Today I’m taking a break from conference news analysis to write up something a bit different: Have you heard of GrayKey, the hardware device for cracking iPhone passcodes?
GrayKey actually popped up a few months ago, and there have been plenty of earlier iPhone vulnerabilities, unlocking tools, and privacy debates, so this is nothing new. However, it is a good reminder of some important security lessons; plus the next version of iOS may have an additional mitigation.
What is GrayKey
With physical access to an iPhone via the Lightning connector, GrayKey installs software that evidently jailbreaks the phone, and then brute forces the passcode, overcoming the passcode guessing limitations normally present in the UI. It works on at least iOS 11.2.5, and some sources suggest that it works on current versions of iOS, as well. Since it’s brute forcing the passcode, longer passcodes obviously take longer to guess. Supposedly, it’s marketed just to law enforcement agencies, but it might also be sold to Fortune 500 companies, and it could certainly fall into wrong hands. It’s also relatively cheap—one version costs $15,000 for 300 uses, the other $30,000 for unlimited uses.
So, this is certainly a threat that some organizations will be concerned about. But is it game over? No way. Like many other security threats, there are plenty of mitigations and lessons. Many of these lessons are already familiar, but they’re worth pointing out.
The first mitigation is to use a longer passcode, as each additional character makes the passcode take exponentially longer to guess. Obviously, Touch ID will act as a passcode shortcut, making a long passcode much more acceptable to users. (Now, the fact that your fingerprints aren’t legally protected in the US to the same degree that your knowledge of your passcode is protected is another whole issue, though the iPhone’s Emergency SOS mode, which disables Touch ID once you click the side button five times, is a mitigation for this.)
The next mitigation is to keep the OS up to date, as patches may fix the vulnerabilities used by GrayKey. This makes me wonder what Grayshift’s SLA or guarantee has to say about iOS version compatibility. Of course, Apple might not be able to patch the vulnerability if they don’t know what GrayKey uses. This leads us to the next point:
Last week, we got word that a “restricted USB mode” may be coming to iOS 11.4, via the ElcomSoft (maker of mobile forensics tools) blog. After seven days without the passcode being used, iOS will disable data over the Lightning connector, and it will only work for charging. (Restricted USB mode was in the iOS 11.3 beta for a while, but didn’t make it to the final release. There are indications that once this does arrive, there will be corresponding MDM controls for it, too.)
(Update, June 7: It turns out that restricted USB mode didn't make it into iOS 11.4, but it's in the beta for iOS 12. Apparently, it disables data after just an hour, not seven days.)
Even with these mitigations, another lesson is to not rely entirely on a single layer of security. Besides the iPhone’s encryption, many enterprises will protect their data by also encrypting it with a separate key at the app level; by enforcing various access controls; or by ensuring that apps don’t save any data locally.
We also have the debate over back doors in encryption, and while the vast majority of us in the tech space are opposed to back doors, this debate is out of the scope of today’s article.
On the tech side, most of these mitigations are standard security concepts, not anything extraordinarily esoteric—this is actually fairly reassuring.