware, a term for software that surreptitiously tracks users, has been available for about a year but this is the first time details of its existence have been reported, in part because of the non-disclosure agreements police departments sign when they buy a device from Grayshift known as GrayKey.

Those NDAs have helped keep Hide UI a secret. Because of the lack of public scrutiny of the feature as well as its covert behavior, defense attorneys, forensic experts and civil liberties advocates are concerned that Hide UI could be used without giving owners the due process of law, such as a warrant.

So the use of this software would go something like this:

In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect, said the people familiar with the system, who did not wish to be identified for fear of violating their NDA with Grayshift and having access to the device revoked.

For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.

Well, the suspect would have to be pretty dumb to fall for this, especially now that the existence of this spyware is out there. And you have to wonder how legal this method of grabbing data off an iPhone is. But I am a computer nerd and not a lawyer. One thing is for sure: now that this is out there, you can bet that Apple will try to devise countermeasures to this so that whatever success this tool has in terms of helping to get into iPhones is short-lived.

GrayShift Pwned…. Some Code Leaked And An Extortion Attempt Was Made

Posted in Commentary with tags on April 25, 2018 by itnerd

You might remember that I have previously covered GrayKey, which is made by a company called GrayShift and is the iPhone unlocking device that all the cool law enforcement types are using at the moment. Well, it seems that they’ve had a bit of a leak of some of their IP as part of an extortion attempt by parties unknown. Motherboard has the details:

Last week, an unknown party quietly leaked portions of GrayKey code onto the internet, and demanded over $15,000 from Grayshift—ironically, the price of an entry-level GrayKey—in order to stop publishing the material. The code itself does not appear to be particularly sensitive, but Grayshift confirmed to Motherboard the brief data leak that led to the extortion attempt.

“Mr. David Miles,” the extortionists’ first message, published on Thursday, reads, addressing a co-founder of Grayshift. “This is addressed to you and any other people interested in keeping GrayKey product secure and not available to the wide [sic] public.”

Indeed, Grayshift told Motherboard in a statement “Due [to] a network misconfiguration at a customer site, a GrayKey unit’s UI was exposed to the internet for a brief period of time earlier this month.”

“During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access,” the statement added.

So the company says that this isn’t a big deal. But the fact that GrayShift got pwned at all has to get your attention, as well as the attention of their customers. You can bet that either the people responsible for this or someone else will take another shot at the company. And maybe they will get much further, and that may spell trouble for GrayShift.