Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unkown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer.
In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That’s for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses.
Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they’d been demoed the technology and that it had opened an iPhone X.
The marketing doesn’t reveal just what iOS vulnerabilities GrayKey exploits to unlock iPhones. It claims GrayKey works on disabled iPhones and can extract the full file system from the Apple device, and indicates the tool would make repeated guesses at passcodes, a technique known as brute forcing, to first get into the device.
According to Ryan Duff, director of cyber solutions at Point3 Security, it appeared Grayshift had access to similar exploits as Cellebrite, namely a probable hack that targets Apple’s Secure Enclave, the isolated chip in iPhones that handles encryption keys. The Secure Enclave makes it especially time-consuming to carry out brute forcing by incrementally increasing the time between guesses, up to an hour for the ninth attempt onwards. But if it can be broken, the speed to guessing the right password can be improved.
“Without breaking the encryption, you will always be forced into a brute force situation,” explained Duff. “That doesn’t mean they are using the exact same exploit that Cellebrite is using. It’s possible they are different. But the process post-exploitation is almost certainly the same.”
Apple declined to comment on Grayshift’s claims. But it typically recommends users take advantage of iOS updates as they will contain fixes for the latest vulnerabilities.
Those patches may not be too far off, said Duff. That’s because of Grayshift’s apparent business model, which differs from Cellebrite in that the latter is asking law enforcement to send in devices to its labs. As Grayshift is putting its exploits in software, it could be possible for security researchers or Apple engineers to get hold of the GrayKey and determine what vulnerabilties it uses. “This will almost certainly lead to the exploit being burned,” added Duff, a former cyber operations tactician at the U.S. Cyber Command. “Someone, maybe even Apple, will eventually get a hold of one of these devices and will examine how it works. If it’s a non-Apple researcher, they will be able to report the bug to Apple and make $100,000 to $200,000 from their bug bounty program depending on how the exploit works.”
Forbes made multiple attempts to contact Grayshift, but had received no response at the time of publication. Its website, which contains little more than a logo and the tagline “the state of the art has a new requirement,” asks for a login to learn more.
In the wake of San Bernadino
Forbes has not been able to verify the company’s claims and given it’s a new, unproven entity, it’s hard to say how far the marketing material should be trusted. But, whilst there’s very little information about Grayshift online, Forbes has unearthed some tantalizing tidbits, pointing to a legitimate company with plenty of experience in its field.
According to LinkedIn profiles, the company was co-founded in Atlanta, Georgia, back in September 2016 by David Miles, who previously worked at Endgame, a company that reportedly developed hacking tools for U.S. government agencies, including the NSA. The company’s founding came in the wake of the battle between Apple and the FBI in San Bernardino, where the feds ordered the Cupertino giant to unlock the iPhone of terrorist shooter Syed Rizwan Farook, a request the iDevice manufacturer vehemently protested. The FBI eventually paid an unknown contractor in the region of $1 million to hack into the device.
One source told Forbes Grayshift also counted amongst its ranks former staff of cybersecurity firm Optiv, where Miles worked prior to co-founding Grayshift. Two cybersecurity industry sources with knowledge of the company claimed Optiv had previously developed so-called zero-day exploits for the U.S. government, where programs hack into systems via previously-unkown software vulnerabilties for the sake of finding out information from target devices, a business practice that had been alluded to in a 2013 Rolling Stone report, back when the company was called Accuvant.
And, the sources added, Optiv had a specialty in iOS hacks. (Optiv hadn’t responded to requests for comment at the time of publication). Indeed, two former employees from Optiv are listed on LinkedIn as working at secret companies in Atlanta from September 2016, the same month Miles is listed as founding Grayshift. They include Justin Fisher, also previously of Endgame, and Braden Thomas, who’d previously worked at Apple for six years as a security engineer. Forbes also unearthed company records, showing both as “principals” at the firm, along with Miles. Principals are typically co-founders or executives, though Fisher’s LinkedIn shows him as a senior researcher and Thomas as a security engineer. Neither Fisher nor Thomas had responded to messages at the time of publication.
‘Breaking the unbreakable’
The company is due to show for a conference in Myrtle Beach, South Carolina, this June. A description on the Techno Security & Digital Forensics conference website indicated the company is a direct Cellebrite competitor, reading: “Grayshift is a cyber security firm built by experts in security research and access technology. Our focus is on building advanced capabilities to support local, state and federal government agencies for the purposes of accessing mobile platforms to enable digital forensic analysis.”
Another blurb on 99Designs, where the company had its logo drawn up, was a little more revealing, indicating the company was providing services to private industry too. “We specialize in software vulnerability research.
“Our research consultants employ an in-depth knowledge of the latest exploitation techniques and methodologies in order to triage, analyze and prioritize discovered vulnerabilities for remediation. Our typical customer base are large Fortune 500 organizations and also high tech companies requiring advanced security research consulting.
“We know how to break things that are thought to be unbreakable.”
Multiple sources in the forensics industry confirmed they’d heard about Grayshift and were intrigued by its offerings. Italian forensics specialist Mattia Epifani noted that the GrayKey was cheaper than Cellebrite’s offering, which costs around $1,500 per device, compared to Grayshift’s 300 for $15,000. Vladimir Katalov, chief of Elcomsoft, a Russian competitor that does plenty of business in the U.S., said that if it really has found a way to force iPhones into a mode where passcode attempts are unlimited, “then hats off.”
“The only thing that worries me… it is not really good for the community that the vulnerability is ‘private.’ That creates the same problem as with ‘backdoors for law enforcement,’ [is] probably even worse. We can only guess how (and since when) they are being exploited by criminals,” said Katalov. “The trend when critical vulnerabilities are being kept private and used by vendors providing the services to law enforcement is really a very bad idea.” As the EFF said of the Cellebrite iPhone revelations, when vulnerabilities are kept secret, everyone is walking around with weaknesses in their devices that could be exploited by anyone, whether governments or criminals.
Cellebrite doesn’t agree with that line of thinking. In a recent interview with Forbes, chief marketing officer Jeremy Nazarian said it was necessary for the flaws to stay secret so the tools remained effective and law enforcement could gather evidence from devices.