Monday, March 19, 2018

GrayKey iPhone Unlocker

Thomas Reed (via MacRumors, Hacker News, Matt Odell, Reddit):

According to Forbes, the GrayKey iPhone unlocker device is marketed for in-house use at law enforcement offices or labs. This is drastically different from Cellebrite’s overall business model, in that it puts complete control of the process in the hands of law enforcement.


Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

After the device is unlocked, the full contents of the filesystem are downloaded to the GrayKey device. From there, they can be accessed through a web-based interface on a connected computer, and downloaded for analysis. The full, unencrypted contents of the keychain are also available for download.


The rising wait times and the phone erase function are built into the operating system. The operating system asks the Secure Enclave to do an unlock function, and when it returns an incorrect result the operating system won’t accept another attempt for a given time, and once 10 attempts are reached, sends a message to the Secure Enclave to purge its keys.

Based on the article, they have broken the chain of trust and are able to load their own operating system which can interact with the Secure Enclave directly and therefore doesn’t need to worry about those limits. It also looks like they haven’t penetrated the Secure Enclave itself, so the deliberate 80 ms minimum guess time within the Enclave itself is still intact (it takes them ~240 ms per guess based on the numbers they provide), which is good news - not everything is broken, just the weakest passwords (4-6 digit numeric).

This is basically what Apple admitted they could build for the FBI, but refused to comply and won in court saying they didn’t have to make this for them. This company either got ahold of Apple’s authentication keys to sign their “operating system” so the phone thinks it is legit and coming from Apple, or more likely they found a bug in the secure boot chain which lets them load and run their unsigned system.
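The timing argument in the comment above, carried through as an added example (not code from the original post or its sources). It takes only the two per-guess costs quoted there, the Secure Enclave's 80 ms floor and the ~240 ms inferred for GrayKey, and extends them to an alphanumeric alphabet as a constructed comparison, not a claim the page makes.

```python
"""Worked brute-force timing for the GrayKey argument quoted above.

Added example, not from the original post. The only inputs taken from the
page are the 80 ms Secure Enclave floor and the ~240 ms per guess inferred
for GrayKey; the 62-character alphanumeric case is a constructed comparison.
"""

SEP_FLOOR_S = 0.080   # Secure Enclave minimum time per attempt (quoted)
OBSERVED_S = 0.240    # per-guess cost inferred for GrayKey (quoted)
DIGITS = 10
ALNUM = 62            # a-z, A-Z, 0-9: constructed comparison alphabet


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       per_guess_s: float = OBSERVED_S) -> float:
    """Time to exhaust the whole keyspace at a fixed cost per guess."""
    return keyspace(alphabet_size, length) * per_guess_s


def expected_seconds(alphabet_size: int, length: int,
                     per_guess_s: float = OBSERVED_S) -> float:
    """Average time for a uniformly random passcode: half the keyspace."""
    return worst_case_seconds(alphabet_size, length, per_guess_s) / 2


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def min_length_exceeding(alphabet_size: int, target_s: float,
                         per_guess_s: float = OBSERVED_S) -> int:
    """Shortest passcode whose worst-case brute force exceeds target_s."""
    length = 1
    while worst_case_seconds(alphabet_size, length, per_guess_s) <= target_s:
        length += 1
    return length


if __name__ == "__main__":
    ten_years = 10 * 365 * 86400
    for label, alpha in (("numeric", DIGITS), ("alphanumeric", ALNUM)):
        for n in (4, 6, 8):
            print(f"{label:12} {n}: worst {human(worst_case_seconds(alpha, n))},"
                  f" at SEP floor {human(worst_case_seconds(alpha, n, SEP_FLOOR_S))}")
        print(f"{label:12} needs {min_length_exceeding(alpha, ten_years)} chars"
              f" to exceed 10 years worst case")
```

Six numeric digits at 240 ms come out at about 2.8 days, matching the "up to three days" figure quoted from the Grayshift documents.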

Previously: Cellebrite Can Now Unlock Recent iPhones.

Update (2018-04-14): Juli Clover:

GrayShift’s recently publicized “GrayKey” box designed to crack locked iPhones is seeing wide adoption among police forces and federal agencies across the United States, according to a recent investigation by Motherboard.
