For a long time, GrayShift has been renowned worldwide for its GrayKey tool capable of unlocking iPhones, but very few people understand its operational mechanisms. Recently, however, instructional documents about it were suddenly leaked online, providing everyone with a clearer view of the device’s capabilities and how it works.
Previously, many reports indicated that the device unlocks iPhones or iPads by using a brute-force attack algorithm to guess the password. Although this is not an ideal method, the tool has repeatedly helped law enforcement gain access to locked iPhones.

The leaked usage instructions appear to belong to the San Diego Police Department, written to guide officers on how to use this device and were found by Motherboard. The document requires users to “determine whether law enforcement is permitted to search the Apple device.”
The document describes various conditions under which GrayKey can connect: the device is off (also known as BFU – Before First Unlock), the phone is turned on (After First Unlock, or AFU), the device has a damaged screen, or the battery is low.

To unlock the device, the document states: “GrayKey will install a piece of code (also called an agent) when the device has only 2% to 3% battery left.” This code will be used to brute-force the device’s password but requires the iPhone to maintain power until the password is found.

When running GrayKey, users have various options regarding the type of data they want to collect from the iPhone. This data may include metadata in inaccessible files or “immediately extracted when the SE is unlocked” – SE seemingly stands for Secure Enclave, the part that stores sensitive data such as passwords and encryption keys in iOS.
Part of the instructional document also describes how GrayKey brute-forces passwords using characters. While many iPhone users only use entirely numeric passwords, character-based passwords can include letters, providing more options and often being harder to brute-force. However, if the device uses character passwords in the form of readable words, unlocking becomes easier when GrayKey has a long list of human-readable words at its disposal.
This list is provided in a file named “Crackstation-human-only.txt” containing about 1.5 billion words and passwords. GrayKey can also use other word lists, but only one list is used at a time.
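The two paragraphs above contrast exhaustive brute force (which scales with alphabet size and length) against a dictionary attack (which scales with the size of the word list, regardless of how long or mixed-case the passcode looks). The following added example, which is not code from the article, from GrayShift, or from any real word list, makes that comparison concrete from a defender's point of view: it estimates how many guesses a passcode would cost under each strategy and flags passcodes that are really just a dictionary word with a suffix. The `SAMPLE_WORDLIST` is a constructed stand-in for a large human-word list, `list_size` defaults to the 1.5 billion entries the article quotes for “Crackstation-human-only.txt”, and `guesses_per_second` is a hypothetical rate with no relation to any real device.

```python
import string

# Constructed stand-in for a large human-readable word list such as the
# "Crackstation-human-only.txt" file the article names. The real file holds
# about 1.5 billion entries; these are a handful of made-up samples.
SAMPLE_WORDLIST = {"password", "sunshine", "letmein", "iloveyou", "dragon", "football"}

STANDARD_CLASSES = [
    string.digits,            # 10
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.punctuation,       # 32
]


def charset_size(passcode: str) -> int:
    """Size of the smallest set of standard character classes covering every
    character in the passcode (what an exhaustive search would have to span)."""
    size = sum(len(cls) for cls in STANDARD_CLASSES if any(c in cls for c in passcode))
    # Any other character (space, non-ASCII) is counted conservatively as one
    # extra class of 33 symbols; this is an assumption for illustration only.
    if any(not any(c in cls for cls in STANDARD_CLASSES) for c in passcode):
        size += 33
    return size


def exhaustive_guesses(passcode: str) -> int:
    """Worst case for an attacker who knows length and alphabet and tries
    every combination: alphabet size raised to the length."""
    return charset_size(passcode) ** len(passcode)


def dictionary_variants(passcode: str):
    """Base words a simple rule set would derive from the passcode: the
    lowercased form, and that form with a trailing run of digits or common
    suffix symbols removed ("Sunshine1!" -> "sunshine")."""
    base = passcode.lower()
    yield base
    stripped = base.rstrip(string.digits + "!@#$.")
    if stripped != base:
        yield stripped


def in_wordlist(passcode: str, wordlist) -> bool:
    """True if any derived base word is present in the word list."""
    return any(variant in wordlist for variant in dictionary_variants(passcode))


def assess(passcode: str, wordlist=SAMPLE_WORDLIST,
           list_size: int = 1_500_000_000, guesses_per_second: float = 10.0) -> dict:
    """Summarise how a passcode fares against exhaustive search versus a
    dictionary attack. list_size is the assumed length of the attacker's
    word list; guesses_per_second is a purely hypothetical rate."""
    exhaustive = exhaustive_guesses(passcode)
    hit = in_wordlist(passcode, wordlist)
    # An attacker with both strategies available picks the cheaper one, so a
    # dictionary hit caps the cost at the size of the list.
    worst_case = min(list_size, exhaustive) if hit else exhaustive
    return {
        "passcode_length": len(passcode),
        "numeric_only": passcode.isdigit(),
        "charset_size": charset_size(passcode),
        "exhaustive_guesses": exhaustive,
        "dictionary_hit": hit,
        "worst_case_guesses": worst_case,
        "worst_case_seconds": worst_case / guesses_per_second,
    }


if __name__ == "__main__":
    # Constructed sample passcodes: a short numeric PIN, a dictionary word
    # dressed up with a capital and a suffix, and a random-looking string.
    for candidate in ("123456", "Sunshine1!", "xq7Lm#2pR"):
        report = assess(candidate)
        print(f"{candidate!r}: exhaustive={report['exhaustive_guesses']:,} "
              f"dictionary_hit={report['dictionary_hit']} "
              f"worst_case={report['worst_case_guesses']:,}")
```

The point the numbers make is the one the article describes: `Sunshine1!` has a nominal search space of 94^10, far beyond a six-digit PIN, yet a word list that contains “sunshine” reduces it to at most the list's length, which is why a long alphanumeric passcode built from a readable word buys much less than its character mix suggests, while a passcode that matches no list entry keeps its full exhaustive cost.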

Once the “agent” code is installed, the iPhone is switched to Airplane mode, so that it can be disconnected from GrayKey at that point.
Another feature of the device is called HideUI. This feature allows GrayKey to install another piece of code onto the device to secretly record the user’s password in case law enforcement is forced to return the iPhone to the suspect.
GrayKey and many other companies in the industry seem to be playing a cat-and-mouse game with Apple as they try to infiltrate locked iPhones. Every time Apple upgrades its operating system or introduces new security layers for its devices, GrayShift and other companies in the industry simultaneously upgrade their methods to bypass that new encryption layer.
Reference: AppleInsider