
GrayKey iPhone unlocker poses serious security concerns - conductor
https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/
======
thisacctforreal
Passphrases are always going to be the strongest, but you can have more than 6
digits in your pincode.

Select "Custom Alphanumeric Code" in Passcode Options[1], but only enter
digits using the keyboard. iOS will display a pin pad on the lock screen that
will accept any number of digits[2].

I picked this up from the delicious iOS 11 security whitepaper[3].

[1] [https://i.imgur.com/KEEC71B.png](https://i.imgur.com/KEEC71B.png)

[2] [https://i.imgur.com/YrgQA5s.png](https://i.imgur.com/YrgQA5s.png)

[3] [https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

~~~
Twisell
This is plainly brilliant. Just did that and the interface seems to not give
any clue about the expected number of digits. Meaning that an attacker has no
means to even estimate the time needed to unlock. One could only figure out
that the complexity of the password increased after failing all attempts with
fewer digits (which will already take a lot of time).

But of course alphanumeric would be even safer.

~~~
nerdponx
I love it, but the XKCD wrench comic is fresh in my mind. When I was mugged,
they just made me unlock the phone right there on the street.

~~~
jostylr
It would be nice to have a panic code that one could type in, making it look
unlocked, hiding apps a user could mark as secret, and optionally sending a
security/tracking alert. This could also thwart a cracking device by making it
look cracked at a shorter code, but giving no actually useful info.

~~~
martin_bech
Many fingerprint systems have this for access. A "Duress" Finger. If you use
that finger, the system can be set up for a silent alarm, full on alarm,
lockdown or whatever configuration you need.

------
abalone
If this actually works there has to be some huge, embarrassing vuln in Apple's
Secure Enclave Processor on par with the "CTS Labs" AMD secure coprocessor
hoopla that hit the news just this week.[1][2]

The SEP is supposed to enforce a time delay between passcode attempts to
prevent this sort of brute forcing. The timer could be defeated in older
models by cutting power at just the right time, but Apple's whitepaper says
it's supposed to survive restarts now.[3]

Based on the screenshots it looks like it can load custom firmware on the
iPhone. That's bad.

[1] [https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond](https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond)

[2] HN discussion:
[https://news.ycombinator.com/item?id=16597626](https://news.ycombinator.com/item?id=16597626)

[3] p15:
[https://images.apple.com/business/docs/iOS_Security_Guide.pdf](https://images.apple.com/business/docs/iOS_Security_Guide.pdf)

~~~
dheera
Time delays only provide a false sense of security. In theory I could always
cut open the casing and just plug wires straight into the eMMC or whatever you
have in there. Your time delay UI is useless if I just bypass your UI and wire
straight into the hardware.

Of course that's non-trivial EE work, but the point is it's possible, for
someone with enough money and the right equipment. What _would_ make it
intractable is to ditch the idea that a 4 digit pin is protecting you from
anything. There's simply not enough entropy in that.

Time delays are useful protection when over a network. But not when the
attacker has physical console access, e.g. to a phone. At that point proper
cryptography and mathematics is the only good protection.

~~~
abalone
You misunderstand the SEP. It contains an externally unreadable private key
baked in at manufacturing time that encrypts protected data. Your "wires"
would read garbage. The iOS security white paper is worth a read.

Perhaps a nation-state actor could shave down the processor and read that key
with a SEM or some crazy thing, but that's literally how far the design is
_supposed_ to have pushed iOS security. Which is what makes this hack so
embarrassingly bad (if confirmed).

~~~
bufferoverflow
SEMs are not _that_ expensive. The cheap ones on eBay are $12-14K. The more
expensive Chinese ones are closer to $200K.

A security company can easily afford either.

~~~
matthewmacleod
I don't think the acquisition of a SEM is the barrier to performing this kind
of attack. It's still _extremely hard_.

~~~
abalone
I think I read somewhere that some secure coprocessors incorporate physical
defenses that will destroy keys if you try to shave them down or physically
tamper. So yeah. Hard.

------
userbinator
_However, it does mean that an iPhone’s security cannot be ensured if it falls
into a third party’s hands._

That was and will always continue to be true. Even secure cryptoprocessors of
the type used in smartcards and HSMs can be cracked with enough determination
and time. There are companies in China who will read and clone them for
surprisingly little money.

It has always amused me somewhat how scared (or the impression that articles
like this give) some people are of governments, while at the same time
completely accepting and trusting being herded and controlled by the
companies they purchase these locked-down computers from. Anything you truly
want to keep secret should be encrypted by systems you have knowledge of, with
a key that only you know, or even better --- not leaving your brain at all.

_Unfortunately, the IP-Box 2 became widely available and was almost
exclusively used illegitimately, rather than in law enforcement_

If by "illegitimately" you mean third-party repair shops... I know Apple
doesn't like that, but the whole *-box series are aimed at the mobile repair
industry (a huge business in China), not law enforcement.

