The widely used GreyKey tool is seemingly obsolete after the privacy-protecting iOS 12 update
Employees at GreyKey, an app law enforcement agencies use to access iPhones without the owners’ permission, have said that the latest version of iOS blocks their app from accessing data.
Forbes‘ Thomas Brewster spoke with sources at GreyKey’s parent company GreyShift, who confirmed that the update specifically blocks the GreyKey app, and they cannot figure out why.
Now, if a phone has the latest iOS update, GreyKey is only able to perform a “partial extraction,” limiting its efficacy to useless scraps of unencrypted files and some metadata.
This presents a grave dilemma for GreyShift’s business of securing contracts with law enforcement and federal agencies like Immigration and Customs Enforcement (ICE).
When police have asked Apple for help accessing into iPhones, Apple has sided with consumer privacy.
After the 2015 San Bernardino terrorist attacks, Apple declined a judge’s order to give “technical assistance” to the FBI to access a suspect’s device.
Back in April, a Motherboard investigation revealed GreyShift contracts with State Police forces in Maryland and Indiana, and additional ties to the State Department and Drug Enforcement Agency (DEA).
The app uses a method known as “brute force” entry: automated password guesses that keep going until one works.
GreyShift is part of a growing industry working to thwart Apple’s privacy efforts.
Earlier this year, an Israeli company called Cellebrite possibly aided a Department of Homeland Security (DHS) raid on an iPhone X.
And earlier this month, the FBI opened a suspect’s phone using an iPhone X’s Face ID—the first known instance of the feature being used in a law enforcement investigation.
Apple, it seems, isn’t just going to take this lying down.
Apple’s latest iteration of iOS has reportedly turned the GrayKey hacking device into an expensive doorstop.
Law enforcement around the world has taken to using GrayKey to break into locked iPhones but it appears Apple has finally gotten ahead of the device’s crafty manufacturers. For now.
Forbes’ Thomas Brewster has been on top of the GrayKey saga from the beginning.
On Wednesday, he cited sources from the forensic community who’ve told him that Apple’s efforts to keep bad actors and law enforcement from cracking into its users’ phones have paid off.
According to the report, the $15,000 tool made by a shadowy company called Grayshift is now only capable of performing a “partial extraction” of data.
It can pull a few unencrypted files and some metadata that’s virtually worthless.
One source that went on the record for Forbes, Captain John Sherwin of the Rochester Police Department in Minnesota, confirmed that the release of iOS 12 has hobbled GrayKey’s ability to unlock a phone.
“That’s a fairly accurate assessment as to what we have experienced,” he told Forbes.
It’s still unclear what exact change could have been made to shut GrayKey out.
Previous reporting has told us that the tool uses a workaround to brute force its way in by guessing a users’ password until it gets it right.
Apple has protections in place to stop that kind of tactic and GrayShift’s methods are a closely held secret. Not much is known about the company.
In March, Forbes reported that GrayShift counts at least one ex-Apple security engineer as part of its team.
You can’t even view its website without a login given to members of law enforcement, though there have been indications that it works with private entities in some capacity as well.
With iOS 12, Apple implemented a highly-anticipated change called “USB Restricted Mode.”
This shuts off lightning port access on the iPhone if it hasn’t been unlocked by a user in the last hour.
This was widely believed to be Apple’s solution to foil companies like GrayShift and Cellebrite but we don’t know for certain if that did the trick.
Apple did not return our request for comment.
Whether it’s the solution or not, you might want to double-check that your phone is set up for USB Restricted Mode.
You’ll need to be updated to iOS 12 and go to Settings > FaceID and Passcode.
Scroll down to the bottom of the page and you want your settings to look like this:
There’s no word on whether GrayShift’s competitors have hit a wall in their efforts to subvert Apple’s security.
This is a big money business and we can expect that whoever loses their cash cow will be working overtime to figure out another workaround.