A department of the US State Department dedicated to diplomatic security has reportedly procured a $15,000, Apple TV-sized device its manufacturers advertise as being able to break iPhone encryption in anywhere from two hours to three days.
Per Motherboard, public federal procurement documents show that the State Department’s Bureau of Diplomatic Security purchased a GrayKey encryption-breaking device from Grayshift, a firm which reportedly lists a former Apple engineer on staff. The documents only identify the purchase as for “computer and computer peripheral equipment,” but Motherboard wrote that it had confirmed “the phone number of the vendor in both the purchase order and documents Motherboard previously obtained detailing a GrayKey purchase by Indiana State Police is the same.”
Parts of the federal government, notably the FBI and the Department of Justice, have been clamoring for Apple and other software compaies to build backdoors into their encryption technology on the dubious grounds it’s necessary to ensure criminals and terrorists can’t enjoy impregnable communications—even though any such backdoor could put the security of every single user who relies on that encryption for legitimate and legal security purposes at risk. First revealed earlier this month in a report by MalwareBytes, the $15,000 GrayKey box may offer a workaround to authorities at a significantly cheaper and more efficient rate than the $5,000-per-device rate reportedly quoted by Israeli competitor Cellebrite, which generally requires clients to mail them the phones in question.
GrayKey can allegedly crack an iPhone just by attaching it to one of two Lightning cables sticking out of the side and injecting some kind of program that eventually causes the affected iPhone to display its passcode. Time varies from two hours to three days or longer for six-digit passcodes, per MalwareBytes, and upon completion the device’s entire file system can be downloaded. The GrayKey device reportedly works on iOS versions as 11.2.5, which was released on January 23rd, 2018; the only security fix publicly acknowledged in the latest version, 11.2.6, pertained to the infamous Telugu bug.
Grayshift is reportedly offering the device in a $15,000, 30-use version that needs a geo-fenced internet connection to function, as well as a $30,000 unlocked version, so it would seem that the State Department purchased the limited version.
In any case, its existence at all poses a security threat both because there are so many unknowns about the security flaw it exploits and the ways it could be used to compromise some of the most sensitive information on a mobile device. While the vulnerability that enables GrayKey could ostensibly be discovered and patched out of existence at any time, a Saturday report in the New York Times indicated that federal law enforcement are preparing to renew their efforts to force tech companies to build backdoors into products anyhow.