GrayKey iPhone ‘hack-in-a-box’ proves you need complex passcodes
If you care about your digital privacy you should give it the very best protection you can, as tools to break into your devices will eventually reach criminals outside of government.
Ever since the San Benardino shooter case saw U.S. law enforcement begin its push to make your digital devices their open book we’ve seen a cat and mouse struggle between tech firms, privacy advocates and the state.
This has driven the evolution of a third-party market offering to unlock devices for a fee, GrayKey is an example of a device that does this, and it’s the best argument yet to use a complex passcode if you care about your iPhone privacy.
Protection beats cure
As revealed by Thomas Reed, long-time Mac security expert and director of mobile for Malwarebytes, GrayKey is a small black box made by an Atlanta-based company called Grayshift. Reed has published an in-depth look at the box and how it works in an extensive blog post you can read here.
The very simplest explanation is that you plug an iPhone into the box for a few minutes and then disconnect the devices. After some dealy, you’ll see a black screen with the passcode appear on the iPhone.
What’s interesting about the report is the time it takes to crack the passcode, this varies, but it is suggested that:
- It can take about two hours for a four-digit code
- It can take three days or more for a six-digit code
- There’s no mention of how long it takes for longer, more complex codes.
Images attached to the report shows these times are approximate – it can take less long to crack a device, but it remains compelling evidence for the value of using complex alphanumeric codes to protect your devices.
There’s nothing about protecting your digital lives that is anti-law enforcement, though history is peppered with examples of what happens when security is broken and the breach tech leaks:
- Security firms find ways to break through mobile phone protections;
- Tech firms figure out how to protect those devices again;
- Security firm breaks the protection
- Someone leaves the firm, taking the secrets with them
- Other associated firms learn how the hack works
- Word spreads as people quit
- One day a disaffected employee (or spy) shares the secrets of the breach with criminals and/or hostile state actors
- No one’s data is subsequently safe until tech firms figure out protection again
- And repeat.
I think it’s reasonable to think most people would be happy to share what is on their devices if given a good reason, but that doesn’t mean they want their digital lives to become increasingly open books for hackers.
That’s why it’s so concerning that the GrayKey device can be purchased by law enforcement for as little as $30,000. Citing the story of the IP-Box device that could break into iOS 8.2 and earlier, Reed observes that such hardware-based technologies have existed – and leaked – before:
“Unfortunately, the IP-Box 2 became widely available and was almost exclusively used illegitimately, rather than in law enforcement. Today, various IP-Boxes can still be found being sold through a variety of websites, even including Amazon. Anyone who wants such a device can get one.”
He also warns:
“It’s also entirely possible, based on the history of the IP-Box, that Grayshift devices will end up being available to anyone who wants them and can find a way to purchase them, perhaps by being reverse-engineered and reproduced by an enterprising hacker, then sold for a couple hundred bucks on eBay.”
The inference is clear: It’s irresponsible to assume technologies like these won’t leak into the world.
What can you do?
The inconvenient truth is that while iOS remains the most secure OS (despite recent hype), security is a movable feast. Security protection is broken, only to be fixed again, in an endless dance.
What the new device does show us, however, is the inherent value of using complex alphanumeric passcodes to protect our devices. Not only are these so much harder to guess, but they’re harder to crack – even by these sophisticated systems. But, even iPhones aren’t invulnerable and every user should ensure they employ efficient security tools, including use anti-virus, MTM and MDM systems, where available.
Ultimately, as the world becomes more connected and the data in our devices becomes ever more essential, we can expect more attacks and the consequences of such attacks will also grow.