Leaked Documents Show What Phones Secretive Tech 'Graykey' Can Unlock (appleinsider.com)
Primarily used by law enforcement, Graykey unlocks mobile devices to extract data from both Android and iOS systems, according to the blog AppleInsider, "though its effectiveness varies depending on the specific hardware and software involved."
But while its capabilities are rarely disclosed, "a leak of some Grayshift's internal documents was recently reported on by 404 Media."
According to the data, Graykey can only perform "partial" data retrieval from iPhones running iOS 18 and iOS 18.0.1. These versions were released in September and early October, respectively. A partial extraction likely includes unencrypted files and metadata, such as folder structures and file sizes, according to past reports. Notably, Graykey struggles with beta versions of iOS 18.1. Under the latest update, the tool fails to extract any data, as per the documents.
Meanwhile, Graykey's performance with Android phones varies, largely due to the diversity of devices and manufacturers. On Google's Pixel lineup, Graykey can only partially access data from the latest Pixel 9 when in an "After First Unlock" (AFU) state — where the phone has been unlocked at least once since being powered on.
Thanks to long-time Slashdot reader AmiMoJo for sharing the article.
The solution is simple (Score:5, Interesting)
Do not trust your phone. No, really do not. Not even with your location. Learn to regard your phone as a portable listening and recording device that is not under your control.
Also, get one with a removable battery (which is a good idea anyways) and remove that battery whenever there is reason to.
That said, you can still use your phone for most things it is designed to do. Just be aware that it is not really _your_ phone.
Re:The solution is simple (Score:5, Interesting)
It really depends what you keep on your phone and who your adversary is. If you are planning some light treason, you might consider this a factor. If you are only concerned about theft, the good news is that these days most phones are fairly resistant to the thief getting into your stuff.
Re: (Score:2)
> most phones are fairly resistant to the thief getting into your stuff.
Quite a few thieves don't want "your stuff". They just want your phone. And are willing to kill for it.
It's getting very easy to clone phones to get "your stuff" now that eSIMs are becoming widespread.
Re: (Score:2)
How does cloning your phone help get your stuff? Surely you aren't using SMS for 2FA or something?
Re: (Score:3)
> Surely you aren't using SMS for 2FA or something?
Personally, no. But there are a lot of businesses that assume everyone will do so. And freak out if you don't give them your cell number or have a phone that doesn't do "apps", or scan QR codes.
Re: (Score:2)
Well, if you trust a business using crappy, outdated "IT security", then maybe that is a problem on your side?
There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.
Re:The solution is simple (Score:4, Insightful)
> Well, if you trust a business using crappy, outdated "IT security"
Businesses change over time. My bank went from passwords to browser/IP fingerprinting. And now they look at me with a sad face when I tell them that my phone doesn't support their banking app.
Even Slashdot has added:
This page could not be loaded due to incorrect / bad filtering rule(s) of adblocker
> There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.
It's not 2FA. It never was. They want your cell number for tracking purposes.
Re:The solution is simple (Score:4, Informative)
Yeah, the html-load crap is quite annoying with /.
Re: (Score:2)
> It's not 2FA. It never was. They want your cell number for tracking purposes.
Yup. This times 100.
I have ongoing arguments with my bank r.e. 2fa bullshit. When they forced it I bought a second "pay as you go" phone which sits in a locked drawer most of the time. It's a pain as I have to remember to take it out and charge it about 1/2 hour before I want to use it. Plus I have to use it to call my main mobile every few months to prevent it getting deactivated.
And they keep requesting I install their (cr
Re: (Score:2)
And yet for consumer level applications, SMS is still an option for 2-factor authentication in most cases. People are still accessing accounts using SMS 2FA all over the world...
Re: (Score:2)
"Option" as in "can be done". It is a bad, insecure option. Worse, it pretends to be secure 2FA and will make people believe they have strong 2FA. Do not use it.
Re: (Score:2)
> People are still accessing accounts using SMS 2FA all over the world...
People are still accessing accounts using "password" as a password all over the world...
Re: (Score:2)
I generally don't have a choice in the matter. Where I do have a choice, I don't use SMS.
Re: (Score:2)
I can't recall where I read recently, probably here, that thieves are grabbing iPhones out of people's hands on the subway etc, and then just selling them for parts (the screen in particular)
But secondly, I'd like to point out the real problem here is that the real adversaries are your service providers.. App
Re: (Score:2)
I don't disagree, but in terms of information security if your phone gets stripped for parts then your data is still safe.
Re: (Score:2)
I'm really quite tiresome, I know, but I think the other point is really what should be known/understood... your service providers are the fox in the henhouse. I just find no one wants to hear it. We have tons of evidence. In most cases you just have to read the Terms of
Re:The solution is simple (Score:4, Funny)
Also, for the same reasons, don't use a desktop computer, or browse the web (and especially not slashdot!), or connect to the internet for any reason, or use Windows or Mac or Linux. Also, never buy anything anywhere with credit or debit, cash only. And never use a bank, keep your cash safely in your house. Never walk outside, cameras are watching your every move. There are still some places in Canada's Northwest Territories where you can live free of surveillance, and maybe some parts of west Texas. In those places, you are sure to find some survivors of the Y2K meltdown, who completely disconnected from everything in order to stay alive. Those nice people will help you through these difficult times.
Re: (Score:2)
Are you functionally illiterate? I wrote "do not _trust_ your phone", not "do not _use_ your phone".
Re: (Score:3)
Sure, but if you don't trust your phone, why would you use it?
