FBI Refuses to Say Whether It Bought iPhone Unlocking Tech 'GrayKey'

88 points by _o_ about 7 years ago

11 comments

jlgaddis about 7 years ago
It seems safe to assume that they *did* purchase it -- or that they will, in the near future (perhaps they haven't *technically* "purchased" it yet if, for example, the PO or payment hasn't yet completed).

I mean, $30,000 for the "unlimited" one-year license? Seriously, why *wouldn't* they purchase it? If local and state police agencies have bought this device, I think we can all safely assume the FBI has as well.

Hell, I wouldn't be surprised to hear that the FBI *recommended* the purchase of this device to local and/or state agencies.
itsadrop about 7 years ago
Law enforcement using a throwaway account here. Why is this such a mystery? Of course they have it. We're all scrambling to find the 15 grand to get a license. (It's 15K for a web based license, 30K for a standalone license.) Cold cases are being re-opened because we can now access devices we have shelved. I guess I'm just confused why it's such a big deal?
atonse about 7 years ago
My guess is that Apple will find a way to secure their own copy of GrayKey using a shell company and reverse engineer the exploit. Like others have said, it's a cat and mouse game.

This seems to be a software exploit if it requires not opening up the iPhone. There are more sophisticated hardware techniques (one was "decapping" the chip and reading the data out so you can try passcodes elsewhere), but I believe Apple's also finding mitigations for those as well.
jonnrb about 7 years ago
Since the DMCA prohibits the circumvention of Access Controls, couldn't Apple litigate the heck out of the GrayKey?
thisacctforreal about 7 years ago
According to the iOS Security whitepaper[0];

Each device has a unique 256-bit AES key called the "UID", and a programmable "device group ID" called the "GID".

The UID is "fused" and the GID "compiled" into the Application Processor and Secure Enclave during manufacturing, but no software or firmware can access them. The firmware can only see results of encryption and decryption, and the keys are accessible only to the AES engine's silicon. They are not available via JTAG or other debugging interfaces.

On some later chips the Secure Enclave generates the UID itself.

Apart from the UID and GID, the Secure Enclave can also generate new keys using a RNG. See also: Krypton[1].

(see page 12)

Passcodes are "entangled" with the device's UID, so brute-force attempts must be done using the Secure Enclave (or with an electron microscope?).

Each attempt has an iteration count calibrated for 80ms, which would mean an average of ~11 hours to brute force a 6-digit pin[2].

iOS also has longer delays for multiple attempts; 1 minute after 5 attempts, 5 minutes after 6, 15 minutes from 7-8, and 1 hour for each attempt after 9. The paper later mentions that devices with the Secure Enclave will enforce the longer delays, including after reboots, but this doesn't seem to be the case for GrayKey.

(see page 15)

GrayKey claims to crack an iPhone (with 4-digit pincode?) in around ~2 hours, but more than 3 days for 6-digit pincodes. Which might work out to ~1s per guess?[3].

If you use an alphanumeric passcode, or a custom numeric code, you likely don't have to worry about these unlockers.

A random 10-digit pin will take an average of 12 years 6 months to crack[4].

[0] https://www.apple.com/business/docs/iOS_Security_Guide.pdf

[1] https://krypt.co

[2] 6-digit pin, 80ms/guess: 1e6 * 80 / 1000 / 60 / 60 / 2 = 11h 7m

[3] 4-digit pin, 1s/guess: 1e4 * 1000 / 1000 / 60 / 60 / 2 = 1h 23m

[3] 6-digit pin, 1s/guess: 1e6 * 1000 / 1000 / 60 / 60 / 2 = 5d 18h 53m

[4] 10-digit pin, 80ms/guess: 1e10 * 80 / 1000 / 60 / 60 / 24 / 365 / 2 = 12Y 8M 6d
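
The arithmetic in thisacctforreal's comment above, extended to the escalating lockout delays it quotes. This is an added example, not part of the thread; the reading of the delay schedule, the function names and the sample passcode policies are assumptions.

```python
# Added example: models the figures quoted in the comment above.
PER_GUESS_S = 0.080  # per-attempt key-derivation cost quoted in the comment

def lockout_delay_s(failed):
    """Delay before the next attempt after `failed` wrong guesses.
    Assumed reading of the quoted schedule: 1 min after 5, 5 min after 6,
    15 min after 7 and 8, 1 hour after 9 or more."""
    if failed < 5:
        return 0
    if failed == 5:
        return 60
    if failed == 6:
        return 5 * 60
    if failed <= 8:
        return 15 * 60
    return 60 * 60

def attempts_time_s(n, per_guess_s=PER_GUESS_S, enforce_delays=False):
    """Seconds needed to make n guesses, optionally with lockout delays."""
    total = n * per_guess_s
    if enforce_delays:
        # Closed form so 10-digit keyspaces do not need a 5e9-step loop.
        total += sum(lockout_delay_s(f) for f in range(min(n, 9)))
        total += max(n - 9, 0) * lockout_delay_s(9)
    return total

def average_crack_time_s(alphabet, length, **kw):
    """Average case as in the comment: half the keyspace is tried."""
    return attempts_time_s(alphabet ** length // 2, **kw)

def human(seconds):
    """Render seconds in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} s"

if __name__ == "__main__":
    # Constructed sample policies: (label, alphabet size, passcode length).
    cases = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
             ("10-digit PIN", 10, 10), ("6-char [a-z0-9]", 36, 6)]
    for name, alphabet, length in cases:
        fast = average_crack_time_s(alphabet, length)
        at_1s = average_crack_time_s(alphabet, length, per_guess_s=1.0)
        slow = average_crack_time_s(alphabet, length, enforce_delays=True)
        print(f"{name:16} 80ms: {human(fast):>12}  1s: {human(at_1s):>12}  "
              f"delays enforced: {human(slow):>14}")
```

With the delays enforced, the one-hour wait per attempt dominates the 80 ms derivation cost by several orders of magnitude, so whether the lockout schedule actually holds decides how much a short numeric PIN is worth.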
qume about 7 years ago
This is strange... I posted here a theory on how this might work and the post has disappeared completely while showing zero points in my comments page. Just a single downvote wouldn't make it not show, correct?

Does HN censor potential security disclosures?

All I said was it was probably using techniques like voltage and timing analysis for instance as described here:

https://www.coursera.org/learn/hardware-security/lecture/2UgeK/power-analysis
wpdev_63 about 7 years ago
What's up with these stories? It's been known for a while now that the FBI and other _american_ agencies have backdoors into every cellphone: https://wikileaks.org/ciav7p1/#ANALYSIS
onetimemanytime about 7 years ago
How it can be solved:

Apple announces $10 million bounty to reveal exploit. I guess within hours they'll have it, probably from GrayKey engineers (might be hard to claim given NDAs).
ada1981 about 7 years ago
Is anyone selling a charging dock modeled after this yet?
sneak about 7 years ago
Dear Apple staff reading this: the continued silence of Apple on this matter is making me lose trust in the safety of my iPhone. I want to know what iOS version protects me against the exploit used by the GrayKey, if indeed I am, or I want to know I’m not if I am not.
mtgx about 7 years ago
I don't really care whether or not the FBI bought this device or another. What I want to know is what's Apple's response to all of this?

iOS11 seems to have almost purposeful security weaknesses. I'm willing to give Apple the benefit of the doubt here, but only if they fix whatever flaws these guys and Cellebrite are using to break into iOS11 iPhones.

Both those decryption devices seem to rely on iOS11 so it must be a new change, which means it shouldn't be too hard for Apple to figure out which one of its recent changes caused this weakness in security.