
FBI unlocked iPhone 11 Pro via GrayKey, raising more doubts about Pensacola case - miles
https://ww.9to5mac.com/2020/01/15/fbi-pensacola-iphone-11-pro/
======
reaperducer
For those who want to read the original journalism and not a blog's re-hash of
someone else's hard work:

[https://www.forbes.com/sites/thomasbrewster/2020/01/15/the-f...](https://www.forbes.com/sites/thomasbrewster/2020/01/15/the-fbi-got-data-from-a-locked-iphone-11-pro-max--so-why-is-it-demanding-apple-unlock-older-phones/)

~~~
eganist
I'll take the blog re-hash so long as Forbes insists on trying to force me to
accept their (compromised once-monthly) ad network, but the effort in digging
up and reposting the link is well-spent generally, so thanks.

(to be clear: if Forbes handled their ads on their own or used ad networks
that invest in the security of their platform, I'd actually probably bite the
bullet, but if I visit the site on mobile and end up being redirected to
another "your phone is infected!" ad exploiting their current provider... I'll
keep steering clear without ublock enabled.)

~~~
camiat
[https://i.imgur.com/dmgV13H.png](https://i.imgur.com/dmgV13H.png)

Image copy of the article for the interested.

------
ec109685
GrayKey can’t unlock long passcodes:
[https://appleinsider.com/articles/18/04/16/researcher-estima...](https://appleinsider.com/articles/18/04/16/researcher-estimates-graykey-can-unlock-a-6-digit-iphone-passcode-in-11-hours-heres-how-to-protect-yourself)

~~~
jaclaz
Also - besides its name and the company name - there is nothing AFAIK
connecting it to the "black/gray market"; at least initially those were offered
only to LEO and only in the US and Canada.

And the "long been used" is IMHO a tad bit exaggerated: it came out in the
first months of 2018, and - setting aside the FBI and whatever other US three- or
four-letter government agencies - it is not likely that US$ 15,000 or US$
30,000 is something that any police department has in a drawer and can spend
instantly; more probably it has taken at least a few months for everyone to
get the expense authorized:

[https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple...](https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/#3111d4ce2950)

No idea on volumes of sale or how many departments got one, in either the
"online" or "offline" version, but by now - if it was "widely" used - I
presume we would have a lot of evidence based on unlocked iPhones in trials.

~~~
jackhack
>it is not likely that US$ 15,000 or US$ 30,000 is something that any police
department has in a drawer

I wish that were true. Police in any small town in America could start at
lunchtime and have that amount by nightfall. Let me introduce you to "civil
asset forfeiture" ( [https://www.heritage.org/research/reports/2014/03/civil-asse...](https://www.heritage.org/research/reports/2014/03/civil-asset-forfeiture-7-things-you-should-know) )

There are state and federal versions of this, and a "sharing" program to share
the loot. It's pure corruption in blatant violation of the US Constitution,
but it's good for government/police business (e.g. buys a lot of helicopters,
tactical/swat equipment, training, etc.) so it persists.

~~~
Hamuko
As a non-American, it's almost unbelievable that the police can basically rob
you in the so-called land of the free and home of the brave.

~~~
drummer
Worldwide problem.

"The idea that the State originated to serve any kind of social purpose is
completely unhistorical. It originated in conquest and confiscation - that is
to say, in crime. It originated for the purpose of maintaining the division of
society into an owning-and-exploiting class and a propertyless dependent class
- that is, for a criminal purpose." -- Albert J. Nock

------
boutad
Once again, it seems that it was an excuse to weaken the security of all
iPhone users rather than getting information from a specific device. In the
case of San Bernardino the FBI was able to use Cellebrite to crack the
attacker's iPhone without Apple creating backdoors.

~~~
saurik
In that case, Apple already had a backdoor, or they wouldn't have been able to
comply in the first place: the device in question did not yet have the "secure
enclave" enforcement of pin code back-off and supported firmware updates by
Apple without the user's pin code. Apple spending the time to make a firmware
--which incidentally anyone with Apple's private firmware signing key (the
real back door) could easily have done (as we seriously already have had
custom firmwares for ssh bootstrap and pin code brute force in the
community)--isn't them "creating" a backdoor, it is them "using" a backdoor.
Thankfully, it is my understanding that Apple decided to fix both of these
issues in subsequent devices, and so while there are clearly still bugs there
hopefully are no longer any obvious backdoors.

~~~
gruez
>Thankfully, it is my understanding that Apple decided to fix both of these
issues in subsequent devices, and so while there are clearly still bugs there
hopefully are no longer any obvious backdoors.

Does this mean there's a new unpatched exploit out there that GrayKey is
using?

~~~
nostalgk
From what I can tell, it simply tries to brute force the password (perhaps
with some informed suggestion). It does appear to have access to an exploit
that bypasses/disables the encryption lock that wipes data off the phone after
failed attempts, but it does not appear to utilize an exploit/backdoor to gain
access to the device; it gains access the "legitimate" way.

------
codesuela
The phone was released with iOS 13 which prominently featured enhancements to
USB restricted mode[1] which was supposed to defend against GrayKey/Cellebrite
attacks. Seems like GrayKey can easily bypass that feature. Does not really
inspire much trust in Apple's security team as USB restricted mode was
already a bandaid itself.

[1] [https://blog.elcomsoft.com/2019/09/usb-restricted-mode-in-io...](https://blog.elcomsoft.com/2019/09/usb-restricted-mode-in-ios-13-apple-vs-graykey-round-two/)

~~~
londons_explore
Apple's security team has been given the near impossible task of defending a
physical device in the hands of an attacker.

I wouldn't blame them for any lack of success. Perhaps instead blame them for
suggesting to the user physical security is possible at all.

~~~
Thorrez
> the near impossible task of defending a physical device in the hands of an
> attacker.

If you assume the device is off and the user chose a strong password, it's
pretty easy to defend. You simply encrypt the data with a key which is
encrypted with the user's password.

If you want to protect devices that are on, or want to protect devices with
less than stellar passwords, then it becomes harder.

~~~
DagAgren
That is not very strong protection - it lets you perform dictionary attacks at
high speed.

It is often more secure to generate a random, high-entropy key and store it
in secure storage, which is what the iPhone does.

~~~
Thorrez
If you assume a strong password you don't need to worry about dictionary
attacks.

There are 2 ways to slow down the attacks: key stretching and secure storage.
Key stretching is a good idea.

I recommend not relying fully on secure storage, because I've heard of tons of
hardware vulnerabilities (side channel attacks, undervoltage, electron
microscopes, buggy implementation). I trust math more than a physical object.
In fact it seems impossible to me to build fully secure storage, because if
someone has a delicate enough measurement tool to measure the atoms inside the
storage, the data inside can be extracted. If you store the password (or
hashed password) as well as the key in the secure storage, and have it only
return the key if the input password is correct, you run the risk of someone
finding a bug in the storage to extract the key without the password. Then
you're compromised.

But you build a system so that the secure storage is no worse than regular
crypto. You do the encryption using a combination of the user's password and
the output of the secure storage. That way even if the secure storage is fully
compromised, the password is still needed.

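The design Thorrez describes above (a stretched user passcode combined with the output of secure storage, so that a fully compromised secure element still leaves the attacker paying the stretching cost for every guess), written out as an added example. This is not code from the thread or from Apple; the `SimulatedSecureElement` class stands in for real hardware, and PBKDF2 with the chosen iteration count is an illustrative assumption, not a description of what any device actually does.

```python
"""Data key derived from a stretched passcode AND a secure-element secret.

Added example; not code from the thread or from Apple. `SimulatedSecureElement`
stands in for hardware secure storage (its UID never leaves it). PBKDF2 and the
iteration count are illustrative choices, not a description of a real device.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed cost per guess; calibrate to tens of ms on the device


def stretch_passcode(passcode: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Key stretching: every guess, online or offline, pays for `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


class SimulatedSecureElement:
    """Stand-in for secure storage. Holds a per-device UID that callers cannot
    read; they can only ask it to MAC data under that UID ("tangling")."""

    def __init__(self, uid: Optional[bytes] = None) -> None:
        self._uid = uid if uid is not None else secrets.token_bytes(32)

    def tangle(self, data: bytes) -> bytes:
        return hmac.new(self._uid, data, hashlib.sha256).digest()


def derive_data_key(passcode: str, salt: bytes, se: SimulatedSecureElement,
                    iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Both factors are required. The stretched passcode is fed through the
    secure element, and the element's output is then keyed with the stretched
    passcode again: without the passcode the element's output is useless, and
    without the element's UID the stretched passcode alone does not yield the key."""
    stretched = stretch_passcode(passcode, salt, iterations)
    tangled = se.tangle(stretched)
    return hmac.new(stretched, tangled, hashlib.sha256).digest()


def attack_with_extracted_uid(uid: bytes, salt: bytes, candidates: Iterable[str],
                              target_key: bytes,
                              iterations: int = PBKDF2_ITERATIONS) -> Tuple[Optional[str], int]:
    """Worst case for the hardware: the attacker has extracted the UID from the
    secure element and can guess offline. Each guess still costs a full PBKDF2
    run, so the passcode's entropy is what protects the data. Returns the
    passcode found (or None) and the number of guesses spent."""
    se = SimulatedSecureElement(uid)
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(derive_data_key(cand, salt, se, iterations), target_key):
            return cand, tried
    return None, tried


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # stored in the clear next to the data
    device = SimulatedSecureElement()       # UID generated inside the "hardware"
    key = derive_data_key("correct horse battery", salt, device)
    print("data key:", key.hex())
```

The point of feeding the stretched passcode into the element rather than the raw one is that the element cannot shortcut the stretching for anyone, including an attacker who has extracted its UID; the point of keying the final HMAC with the stretched passcode is that a bug in the element that leaks its output for arbitrary input still does not leak the key.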
~~~
DagAgren
You can't really assume a strong password, because if you have to type in 12
characters, letters and punctuation marks every time you want to look at your
phone, you're going to give up on the whole thing pretty quickly.

To be usable, phones need to allow relatively weak passwords.

~~~
Thorrez
I've had a password like that on my (Android) phone for ~7 years and haven't
given up. I don't use punctuation though, it's not worth the extra taps to get
to the punctuation keyboard for the entropy you gain. I've never had
fingerprint or face ID enabled either.

12 characters gives 62 bits of entropy. That's plenty if proper key
strengthening is in place.

Linus Sebastian says that when his phone got slower to open up, he got
happier, because it caused him to use his phone less, cutting out the useless
stuff. [https://youtu.be/WGZh-xP-q7A?t=305](https://youtu.be/WGZh-xP-q7A?t=305)

------
nimbius
from the GrayKey website:

>GrayKey is not for everyone. We kindly request that you tell us a bit about
yourself and your organization.

This feels like it's begging for DMCA litigation, but it's likely Apple already
knows how and why GrayKey works. Keeping GrayKey around serves Apple, as law
enforcement has (for now) an easy means of hacking _some_ iPhones at an entry
cost, while permitting Apple to continue insisting their phones are just too
secure to help hack.

~~~
Jamwinner
TMK, There are multiple independent implementations of the attack their
current gen tech is based on. Any determined actor could hire a greyhat and
have their own system.

------
theshrike79
Basically GrayKey can unlock numeric passcodes by bypassing the cumulative
limits that engage when the wrong code is typed in. The process still takes a
long-ish time.

It can't do anything for FaceID, TouchID or alphanumeric passcodes.

~~~
rahuldottech
Isn't numeric passcode the default fallback to biometrics that millions of
users use? Also, isn't it supposed to be safer than FaceID or TouchID?

Apparently GrayKey can't crack long passwords, since it's essentially brute-
forcing, but almost everyone I know uses a four-digit code.

Also, this is troublesome because in the US, we're told that cops can force
you to hand over your fingerprint but not your passcode. It's a bit
problematic if those passcodes are easy to crack.

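The brute-force arithmetic behind the comments above (ec109685's "GrayKey can't unlock long passcodes", the "6-digit passcode in 11 hours" estimate in the AppleInsider link, Thorrez's "12 characters gives 62 bits", and rahuldottech's worry about four-digit codes), as an added example that is not code from the thread or from any vendor. It assumes about 80 ms per guess, the per-guess cost Apple's iOS Security Guide gives for its passcode-to-UID tangling; it further assumes the escalating lockout delays are bypassed (what the thread says GrayKey does) and models the optional erase-after-10-failures setting as a hard attempt budget.

```python
"""Passcode brute-force cost estimator.

Added example, not code from the thread or from any vendor. Assumptions:
  * one guess costs ~80 ms (Apple's documented passcode tangling cost);
  * lockout delays are bypassed, so guesses run back to back;
  * "Erase Data after 10 failed attempts", when it cannot be bypassed,
    is a hard budget of 10 guesses.
"""
import math

SECONDS_PER_GUESS = 0.08  # assumed per-guess cost once lockout delays are bypassed

ALPHABETS = {
    "digits": 10,
    "lower+digits": 36,
    "mixed-case+digits": 62,
    "printable ASCII": 95,
}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passcode, in bits (12 x 36 symbols ~ 62 bits)."""
    return length * math.log2(alphabet_size)


def expected_seconds(length: int, alphabet_size: int,
                     seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Average time for exhaustive search: on average half the keyspace is tried."""
    return keyspace(length, alphabet_size) * seconds_per_guess / 2


def success_probability(length: int, alphabet_size: int, attempts: int = 10) -> float:
    """Chance of hitting a uniformly random passcode within a fixed attempt budget,
    i.e. when the erase-after-N-failures defence is in force and not bypassed."""
    return min(1.0, attempts / keyspace(length, alphabet_size))


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(length: int, alphabet: str) -> dict:
    """Summary line for one passcode shape."""
    n = ALPHABETS[alphabet]
    return {
        "passcode": f"{length} x {alphabet}",
        "entropy_bits": round(entropy_bits(length, n), 1),
        "expected_time_no_lockout": human(expected_seconds(length, n)),
        "p_success_within_10_tries": success_probability(length, n),
    }


if __name__ == "__main__":
    for length, alphabet in ((4, "digits"), (6, "digits"), (8, "digits"), (12, "lower+digits")):
        print(report(length, alphabet))
```

Under these assumptions a four-digit code falls in minutes and a six-digit one in about 11 hours on average, matching the linked estimate, while a 12-character lowercase-plus-digits passcode is out of reach by many orders of magnitude; the same 80 ms figure is why a fixed 10-attempt budget makes even a four-digit code a 1-in-1000 gamble for the attacker, which is the defence the thread says the tool bypasses.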
~~~
wahern
> Also, this is troublesome because in the US, we're told that cops can force
> you to hand over your fingerprint but not your passcode.

It's not settled law that you can't be compelled to provide a passcode. In
general, the 5th Amendment prohibits compelled testimony that is
_incriminating_. Disclosing a password to your own phone is usually not per se
incriminating. Contrast that with disclosing a password to a device you're
accused of hacking, where showing knowledge of the password is evidence of
guilt. Many (most?) courts haven't yet been prepared to defend such a fine
distinction, and seem to be more comfortable with a simpler rule that
prohibits compelling password disclosure, period. But that could easily
change, especially at the Supreme Court.

~~~
newnewpdro
My understanding is that it's settled law that Americans have the right to
remain silent unconditionally.

~~~
gnopgnip
It is not that straightforward. Generally you cannot be compelled to testify
against yourself. But you can be legally compelled to perform certain actions,
and held in contempt if you fail to do so. Whether or not disclosing a
password is self incrimination, or something you are required to provide is an
actively changing area of the law.

~~~
mcny
> But you can be legally compelled to perform certain actions, and held in
> contempt if you fail to do so.

IANAL, but isn't this basically slavery/forced indenture? Could a court of law
compel Apple to write some software? If so, can a court of law require George
RR Martin to write a novel and send him to prison if he declines?

~~~
noirbot
Once you're in the court system of most any country, what things you legally
can and can't do are a lot harder to enforce. You're essentially needing to
fight a well-trained opponent on their home turf with biased referees and no
real downside to them for cheating.

I'd imagine neither of your examples could or would happen given the power
Apple and Martin's representatives have, and how absurd forcing someone to
write a book as part of a court decision would be, but I'm fairly sure you
could find examples of relatively similar things. I could certainly see
something like a contract-related case being resolved by essentially legally
compelling someone to write a book that they said they'd write, or else be
fined/imprisoned.

~~~
mcny
> I could certainly see something like a contract-related case being resolved
> by essentially legally compelling someone to write a book that they said
> they'd write, or else be fined/imprisoned.

Again, IANAL so I don't know the law, but contracts sound like a strictly
civil (not government vs. non-government) court case where there should be
no possibility of imprisonment. If there is, it sounds like a bug to me and we
ought to amend the laws so that it is not possible.

------
dandare
> So why are the FBI, President Trump, Attorney General William Barr, and
> others all calling on Apple itself to break iPhone encryption? The most
> obvious possibility...

The most obvious possibility is that Apple can one day succeed and iPhone will
be uncrackable by these tools.

------
baybal2
The box on their website looks really similar to the iPhone unlock tools sold
around in the unlock industry.

Can it be that GrayKey is just a relabeled Chinese unlock box made to crack
the lock screen?

------
freepor
The government is just trying to establish its preferred pecking order —
government, oligarchs, then Soylent Green. Expect more High Publicity cases
especially those involving child victims.

------
masukomi
isn't breaking encryption like this illegal under the DMCA? Wouldn't that mean
that the FBI was actively breaking the law by using it?

~~~
ChrisLomont
Breaking encryption is not illegal under the DMCA except in the cases listed
in the DMCA.

Lots of things are illegal without a warrant or without some other legal
requirement.

The FBI breaking encryption in a legal investigation is not illegal.

~~~
htfu
> Breaking encryption is not illegal under the DMCA except in the cases listed
> in the DMCA.

isn't it the other way around?

~~~
ChrisLomont
No. DMCA makes most breaking of encryption illegal when used to circumvent
copyright. "Most" because it has exemptions even for copyright circumvention.
This is a very limited place to make it illegal.

I can probably think of hundreds of places you can still do it and it's not
illegal. Some examples: in school classes to learn, at home for practice,
researchers attacking each other's new algorithms, estate clearance to get a dead
person's assets released, for interoperability in many cases, for archiving old
things in many cases, and on and on.

In fact, almost any place I can think of where I might break encryption (which
I have done both as a hobby and professionally, and while a PhD student) is
perfectly legal. It becomes illegal when used to do something else illegal,
like violating copyright, or stealing things.

So no, breaking encryption is not illegal as a whole.

Here, break this: Lbh qvqa'g oernx gur ynj.

~~~
htfu
> "Most" because it has exemptions even for copyright circumvention.

Right that was what I meant, that the specific "list" I could think of is
actually of exemptions. Irrelevant nitpick really, sorry.

------
gok
I suppose it's possible that in one case the device had USB Restricted Mode
off, but it was on in the Pensacola case?

------
macinjosh
I fear where this will end up or already ended up is in a place where Apple
gets to say they are pro user privacy, doing everything they can to keep my
data secure, etc. When in reality they could be purposefully not closing
vulnerabilities so they have an out with the police. Until I see Apple
genuinely go after these companies like Cellebrite and GrayKey in court I will
remain skeptical.

------
mlang23
I always considered the "you can't get at the data of an iPhone" a marketing
slogan, not really worth my trust. I am still of the opinion that once you give
up/lose physical access to a device, the game is over. Also, I don't see why
this is such a big deal for so many people. Is the percentage of people that
have the FBI as their adversary really so high? :-)

~~~
csunbird
If FBI can do it, that means any other third party is able to do it too, it is
just a matter of time.

~~~
baobabKoodaa
A phone thief may theoretically spend a few months to unlock your phone, but
in practice they won't.

~~~
have_faith
When an exploit is leaked and turned into software that can run on commodity
hardware then the thief might only have to spend a few minutes.

~~~
faeyanpiraat
Time also helps, because the software on the phone stops getting the fresh
security fixes.

------
me551ah
Completely locking down a physical device and making it unhackable is
downright impossible. If the attacker has physical access to the device and
the ability to regulate network access, then it's only a matter of time before
the device gets hacked.

Right now they are using USB to gain access to the device. There is nothing
stopping an attacker from actually prying open the device and fitting
alternative components that can bypass security. Consoles are cited as an
example of an unhackable device, which is not true. Consoles were designed to
be unhackable by cheap mass-market methods but a determined hacker can still
do it, just that he will have to spend more to do it than the cost of a new
console. The hacker in this scenario is FBI with a lot of money and resources
with the physical device in their custody. I doubt if FBI is going to lose the
ability to hack devices anytime soon.

~~~
minxomat
Lots of iPhone decryption kits, specifically kits which reset the time or
limit on unlocks, worked and do work by unsoldering chips and processing them
externally.

~~~
brokenmachine
Is this true? You can buy iPhone decryption kits that require desoldering
chips?

