Apple’s iOS 12 has basically rendered brute-force iPhone hacking tools such as the GrayKey box ineffective, Forbes reports. The GrayKey box, produced by Atlanta-based company Grayshift has been used widely by governments and law enforcement agencies to bypass iOS security, and was able to do so even with the latest iPhone models running iOS 11. Apple entered a cat-and-mouse game with Grayshift in trying to clamp down on iOS security, but the company continued to grow, even security contracts with U.S. Immigration and Customs Enforcement and the Secret Service. With iOS 12, however, Apple may have finally put up an “insurmountable wall,” with multiple sources telling Forbes that the device can no longer break the passcodes of “any iPhone running iOS 12 or above.” While GrayKey is apparently still able to do a “partial extraction,” this is limited to drawing out relatively few unencrypted files and basic metadata such as folder structures.
GrayKey relies primarily on a “brute forcing” approach of simply guessing passcodes, and had managed to defeat Apple’s built-in limits on repeat guesses by working through the USB port. In addition to several anonymous sources, Forbes even spoke on the record with Police officer Captain John Sherwin of the Rochester Police Department in Minnesota, who described the claim as “a fairly accurate assessment as to what we have experienced.”
What’s more interesting is that although sources have confirmed that Apple has locked Grayshift out, nobody seems to be able to provide any solid information on how Apple has accomplished this, and even veteran iPhone forensic companies like Elcomsoft are currently stumped. What seems clear is that the method goes beyond the USB Restricted Mode that Apple began to implement last spring in iOS 11.4 — a mode that would lock down all USB communications if an iOS device hadn’t been unlocked within an hour, and possibly even sooner under certain other conditions1. Elcomsoft chief Vladimir Katalov admitted that he has no ideas, adding that “It could be everything from better kernel protection to stronger configuration-profile installation restrictions.” Of course, forensic companies such as Grayshift and Elcomsoft have proven to be resourceful in the past, and sources suggest that it’s only a matter of time before another vulnerability or workaround is discovered. As Sherwin notes, “Someone is always building a better mousetrap, whether it’s Apple or someone trying to defeat device security.”
- According to Apple’s latest iOS Security Guide, “if it’s been more than three days since a USB connection has been established, the device will disallow new USB connections immediately after it locks. This is to increase protection for users that don’t often make use of such connections. USB connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.” ↩