How FBI Uses GrayKey and Hide UI to Unlock iPhones
The FBI and other law enforcement agencies have been using GrayKey, and a software application called Hide UI, both developed by Grayshift, to unlock iPhones with varying degrees of success. Hide UI is malware that is installed on a suspect's iPhone, where it captures and saves the passcode when the iPhone is unlocked.
NBC has written about the Hide UI app with newly uncovered details. The tool had previously been a well-kept secret due to the strong NDAs in place, but NBC got in touch with people who were willing to share details.
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.
Apple is well known for its refusal to create backdoors for the iPhone, which would help law enforcement agencies with investigations. The company is rightfully concerned that any such tool or backdoor will ultimately fall into the hands of the bad guys, which would put the security and privacy of all iPhone users at stake.
The FBI was recently able to unlock the iPhones used by the shooter in Pensacola, Florida, without Apple's help. Apple had been approached by the FBI and provided iCloud data, but it drew the line when it came to unlocking the iPhone.
GrayKey is well known for being one of the few solutions for unlocking iPhones by using iOS vulnerabilities. The tool is a hardware device which connects to an iPhone via a Lightning cable and attempts a brute-force attack after installing a software 'agent'. As per NBC, the tool can crack a four-digit passcode in a few minutes, while a six-digit passcode can take less than a day. However, eight- or 10-digit passcodes can take weeks or years.
It can take minutes to crack a four-digit pin and less than a day to crack a six-digit pin, according to calculations by cryptographer Matthew Green, an Associate Professor of Computer Science at the Johns Hopkins Information Security Institute. For eight- and 10-digit passcodes it can take weeks or years. It is under these circumstances that Hide UI provides a way to get access to the device more quickly.
When GrayKey fails, law enforcement agencies have to rely on Hide UI. Once installed on an iPhone, it works as a sort of keylogger, which records any successful passcode input and saves it in a text file. This text file can then be retrieved by GrayKey, and the passcode can be used to unlock the iPhone. Hide UI also disables Airplane mode and prevents the device from being erased.
Using Hide UI is not as simple as just installing the app though. Once the app is installed, law enforcement agencies have to trick the suspect into unlocking the iPhone, sometimes under the guise of calling their lawyer. Once the suspect enters the passcode, it is saved to the text file, even if the iPhone is locked again.
Of course, Hide UI will not be effective if the suspect is dead, which was the case with the Florida shooter. Hide UI is also buggy and does not always work.
A second law enforcement official said that the software was “buggy” and that it was often easier to get the suspect to hand over their passcode during interrogation than to use the subterfuge required for Hide UI to work.
Does this solve the issue of unlocking iPhones for investigations? No. It opens another can of worms. Although law enforcement officials need a warrant to be able to use such means to unlock iPhones, things are not as black and white. Law enforcement officials have anonymously told NBC that officers often engage in unethical behavior.
“It’s great technology for our cases, but as a citizen I don’t really like how it’s being used. I feel like sometimes officers will engage in borderline and unethical behavior,” the law enforcement official said.
Concerns arise that Hide UI and GrayKey might be commonly used without a warrant, because of the time restrictions that Apple puts on iOS devices when incorrect passcodes are entered. GrayKey also does not advertise Hide UI in its features, which means that it is intentionally hidden and only shared with customers under strict NDAs. As a result, although GrayKey is mentioned in some warrants, Hide UI is never mentioned in them, which raises concerns about legality and lack of disclosure. This opens up the possibility of unauthorized usage of the tools for reasons that are not outlined in any legal document.
“Law enforcement use of this ‘agent’ keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society. “In general, I don't think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized.”