You mention, for example, 'don't trust it with your location.' Well, that means you need the cellular modem turned off, as the protocol is designed to use tower triangulation to determine your location.
Also, can't use the wifi, thanks to the aforementioned cellular triangulation being used to build a database of the locations of visible SSIDs.
So now you have a phone that you can't use as a phone.
Re: (Score:2)
> Sure, but if you don't trust your phone, why would you use it?
Is this a serious question? Have you _ever_ heard of risk management?
Re: (Score:2)
Re: (Score:2)
I don't see the difference, you can't *use* your phone unless you *trust* it at least to some degree.
How are you going to *use* it for navigation, unless you "trust" it with your location? Even for cellular or wifi communication, you have to "trust" it with your location. The Austin package bomber was tracked through cell tower triangulation, not GPS location. https://www.cazayouxewinglaw.c... [cazayouxewinglaw.com].
How are you going to *use* it to take photos, unless you "trust" it to keep your private photos private?
What exactl
Re: (Score:2)
Ever heard of risk management? You do not need to trust it to use it.
Re: (Score:2)
OK I'm confused then. You said:
> Do not trust your phone. No, really do not. Not even with your location.
So do you mean by this that you shouldn't enable location services on your phone? To what extent can you enable location services without "trusting" your phone with your location?
Re: (Score:2)
That means you need to be aware that under some circumstances you should not only switch your phone off, you remove the battery. When those circumstances arise is a risk-management decision. And no, this does not mean criminal activity, although that is a use-case. Another one may be joining an entirely legal public protest, or going to an abortion clinic in a different state.
Re: (Score:2)
And how exactly would you know what circumstances warrant removal of the battery? How would you ever know that you are about to enter an area where a crime, or a protest, or some other incident investigated by the authorities, has just taken place, or is about to take place?
Re: (Score:2)
Well, here is an alien concept for you: It is called "common sense".
Re: (Score:2)
Common sense can tell you what is about to happen in the location you will be for an unrelated reason? That's amazing! I certainly don't have that kind of common sense.
Re: (Score:2)
You could move to National Radio Quiet Zone in WV.
DMCA (Score:3)
Re:DMCA (Score:4, Informative)
No. Law enforcement has an exemption. It's the same reason political campaigns can spam you day and night via phone, text, or email and not pay a penalty. They exempted themselves from the spam rules.
Re: DMCA (Score:1)
Why do people voluntarily include their phone number when registering to vote? They CAN do it because you provided it.
Re: (Score:2)
Re: (Score:3)
It only applies to common folks.
Re: (Score:1)
Why would the DMCA have anything to do with something like this?
Which (Score:2)
After first unlock. (Score:4, Interesting)
I see that Android (Pixel phones, at least) has an option to revert to before first unlock if it doesn't have a network connection for some time. I assume this is aimed at making things more difficult for the police to use tools like Graykey.
Combined with a remote wipe capability, what do the police do? Keep it in a Faraday cage and allow the phone to go to before first unlock, or allow it network access and risk a remote wipe?
Re: (Score:1)
Re: (Score:2)
From what I can discern, the only thing that triggers this in such a manner is the phone being offline for some time.
I don't think it reboots the phone. I think it just sets it back into the "just rebooted" state.
However, there are clearly some other things that trigger this behavior -- the indication being that the phone will require the unlock code instead of unlocking via the fingerprint sensor.
Powered On or Booted? (Score:2)
> unlocked at least once since being powered on
Does Android not securely clear keys from memory on reboot?
Opsec wise it's important to say powered-on or booted precisely.
But there's no battery switch so who knows.
Re: (Score:3)
Do you have your email on it? If so, someone who picks up your phone can use that to reset your bank password, and gain access to your accounts. Every account everywhere has an email-based password reset. These days, email has become the thing that requires the most security.
Re: (Score:2)
If you have any emails from your bank, they could use that to determine which bank you use. Also, they can just try the top 50 banks with your email address and see if any work. For most people it wouldn't be a challenge.
So, not much? (Score:2)
Old news... (Score:2)
Which* (Score:2)
Leaked Documents Show Which Phones Secretive Tech 'Graykey' Can Unlock
It refers to a finite field of items. The correct word to use is "which".
What else is new? (Score:2)
Re: (Score:2)
There are different levels of trust.
Trust that law enforcement can't break in? No, not a good idea. On the other hand, doing so costs them money, so they aren't going to do it to just anybody. To be on their radar, you have to have done something pretty serious.
Trust that it will securely manage your bank accounts or payment methods? That's reasonably safe, as long as you properly lock your phone.
Re: What else is new? (Score:2)
Re: (Score:2)
These techniques, such as Stingray, never were admissible in court. They are legal (some places more than others) as investigative techniques, but to make a case, authorities must rely on hard evidence, not associations. The Austin package bomber, for example, was captured using cell tower triangulation. https://www.cazayouxewinglaw.c... [cazayouxewinglaw.com] His capture required only probable cause, not proof beyond reasonable doubt. To be convicted, authorities needed much more than triangulation.
But let's take your argument
Re: What else is new? (Score:2)
Re: (Score:2)
OK, so no solution, just mindfulness then. Good, I don't have to keep taking the battery out of my phone (which doesn't have a removable battery anyway). If the "solution" is drastic, but still doesn't accomplish the goal, then the solution is not viable.
In your story, the case against the man caught in a geofence net fell apart because it was not corroborated by other evidence, as it should.
GrapheneOS discussion thread (Score:1)
Related discussion on GrapheneOS:
https://discuss.grapheneos.org... [grapheneos.org]