GrayShift is a new company that promises to unlock even iPhones running the latest version of iOS for a relatively cheap price.
In a sign of how hacking technology often trickles down from more well-funded federal agencies to local bodies, at least one regional police department has already signed up for GrayShift's services, according to documents and emails obtained by Motherboard.
As Forbes reported on Monday, GrayShift is an American company which appears to be run by an ex-Apple security engineer and others who have long held contracts with intelligence agencies. In its marketing materials, GrayShift offers a tool called GrayKey, an offline version of which costs $30,000 and comes with an unlimited number of uses. For $15,000, customers can instead buy the online version, which grants 300 iPhone unlocks.
This is what the Indiana State Police bought, judging by a purchase order obtained by Motherboard. The document, dated February 21, is for one GrayKey unit costing $500, and a "GrayKey annual license—online—300 uses," for $14,500. The order, and an accompanying request for quotation, indicate the unlocking service was intended for Indiana State Police's cybercrime department. A quotation document emblazoned with GrayShift's logo shows the company gave Indiana State Police a $500 discount for their first year of the service.
Importantly, according to the marketing material cited by Forbes, GrayKey can unlock iPhones running modern versions of Apple's mobile operating system, such as iOS 10 and 11, as well as the most up-to-date Apple hardware, like the iPhone 8 and X.
(Score: 2, Interesting) by cocaine overdose on Sunday March 11 2018, @06:24AM (3 children)
Anyway, it looks absolutely trivial to penetrate their website (thank you modern JS and Google for boosting sites' SEOs that have sitemaps, you glorious moron). One would hope they're not running their police backend on the same server as their website, but who knows (well, I'll leave that up to interpretation ;) ). Once that's through, finding "graykeypassword.txt" is a piece of bacon. Now all you gotta do is set up a proxy through your backdoor and you've got near undetectable access to GrayKey. What would be worse, however, would be if they bought the offline package. Then it's just a matter of downloading the files and reselling them on your end. Or worse!
Careful what you sell to morons, they might kill your mom.
(Score: 1, Funny) by Anonymous Coward on Sunday March 11 2018, @06:59AM
If you actually manage to do this, the hilarious thing to do would be to simply use up all 300 uses.
(Score: 2) by MichaelDavidCrawford on Sunday March 11 2018, @07:35AM (1 child)
You have the right to remain silent.
Yes I Have No Bananas. [gofundme.com]
(Score: 0, Flamebait) by cocaine overdose on Sunday March 11 2018, @07:45AM