
FBI Refuses to Say Whether It Bought iPhone Unlocking Tech 'GrayKey' - _o_
https://motherboard.vice.com/en_us/article/ne99mg/fbi-refuses-graykey-grayshift-iphone-unlock
======
jlgaddis
It seems safe to assume that they _did_ purchase it -- or that they will, in
the near future (perhaps they haven't _technically_ "purchased" it yet if, for
example, the PO or payment hasn't yet completed).

I mean, $30,000 for the "unlimited" one-year license? Seriously, why _wouldn't_
they purchase it? If local and state police agencies have bought this device, I
think we can all safely assume the FBI has as well.

Hell, I wouldn't be surprised to hear that the FBI _recommended_ the purchase
of this device to local and/or state agencies.

~~~
onetimemanytime
> _Hell, I wouldn't be surprised to hear that the FBI recommended the
> purchase of this device to local and/or state agencies._

Like they need any recommendations; they have cases open :). Not all cases are
a middle-aged guy, minding his own business, who gets his phone searched at
JFK. A lot of crimes are thefts, drugs, sex, and the evidence is in the phone;
they have search warrants but can't access it. Or couldn't. There are law
enforcement conventions and businesses that cater to them, so they already
know. Not to mention Twitter, FB forums and so on.

I'm with Apple, trying to make this unbreakable, but if cops figure it out,
and they have warrants, kudos to them. Maybe Apple already does, but they
should be buying all zero-days out there. If they don't sell for $1 million,
offer them $5 million. Or $15 million, and still no one at Apple would have to
skip a meal to cut costs:
[https://finance.yahoo.com/quote/AAPL/key-statistics?p=AAPL](https://finance.yahoo.com/quote/AAPL/key-statistics?p=AAPL)

------
itsadrop
Law enforcement using a throwaway account here. Why is this such a mystery?
Of course they have it. We're all scrambling to find the 15 grand to get a
license. (It's 15K for a web-based license, 30K for a standalone license.) Cold
cases are being re-opened because we can now access devices we have shelved. I
guess I'm just confused why it's such a big deal?

~~~
2bitencryption
> We're all scrambling to find the 15 grand to get a license

Well, there's that part.

Apparently lots of my tax dollars are going towards purchasing a temporary
license for a temporary solution to a permanent problem that isn't really a
problem at all?

Though I must admit, one day those things are going to look great in some
museum. They tell a really interesting story. Hopefully the price tag is
included on the exhibit description.

~~~
velobro
Let's not forget that it isn't just one police agency wanting to buy these.

It's every single department, in every single city, in every single state.

That's thousands, if not tens of thousands, of departments buying these when
they'll all be useless as soon as Apple patches the exploit.

Seems like a whole lot of wasted money. But who knows, they might just catch
enough "big bad Marijuana dealers" to offset the cost.

That's what the LEO really means by cold cases. Nothing important. Just more
drug busts.

~~~
dvt
> Nothing important. Just more drug busts.

People dying because of drug overdoses seems like a pretty big deal to me, but
then again (thank God) I've never had a family member or close friend succumb
to a drug addiction.

~~~
scarecrowbob
I don't think it's very charitable of you to assume that just because people
don't believe that police handling of drug crimes is effective they don't also
think the opiate crisis in the US is a big deal (I'm assuming that's what
you're referring to).

If you don't believe that a solution works, then further effort on a non-
functioning solution isn't a big deal, even if you feel the problem is a
problem.

------
atonse
My guess is that Apple will find a way to secure their own copy of GrayKey
using a shell company and reverse engineer the exploit. Like others have said,
it's a cat and mouse game.

This seems to be a software exploit if it requires not opening up the iPhone.
There are more sophisticated hardware techniques (one was "decapping" the chip
and reading the data out so you can try passcodes elsewhere), but I believe
Apple's also finding mitigations for those as well.

~~~
developer2
Most people seem to have missed the reported fact that a security researcher
now working as an executive at Grayshift was previously an employee at Apple.
The exploit being used in the GrayKey device may have been exported directly
from within Apple's walls. Perhaps this man was involved enough with iOS
security that he a) built in a backdoor; or b) discovered a vulnerability, and
instead of disclosing it, left Apple to profit off the exploit; or c) gained
enough knowledge of the systems to be able to reverse engineer an exploit from
scratch, after leaving Apple.

The fact that the company producing the GrayKey has an executive who is a
security researcher and used to work for Apple is such an obvious, damning
piece of evidence. I don't understand why this connection hasn't been more
widely reported and investigated.

~~~
saagarjha
> gained enough knowledge of the systems to be able to reverse engineer an
> exploit from scratch, after leaving Apple

While the other two are suspicious, I don't think the last one is. If you're
good enough to come up with a clean room implementation, then I don't see any
foul play here.

~~~
stordoff
Isn't that by definition _not_ a clean room? You have knowledge about the
device that you wouldn't be able to derive just from looking at the device
itself.

~~~
saagarjha
No, that's what the other two were. I'm saying that there's the possibility
that you got hired at Apple because you were smart, and end up continuing work
on iOS even when you leave, but without any sort of knowledge of the
internals. For example, say they rewrote some portion of code that you were
familiar with: in that case, you should be free to take a look since you no
longer have any inside information on it.

------
jonnrb
Since the DMCA prohibits the circumvention of access controls, couldn't Apple
litigate the heck out of the GrayKey?

~~~
dsfyu404ed
You can sue anyone for anything.

On paper, sure, there's merit to it; in practice it's probably an exercise in
futility while the exploit is unpatched and GrayKey is useful to law
enforcement.

~~~
kossae
I would think the best use of Apple's time is reverse engineering (if the
exploit is not already assumed/known) the device and releasing an update
rendering it useless. If that isn't possible, perhaps litigation would be the
next step. However simply making it 'not work' for LE would be the lowest
hanging fruit (under many assumptions about the complexity of this exploit).

------
thisacctforreal
According to the iOS Security whitepaper[0]:

Each device has a unique 256-bit AES key called the "UID", and a programmable
"device group ID" called the "GID".

The UID is "fused" and the GID "compiled" into the Application Processor and
Secure Enclave during manufacturing, but no software or firmware can access
them. The firmware can only see results of encryption and decryption, and the
keys are accessible only to the AES engine's silicon. They are not available
via JTAG or other debugging interfaces.

On some later chips the Secure Enclave generates the UID itself.

Apart from the UID and GID, the Secure Enclave can also generate new keys
using a RNG. See also: Krypton[1].

(see page 12)

Passcodes are "entangled" with the device's UID, so brute-force attempts must
be done using the Secure Enclave (or with an electron microscope?).

Each attempt has an iteration count calibrated for 80ms, which would mean an
average of ~11 hours to brute force a 6-digit pin[2].

iOS also has longer delays for multiple attempts: 1 minute after 5 attempts, 5
minutes after 6, 15 minutes from 7-8, and 1 hour for each attempt after 9. The
paper later mentions that devices with the Secure Enclave will enforce the
longer delays, including after reboots, but this doesn't seem to be the case
for GrayKey.

(see page 15)

GrayKey claims to crack an iPhone (with 4-digit pincode?) in around ~2 hours,
but more than 3 days for 6-digit pincodes. Which might work out to ~1s per
guess?[3].

If you use an alphanumeric passcode, or a custom numeric code, you likely don't
have to worry about these unlockers.

A random 10-digit pin will take an average of 12 years 6 months to crack[4].

[0]
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

[1] [https://krypt.co](https://krypt.co)

[2] 6-digit pin, 80ms/guess: 1e6 * 80 / 1000 / 60 / 60 / 2 = 11h 7m

[3] 4-digit pin, 1s/guess: 1e4 * 1000 / 1000 / 60 / 60 / 2 = 1h 23m

[3] 6-digit pin, 1s/guess: 1e6 * 1000 / 1000 / 60 / 60 / 2 = 5d 18h 53m

[4] 10-digit pin, 80ms/guess: 1e10 * 80 / 1000 / 60 / 60 / 24 / 365 / 2 = 12Y
8M 6d
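
The brute-force arithmetic above, as an added worked example (Python written for this page; not code from the thread, from Apple's whitepaper, or from Grayshift). It takes the post's figures as assumptions: ~80 ms of key-derivation work per guess, and the quoted lockout schedule of 1 minute after the 5th failed attempt, 5 minutes after the 6th, 15 minutes after the 7th and 8th, and 1 hour after every attempt from the 9th on. It computes the expected time to find a uniformly random PIN with and without the Secure Enclave enforcing those delays, and inverts a vendor's time-to-crack claim into the per-guess rate it implies.

```python
"""Expected brute-force time for an iOS numeric passcode.

Added example, not code from the thread or from Apple's whitepaper. Inputs
are the figures quoted in the post (assumptions, not measurements): ~80 ms
per guess and the escalating lockout schedule. Guesses are assumed to run in
order against a uniformly random PIN, so the correct one is found on attempt
k with probability 1/N for k = 1..N.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600


def ios_delay_after(attempt: int) -> int:
    """Lockout in seconds imposed after failed attempt number `attempt` (1-based),
    per the schedule quoted in the post."""
    if attempt < 5:
        return 0
    if attempt == 5:
        return 60
    if attempt == 6:
        return 5 * 60
    if attempt <= 8:
        return 15 * 60
    return 3600


def cumulative_delay(m: int) -> int:
    """Total lockout accrued after m failed attempts (closed form for m > 8)."""
    if m <= 8:
        return sum(ios_delay_after(i) for i in range(1, m + 1))
    # attempts 1..8 contribute 60 + 300 + 900 + 900 = 2160 s; each later one adds 3600 s
    return 2160 + 3600 * (m - 8)


def sum_cumulative_delay(n: int) -> int:
    """Sum of cumulative_delay(m) for m = 0 .. n-1, in closed form so that a
    10-digit keyspace (n = 1e10) costs nothing to evaluate."""
    head = sum(cumulative_delay(m) for m in range(min(n, 9)))
    if n <= 9:
        return head
    k = n - 9  # terms m = 9 .. n-1, where cumulative_delay(m) = 2160 + 3600*(m-8)
    return head + 2160 * k + 3600 * k * (k + 1) // 2


def expected_crack_seconds(digits: int, per_guess: float, enforce_delays: bool) -> float:
    """Mean seconds to hit the right `digits`-digit PIN, averaged over k = 1..N.
    Reaching attempt k costs k*per_guess plus the lockouts after attempts 1..k-1."""
    n = 10 ** digits
    seconds = (n + 1) / 2 * per_guess
    if enforce_delays:
        seconds += sum_cumulative_delay(n) / n
    return seconds


def implied_per_guess(total_seconds: float, digits: int) -> float:
    """Invert a time-to-crack claim into an average per-guess cost, assuming
    the claim is an average case and no lockouts are being enforced."""
    return total_seconds / ((10 ** digits + 1) / 2)


def human(seconds: float) -> str:
    """Render a duration roughly the way the post's footnotes do."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{int(days)}d {int(hours)}h {int(rem // 60)}m"


if __name__ == "__main__":
    for digits in (4, 6, 10):
        fast = expected_crack_seconds(digits, 0.08, enforce_delays=False)
        slow = expected_crack_seconds(digits, 0.08, enforce_delays=True)
        print(f"{digits}-digit PIN @ 80 ms/guess: {human(fast):>12}   with lockouts enforced: {human(slow)}")
    # The post's reading of the vendor claims: ~2 h for 4 digits, >3 days for 6 digits
    print(f"2 h on 4 digits implies {implied_per_guess(2 * 3600, 4):.2f} s/guess")
    print(f"3 d on 6 digits implies {implied_per_guess(3 * 86400, 6):.2f} s/guess")
```

The "with lockouts enforced" column is the point of the whitepaper's escalating delays: once the hourly lockout kicks in, a 6-digit PIN goes from hours to decades, which is why a device that reaches the per-guess rate the post infers must be bypassing delay enforcement rather than speeding up key derivation.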

------
qume
This is strange... I posted here a theory on how this might work and the post
has disappeared completely while showing zero points in my comments page. Just
a single downvote wouldn't make it not show, correct?

Does HN censor potential security disclosures?

All I said was it was probably using techniques like voltage and timing
analysis for instance as described here:

[https://www.coursera.org/learn/hardware-security/lecture/2UgeK/power-analysis](https://www.coursera.org/learn/hardware-security/lecture/2UgeK/power-analysis)

~~~
jstanley
I still see that comment, fwiw.

------
wpdev_63
What's up with these stories? It's been known for a while now that the FBI and
other _American_ agencies have backdoors into every cellphone:
[https://wikileaks.org/ciav7p1/#ANALYSIS](https://wikileaks.org/ciav7p1/#ANALYSIS)

~~~
wpdev_63
If you're going to down vote me, at least state the reason you are.

Here's another article from the same source about the FBI using 'classified'
tools:
[https://motherboard.vice.com/en_us/article/7xdxg9/fbi-hacking-investigations-classified-remote-operations-unit](https://motherboard.vice.com/en_us/article/7xdxg9/fbi-hacking-investigations-classified-remote-operations-unit)

~~~
willstrafach
Probably because they are independently discovered vulnerabilities,
specifically not backdoors. That term implies something intentionally done.

------
onetimemanytime
How it can be solved:

Apple, announces $10 million bounty to reveal exploit. I guess within hours
they'll have it, probably from GrayKey engineers (might be hard to claim given
NDAs).

~~~
scottmf
Hey, if any GrayKey employees wanna split the bounty, let me know...

------
ada1981
Is anyone selling a charging dock modeled after this yet?

------
sneak
Dear Apple staff reading this: the continued silence of Apple on this matter
is making me lose trust in the safety of my iPhone. I want to know what iOS
version protects me against the exploit used by the GrayKey, if indeed I am,
or I want to know I’m not if I am not.

~~~
edge17
In all seriousness, what are you going to do about it with your loss of trust?

~~~
Anderkent
Buy a pixel? Google have been doing really good work with android encryption

~~~
RandomBK
As someone who has never used an iPhone and has always stayed within the
Android ecosystem, I doubt any device on the Android market can compete with
what Apple has in terms of security and privacy at the moment.

~~~
jacksmith21006
Would guess the Pixel is more secure. Google Project Zero is first rate in
terms of finding and mitigating vulnerabilities. Pixel also gets monthly
updates. Have a Pixel 2 XL and love the phone and highly recommend.

------
mtgx
I don't really care whether or not the FBI bought this device or another. What
I want to know is what's Apple's response to all of this?

iOS 11 seems to have almost purposeful security weaknesses. I'm willing to
give Apple the benefit of the doubt here, but only if they fix whatever flaws
these guys and Cellebrite are using to break into iOS 11 iPhones.

Both those decryption devices seem to rely on iOS 11, so it must be a new
change, which means it shouldn't be too hard for Apple to figure out which one
of its recent changes caused this weakness in security.

~~~
exabrial
I agree.

I'm fine with the FBI going about the letter of the law with a warrant to
obtain evidence.

I'm also fine with Apple hardening their devices against such attacks,
eventually the "GrayKey" technology will become commodity and we'll need to
protect our information from casual thieves.

However, I take a strong stance against mass surveillance and obtaining
(any/all, including metadata) information without due process. This includes
getting pulled over and having police search my phone, or as a US citizen, re-
entering my country and having my phone searched.