~~~
SlowRobotAhead
>or even better --- not leaving your brain at all.

The faintest of ink will outlast the best of memory, or something like that.

~~~
Zhenya
"A dull pencil is better than the sharpest mind."

That's the way I've always heard it.

~~~
eltoozero
I’ll have to write that down so I don’t forget it.

~~~
StavrosK
Make sure you use a dull pencil, we have no data about how other types
compare with minds.

------
jsizzle
Is it just me or does the price point seem extremely low? They have a device
that should be in high demand globally, and maybe one competitor. And they are
charging 15-30k, for basically unlimited usage?? You can't tell me federal law
enforcement wouldn't pay at minimum ten times that amount for metered usage...

~~~
ashman5
I bet they realize the lifespan of this device is very short and are trying to
maximize ROI short-term.

~~~
lostapathy
That was my thought as well - but on the flip side, by dealing in quantity
they are a lot more likely to have one leak and be reverse engineered, and
thus have Apple render them all useless.

It's certainly an interesting problem of profit maximization!

~~~
SlowRobotAhead
Unless the vulnerability is in the CPU/DMA/whatever and not easily patched.
Everyone assumes that Apple has no idea what it is, maybe they are keenly
aware and it’s just not fixable.

------
shawnz
> The cheaper model isn’t much of a danger if stolen—unless it’s stolen prior
> to setup—but at 4″x 4″x 2″, the unlimited model could be pocketed fairly
> easily, along with its token, if stored nearby. Once off-site, it would
> continue to work.

Presumably even the cheaper model could be reverse engineered to reveal the
exploit used. But once it becomes known, it would be patched.

------
incresp
Can Apple sue the makers of this program under DMCA anti-circumvention acts?

~~~
saagarjha
I believe jailbreaking is a protected category for which an exception is made.

~~~
coldcode
I find it hard to believe that jailbreaking for profit is a protected category.

~~~
jessedhillon
> (e) Law Enforcement, Intelligence, and Other Government Activities.— This
> section does not prohibit any lawfully authorized investigative, protective,
> information security, or intelligence activity of an officer, agent, or
> employee of the United States, a State, or a political subdivision of a
> State, or a person acting pursuant to a contract with the United States, a
> State, or a political subdivision of a State.

------
NotSammyHagar
I hate this stuff. I want to secure my device and not have the govt or
companies steal it, I want to control my device. Still, it's fascinating to
learn about.

Did no one think, when they take someone's phone for 5 minutes at the border,
they could be doing this to your phone?

~~~
djrogers
Well, as the article makes clear, it takes from hours to days to crack, so no -
they’re not doing this in 5 minutes at the border.

~~~
tonyztan
They can routinely keep you at the border for a few hours though.

------
nobeliefs
Can GreyKey or anything else really bypass the unlock attempt counter of an
iPhone set to erase itself after 10 unsuccessful attempts? Have they found a
way to replace the firmware that executes that erase procedure? In that case,
only password complexity can save you. But no evidence is shown that proves
they can accomplish this.

------
rphlx
Humans being abysmal PIN and password generators, a decent fraction of phones
can probably be unlocked within 5 attempts by just trying 123456, 123123,
111111, 654321, 000000. Unless/until the phone forces the user to _learn_
rather than _select_ a PIN that's probably going to remain the biggest vuln.

~~~
Tempest1981
I think iOS warns you if you choose one of these. But it may not stop you.

------
verroq
How much bounty would Apple pay, say, if somebody steals one and sends it to
them? Is it illegal for them to make such an offer?

~~~
djrogers
The ‘offer’ isn’t illegal - going through with it would be though, for both
sides. Grand theft and receiving stolen goods. Both not great, plus you’d be
actively acting against the law enforcement system which would ensure a
zealous prosecution.

~~~
sgc
Of course it is. You can't broadcast a bounty on someone's life, or their
property, or any other illegal act. It is solicitation.

