Following a report last week that Israeli company Cellebrite was offering an unlocking service for Apple’s latest iOS 11 devices, a new report today claims that a former Apple employee is involved in a similar American business. Forbes says that an “obscure” startup named Grayshift “appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer,” and is offering iPhone unlocking services priced at $15,000 to $30,000 for models including the iPhone X.
According to today’s report, Grayshift has issued marketing materials offering an iPhone unlocking tool called GrayKey in two flavors: Online, with a 300-device usage limit, for a single payment of $15,000; or Offline, with no device limit, for $30,000. The company claims to be able to unlock iOS 10 and iOS 11 devices, including all currently sold iPhones, iPads, and iPod touches, with iOS 9 and older device support listed as “coming soon.” Forbes says that GrayKey’s service has apparently been demonstrated successfully on a locked iPhone X.
While Grayshift’s full employee roster isn’t known, Forbes says that it includes former employees of U.S. government-sponsored hacking companies Endgame and Optiv, as well as Braden Thomas, who is said to have spent six years as a security engineer for Apple. Thomas’ claimed involvement raises the prospect that iOS devices and software might have been compromised by Apple employees who later left to work against the company’s interests.
There’s been no claim of direct Apple involvement in Cellebrite’s service, which is currently said to work on “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Unlike Grayshift, Cellebrite requires that each locked iPhone be sent to the company’s labs, at which point it will charge approximately $1,500 per unlock.
The claims of easy, if pricey, access to a locked iPhone’s contents come after years of agonizing debate over iOS users’ rights to device security. Apple has publicly vowed to fight for user privacy and claimed to protect its products with encryption technologies that it says it cannot break. When Apple refused to assist in unlocking the San Bernardino shooter’s iPhone, an unidentified contractor reportedly stepped in and unlocked the device for roughly $1 million, a feat previously thought to be all but impossible. Since then, Apple has offered support to law enforcement officials in certain criminal investigations.
While it’s uncertain whether the claimed Cellebrite and Grayshift techniques rely upon undisclosed vulnerabilities in Apple’s authentication schemes, one possibility is a speculative execution exploit targeting the devices’ “secure enclaves,” akin to the Spectre and Meltdown bugs publicized in January. While brute-force guessing of the device’s PIN or password is likely involved in the exploits, it’s believed that any successful hack would need to trick the device into allowing multiple fast guesses, as the device currently imposes a wait of up to an hour for the ninth and further attempts.