GrayShift is a new company that promises to unlock even iPhones running the latest version of iOS for a relatively cheap price.
In a sign of how hacking technology often trickles down from more well-funded federal agencies to local bodies, at least one regional police department has already signed up for GrayShift's services, according to documents and emails obtained by Motherboard.
As Forbes reported on Monday, GrayShift is an American company which appears to be run by an ex-Apple security engineer and others who have long held contracts with intelligence agencies. In its marketing materials, GrayShift offers a tool called GrayKey, an offline version of which costs $30,000 and comes with an unlimited number of uses. For $15,000, customers can instead buy the online version, which grants 300 iPhone unlocks.
This is what the Indiana State Police bought, judging by a purchase order obtained by Motherboard. The document, dated February 21, is for one GrayKey unit costing $500, and a "GrayKey annual license—online—300 uses," for $14,500. The order, and an accompanying request for quotation, indicate the unlocking service was intended for Indiana State Police's cybercrime department. A quotation document emblazoned with GrayShift's logo shows the company gave Indiana State Police a $500 discount for their first year of the service.
Importantly, according to the marketing material cited by Forbes, GrayKey can unlock iPhones running modern versions of Apple's mobile operating system, such as iOS 10 and 11, as well as the most up-to-date Apple hardware, like the iPhone 8 and X.
(Score: 5, Insightful) by jmorris on Sunday March 11 2018, @06:40AM (4 children)
So somebody at Apple has apparently absconded with the private keys.
This is why I keep saying the only solution is to force device makers to allow the owner to pick which keys they want in their device. Defaulting to having the vendor keys is perfectly fine for most users most of the time, it makes updates simple, etc. But cases like this demonstrate why burning keys into a device that can't be replaced and that only the vendor is supposed to know is going to always be subject to unrecoverable failures, just like this one.
Each device (phone, tablet, laptop, desktop, etc.) should include a business card with a QR code on it, or a USB stick as appropriate, with the master device key. Using that key you can access the deepest security level, add / remove keys, etc. Even replace the device key itself if one suspects (rightly) the vendor may have retained a copy. Of course removing any of the preloaded keys would have to impact warranty and updates from the vendor and the user would have to accept responsibility for that action. Of course it should also be possible (especially in a corporate environment) to have IT download updates, examine them and then add a signature with their keys to allow their devices to accept them from an in-house repository.
Operating systems, even Holy Apple, should be mandated to be configurable to permit such things. When you buy a device you should own it. That means the keys AND the other access required to exercise ownership. Combine with Right to Repair and it should also mean full documentation of the hardware should be available, either supplied as a preloaded PDF or available at a nominal charge without requirements for complex legal agreements, limitations to incorporated entities, credit checks and other BS.
I know this will shock the younger readers but we old timers remember when computing gear routinely came with extensive documentation and the extra service manual level documentation was typically sufficient to implement software drivers from. Then it all suddenly closed up and is only now, with the Open Source movement pushing hard, beginning to open back up a bit.
(Score: 1) by Ethanol-fueled on Sunday March 11 2018, @07:31AM
Yeah, this. Reminds me of that hacking contest in which an ex-NSA employee won. Come on, that's stacking the deck at best and a national security violation at worst.
Then you wonder why that is allowed. Marketing for the NSA, or just a plain unfair advantage for profit like how our congressmen can legally insider-trade while the rest of us cannot. I recall (not that I am a speculator) "blackout" periods in which it was forbidden for employees of my defense-contractor employer to trade during certain periods.
It doesn't matter even if they had approval from the alphabet soup to indirectly reveal vulns -- the deck is still stacked in their favor. Perks of the trade, perhaps, but still unethical ones.
(Score: 3, Interesting) by MichaelDavidCrawford on Sunday March 11 2018, @07:38AM (1 child)
The reason Working Software asked me to write a keylogger called "Last Resort" is that WSI's owner's father was a writer.
If that father ever clicked in the wrong place his click would cause a different application to come to the front.
That confused and upset him so much that every single time he would pull out the power cord.
I really did write a keylogger. I think we charged $9.95 for it. I got lots of grateful fan mail from prospective Great American Novelists.
Yes I Have No Bananas. [gofundme.com]
(Score: 1) by Ethanol-fueled on Sunday March 11 2018, @06:58PM
Weev?
(Score: 3, Interesting) by MichaelDavidCrawford on Sunday March 11 2018, @07:51AM
Have you pointed that out to your elected representatives?
Don't email them. Phone calls are somewhat acceptable but hardcopy snail mail is the most effective.
That enables your representatives to sort their constituents' letters according to the opinions expressed therein and then...
... weigh them.
"Naked Economics: Understanding The Dismal Science" points out that small but vocal interest groups are the most effective with getting legislation passed. Consider that the Feds still offer a subsidy to mohair farmers.
It happens that I share your opinion but have yet to tell my congresscritters about it. My printer's busted so I'll have to use my client's. I'll mail such a letter on Monday.
Yes I Have No Bananas. [gofundme.com]