------
ams6110
> An iPhone typically contains all manner of sensitive information: account
> credentials, names and phone numbers, email messages, text messages, banking
> account information, even credit card numbers or social security numbers.
> All of this information, even the most seemingly innocuous, has value on the
> black market

My phone has no banking information, credit card information, Social Security
numbers, or email accounts that can be used to recover or reset access to any
online service. Why? Because I don't trust my phone.

But aside from all that, all that information is already on the black market.
There have been so many breaches, Equifax just to name one, to think
otherwise.

~~~
laggyluke
If you're not trusting your phone, is there a different kind of computing
device that you trust?

------
mschuster91
I wonder: Apple has hundreds of billions in overseas cash. Why don't they go
after Cellebrite and Grayshift and offer the owners something to the tune of
1-2 billion US$ in hard cash? Given the reputation hit once this knowledge
becomes widespread, a couple billion dollars are pocket change.

~~~
nocobot
I don't think this becoming common knowledge would have a noticeable impact on
sales.

Few people imagine themselves to ever be in a position where they would want
to protect the info on their phones from LE.

------
Buge
> The cheaper model isn’t much of a danger if stolen—unless it’s stolen prior
> to setup—but at 4″x 4″x 2″, the unlimited model could be pocketed fairly
> easily, along with its token, if stored nearby. Once off-site, it would
> continue to work. Such a device could fetch a high price on the black market,
> giving thieves the ability to unlock and resell stolen phones, as well as
> access to the high-value data on those phones.

If this gets stolen and put on the black market, that would be a good thing.
Because then Apple can buy one, figure out what vulnerabilities it's using,
and patch them.

------
closeparen
This seems at odds with Apple’s claims about holding the device encryption
keys in a secure coprocessor that only releases them in response to a valid
passcode, and self-destructs the keys if too many passcodes are tried.

~~~
djrogers
It’s not at odds with it - it’s pretty obviously using a vulnerability to run
a crack against the passcode. Once the passcode is found, that is used to
unlock the phone and thus the Secure Enclave.

~~~
matthewmacleod
I agree it’s not at odds with it, but it’s not even that simple - the passcode
is enforced by the Secure Enclave itself. It’s not a case of “try passcodes
until you find the right one then tell the SEP” - it has to be exploiting a
vulnerability in the SEP itself, assuming what we know of the design and
attack is true.

~~~
rphlx
Technically, this does not absolutely _have_ to be a SEP vuln. It's possible
that the PIN is being stored (not properly zeroed after use) somewhere outside
the SEP, i.e. a pinpad entry buffer or something. Often criminals do not think
to, or are unable to, turn off their phone when being arrested. Furthermore
the iPhone battery is not removable and some portions of its DRAM - in theory
anyway - could persist even when the phone is "off". Apple has (or at least -
prior to public outrage - had) a fairly loose definition of "off" for other
aspects of the system, such as Bluetooth.

------
uselpa
Would pair-locking prevent this kind of attack?

------
jokoon
I thought iPhones were electronically secure; it seems they are not. I thought
the FBI had to just do some X-ray of some chip to read some ROM thing.

Sometimes I wonder if real security is really and theoretically possible, or
if it's just engineers who never manage to achieve it because designers want
things to be usable for consumers.

Whatever happens, it doesn't seem really secure consumer-oriented devices
exist. I wonder if there are Android devices that do a good job at that, and
what's the status of the security of Android devices in general; I would guess
it's not better.

~~~
ozim
What is real security? Is it absolute security?

Are you willing to pay $500k for a phone? Is there a vendor who is willing to
put an R&D investment of $20mil in so you can buy one? How many more phones
would they sell? If you were Ed Snowden, would you even trust that company?

Are you going to buy a safe to keep family photos in it?

What does it even mean for you to have an absolutely secure phone if you are
going to be hit by a bus tomorrow?

------
joering2
I bet there is a lawsuit in the works by Apple et al!

I mean if they truly broke an iPhone lock, then it means they had to be
tampering with a true Apple device (not a dummy) in order to make their device
work. Therefore, they violate Apple's TOS, which I am sure forbids any sort of
backdooring. I doubt they will go after a rogue Chinese jailbreaker sitting in
mom's basement and trying to make a name for him/herself, but here we have an
example of a for-profit incorporated business that makes 100% of their money
by breaking Apple's devices.

On the other hand, if this is all just some sort of marketing gimmick, or the
device has never been truly tested on an iPhone, then I am sure they can go
after them for attempting to shame iOS/iPhone so users think their devices are
less secure than they actually are, which could hit their bottom line.

