> Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.<p>Wow. That's very sleazy.
That 15k(or 30k) box looks like it is slightly more polished than an arduino case straight from the likes of DigiKey.<p>It wouldn't look out of place in the 80's. The LEDs in particular would fit right in.<p>I would not be surprised to find an actual $1 micro controller driving this. Or to find that out the box wasn't really required at all – and that during development the software ran in a normal laptop, but they needed a physical product to charge the big bucks...
> FBI Director Christopher Wray recently said that law enforcement agencies are “increasingly unable to access” evidence stored on encrypted devices.<p>> Wray is not telling the whole truth.<p>I wish there was some punishment for Government officials for lying to the public. You can be prosecuted for lying to the FBI, so why shouldn't they be prosecuted for lying to you (the voter, who is supposed to have the power in a democracy)
Some more fun information here: <a href="https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/" rel="nofollow">https://blog.malwarebytes.com/security-world/2018/03/graykey...</a><p>It looks like it runs third party code on the device. Only needs to be connected to the black box for two minutes and then unplugged for the remainder of the process.
I've always wondered about the legalities of such things. How is it okay for a company to legally sell a hack of another company's technology? Is it because they only sell to the police? If this is okay, then where is the actual limit? Can they sell hacked access to a company's servers for example?
From the article, it seems to be a passcode bruteforcing tool. They state in the article 3 days or longer for a 6 digit passcode. Which I assume means 3 days for a 4 digit code. That’s about 26 seconds per guess.<p>So if you care about securing against this, use a longer passcode (and alphanumeric) is the message I guess.
I wonder if they have any process in place to prevent Apple buying one of these and figuring out how it works.<p>I would guess Apple already has one. But if they’ve tried to get one, and been foiled somehow, there must be a fascinating cloak-and-dagger story there that we’ll probably never hear...
Absent this whole article is the fact that there are good reasons for criminals to want to crack your phone. These developments just make it more likely your personal information and, frankly, cash can be stolen by anyone who swipes your phone.
I for one am glad I started using 25 character passwords 3-4 years ago. I just wonder how long it will be before that is not good enough either. Surely in my life time. And what's next? 50 character passwords? One hundred characters? 10-factor authentication?
It's probably in Apples best interested to let this firm operate. It might be even a long term strategy for them. It relieves pressure from them and keeps law enforcement happy.
> Malwarebytes’ post says GrayKey can unlock an iPhone in around two hours, or three days or longer for 6 digit passcodes.<p>So couldn't you avoid this by, say, having a longer PIN? Maybe even a password?
I thought the iphone has a delay after a few attempts at the secure enclave level?<p>I wonder if this is doing some sort of timing or voltage related validation of the code without needing to actually submit it. Ie the equivalent of 1234,backspace,5,backspace,6 etc without sending whatever is the equivalent of 'submit'
Most key bits are below; there's much more in the article and in the article's links.<p>> GrayKey can unlock an iPhone in around two hours, or three days or longer for 6 digit passcodes<p>> 'GrayKey' ... can break into iPhones, including the iPhone X running the latest operating system iOS 11.<p>> The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants.