All about GrayKey, the box cops are using to crack locked iPhones

2025-04-27 19:42:13admin

If you own an iPhone, you should be concerned about GrayKey. That's the name for a new kind of device that's becoming increasingly popular with law enforcement agencies across the U.S., according to recent reports. It's popular because it unlocks iPhones protected with a passcode, even ones running Apple's most recent software, iOS 11.

GrayKey is the product of Grayshift, a security company based in Atlanta that was co-founded by an ex-Apple security engineer. The device itself is a nondescript black box with two Lightning cables sticking out. But once you connect a locked iPhone, it can somehow bypass Apple's built-in protections against repeatedly attempting to guess the phone's passcode -- effectively letting users "brute force" the code and get in after a certain amount of tries. A four-digit code becomes practically useless, and a six-digit code might take a few days to crack at the most.

SEE ALSO: How Your iPhone's Screen Actually Works

Phone-cracking technology has been around since people started keeping sensitive information on phones, but in recent years the security pendulum swung hard in the direction of the user, with improved encryption techniques and widespread adoption of it by Apple, Google, and other big tech companies. As a result, law enforcement decried the emergence of "warrant-proof" devices and complained that important communications were now inaccessible, resulting in intelligence gathering "going dark."

With GrayKey, it definitely looks like the pendulum is swinging the other way. Thanks to the reporting of Motherboard journalist Joseph Cox, we know that local law enforcement across the country are buying the device, which costs as little as $15,000 (plus a subscription to Grayshift's service) -- expensive to the individual, but to a police department, much less than a single squad car. Federal agencies are looking to procure the device, too.

Cox joined the MashTalk podcast this week to discuss GrayKey, how it works, and the implications of it in the ongoing tug of war between digital security advocates and law enforcement. Joseph Hall, the chief technologist of the Center for Democracy and Technology, a Washington, D.C.-based group that advocates for civil liberties around digital issues, also guest stars to break down what this could mean for technology policy.

One of the first questions we tackle is whether or not GrayKey is actually a good thing? If it's only used when cops have a legitimate warrant to search the contents of an iPhone, doesn't that restore the status quo pre-encryption and ensure they can get the evidence they need to catch criminals?

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

That may be true, but Hall points out that clearly GrayKey takes advantage of some heretofore unknown exploit, which could be leveraged by other parties. And even if others don't discover the flaw, there's not much stopping oppressive regimes, banks, or anyone else with $15,000 to burn from procuring one of these boxes, too.

"We have no indication that Grayshift is going to sell these devices only to U.S. law enforcement," said Hall. "They, like any other business that does this, have to ask themselves: How far is too far? What regime is too antithetical to your own principle that you won't sell the devices to?"

That would have grave implications for device privacy worldwide. Still, there's hope. As Cox says, the emergence of GrayKey (and other technologies like Cellebrite) means the balance between hacking devices and securing them has shifted, but that doesn't mean it won't shift back. Apple almost certainly has one of these boxes, Cox says, and surely a future iPhone or version of iOS will have better defenses against them.

"Eventually when it does get fixed, because presumably it will, there will be another lull," Cox said. "There will be a point where the hackers are trying to catch up again."

But does GrayKey betray the existence of a larger problem that needs solving? Just this week the infamous case that pitted Apple against the FBI two years ago was back in the news when research by former Microsoft Chief Technical Officer Ray Ozzie was highlighted in Backchannel: a way for iPhones to have an extra set of encryption keys, stored securely at Apple HQ, and only accessible with a valid warrant on a specific device.

It's essentially the backdoor into iPhones law enforcement has been asking for, but it's likely untenable. Ozzie's proposal was eviscerated by the infosec community, and Hall dismisses it as old news.

"Having mandates in the laws to have backdoors is just a really bad idea," said Hall. "We know that these devices have flaws, both hardware and software flaws, so use those to find the way. It's not going to be like a light switch -- you can't just turn it on and collect content willy-nilly... it's more something where you develop a capability, and you cultivate that ability. And when you can't do it internally, you may have to rely on the market. In that sense, it's good."

As uncomfortable as it may be to face, the security arms race between Big Tech and law enforcement may be the worst solution -- except for all the other ones.