Grayshift, maker of the GrayKey iPhone unlocking boxes that allow law enforcement agencies to unlock suspects and victims locked iPhones, recently was hit with a data breach, and the hackers that pulled it off are asking for BitCoin ransom to prevent further leaking of the code.
Last week, an unknown party leaked portions of the GrayKey code onto the internet, demanding $15,000 from GrayShift to stop publishing the code.
“Mr. David Miles,” the extortionists’ first message, published on Thursday, reads, addressing a co-founder of Grayshift. “This is addressed to you and any other people interested in keeping GrayKey product secure and not available to the wide [sic] public.”
The site hosting the message has since deleted the post, but a Google cached version is still available, and a second message, published a day later, is online at the time of writing.
“We are a ‘business group’ looking forward to bring into your attention the fact that we HAVE obtained the source code for your product GrayKey and would appreciate any donation above 2 BTC [~$19,000 on Tuesday],” both messages continue. Both then paste different selections of apparent GrayKey code.
The code accessed is a tiny bit of the GrayKey code. It is the HTML/Javascript code that makes up the unlocking device’s UI. GrayKey says no sensitive IP or data was exposed.
The GrayKey is a small grey box that is equipped with dual Lightning cables. An iPhone is connected to one of the cables, allowing the GreyKey to install proprietary software that can guess the passcode of the iPhone, taking as little as a few hours, depending on the passcode’s strength. The devices start at $15,000, the same amount as the ransom asked by the hackers.
Law enforcement agencies around the U.S. have purchased the box, and the data breach has to be a bit unsettling to those buyers.
Motherboard reports that Grayshift hasn’t paid off the extortionists, as the Bitcoin adress used by the hackers has not received any funds.
Although Grayshift says it has made changes that will help customers prevent unauthorized access to GrayKey boxes in the future, Motherboard days they’ve discovered a second GrayKey device, broadcasting bits of code to the internet.
Using the computer search engine Shodan, Motherboard found a seemingly exposed GrayKey device, broadcasting similar chunks of code to the open internet.
“To brute force a complex alphanumeric passcode, upload a custom password dictionary. If a dictionary is not uploaded, GrayKey will not attempt to brute force custom alphanumeric passcodes,” one section of the apparent device’s code reads.
Users who fear their iPhone’s passcode could be cracked by using a GrayKey or similar device are encouraged to implement stronger passcodes. The default 6-digit numeric passcode on an iPhone can be defeated in as little as 11 hours. However, 8-digit numeric passcodes can take over a month to crack, while a 10-digit passcode can take years to crack.
For information on how to change your iPhone’s passcode, read our informative how to article on the subject.
