Leaked Documents Show What Phones Secretive Tech 'Graykey' Can Unlock

Primarily used by law enforcement, Graykey unlocks mobile devices to extract data from both Android and iOS systems, according to the blog AppleInsider, "though its effectiveness varies depending on the specific hardware and software involved." But while its capabilities are rarely disclosed, "a leak of some Grayshift's internal documents was recently reported on by 404 Media." According to the data, Graykey can only perform "partial" data retrieval from iPhones running iOS 18 and iOS 18.0.1. These versions were released in September and early October, respectively. A partial extraction likely includes unencrypted files and metadata, such as folder structures and file sizes, according to past reports. Notably, Graykey struggles with beta versions of iOS 18.1. Under the latest update, the tool fails to extract any data, as per the documents.

Meanwhile, Graykey's performance with Android phones varies, largely due to the diversity of devices and manufacturers. On Google's Pixel lineup, Graykey can only partially access data from the latest Pixel 9 when in an "After First Unlock" (AFU) state — where the phone has been unlocked at least once since being powered on.
Thanks to long-time Slashdot reader AmiMoJo for sharing the article.

The solution is simple

[gweihir]

Do not trust your phone. No, really do not. Not even with your location. Learn to regard you phone as a portable listening and recording device that is not under your control.

Also, get one with a removable battery (which is a good idea anyways) and remove that battery whenever there is reason to.

That said, you can still use your phone for most things it is designed to do. Just be aware that it is not really _your_ phone.

Re:The solution is simple

[AmiMoJo]

It really depends what you keep on your phone and who your adversary is. If you are planning some light treason, you might consider this a factor. If you are only concerned about theft, the good news is that these days most phones are fairly resistant to the thief getting into your stuff.

Re:

[PPH]

most phones are fairly resistant to the thief getting into your stuff.

Quite a few thieves don't want "your stuff". They just want your phone. And are willing to kill for it.

It's getting very easy to clone phones to get "your stuff" now that eSIMs are becoming widespread.

Re:

[AmiMoJo]

How does cloning your phone help get your stuff? Surely you aren't using SMS for 2FA or something?

Re:

[PPH]

Surely you aren't using SMS for 2FA or something?

Personally, no. But there are a lot of businesses that assume everyone will do so. And freak out if you don't give them your cell number or have a phone that doesn't do "apps", or scan QR codes.

Re:

[gweihir]

Well, if you trust a business using crappy, outdated "IT security", then maybe that is a problem on your side?

There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

Re:The solution is simple

[PPH]

Well, if you trust a business using crappy, outdated "IT security"

Businesses change over time. My bank went from passwords to browser/IP fingerprinting. And now they look at me with a sad face when I tell them that my phone doesn't support their banking app.

Even Slashdot has added:

This page could not be loaded due to incorrect / bad filtering rule(s) of adblocker

... just to remind us that advertisers will now be tracking us as a part of their agreement.

There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

It's not 2FA. It never was. They want your cell number for tracking purposes.

Re:The solution is simple

[aaarrrgggh]

Yeah, the html-load crap is quite annoying with /.

Re:

[bemymonkey]

And yet for consumer level applications, SMS is still an option for 2-factor authentication in most cases. People are still accessing accounts using using SMS 2FA all over the world...

Re:

[gweihir]

"Option" as in "can be done". It is a bad, insecure option. Worse, it pretends to be secure 2FA and will make people believe they have strong 2FA. Do not use it.

Re:

[jonbryce]

I generally don't have a choice in the matter. Where I do have a choice, I don't use SMS.

Re:

[Tony Isaac]

Also, for the same reasons, don't use a desktop computer, or browse the web (and especially not slashdot!), or connect to the internet for any reason, or use Windows or Mac or Linux. Also, never buy anything anywhere with credit or debit, cash only. And never us a bank, keep your cash safely in your house. Never walk outside, cameras are watching your every move. There are still some places in Canada's Northwest Territories where you can live free of surveillance, and maybe some parts of west Texas. In thos

Re:

[gweihir]

Are you functionally illiterate? I wrote "do not _trust_ your phone", not "do not _use_ your phone".

DMCA

[ZipK]

Wouldn't the sale of these tools violate the DMCA?

Re:DMCA

[quonset]

No. Law enforcement has an exemption. It's the same reason political campaigns can spam you day and night via phone, text, or email and not pay a penalty. They exempted themselves from the spam rules.

Re: DMCA

[writeRight]

>> political campaigns can spam you day and night via phone

Why do people voluntarily include their phone number when registering to vote? They CAN do it because you provided it.

Re:

[kmoser]

They don't all get your phone number from voter registration records.

Re:

[ArchieBunker]

It only applies to common folks.

Re:

[LaughingRadish]

Why would the DMCA have anything to do with something like this?

Which

[gregstumph]

The word the editor was looking for was "which" not "what." SMH.

After first unlock.

[whoever57]

I see that Android (Pixel phones, at least) has an option to revert to before first unlock if it doesn't have a network connection for some time. I assume this is aimed at making things more difficult for the police to use tools like Graykey.

Combined with a remote wipe capability, what do the police do? Keep it in a Faraday cage and allow the phone to go to before first unlock, or allow it network access and risk a remote wipe?

Re:

[timonak]

iOS 18 also reboots to get back into BFU mode after 72 hours of inactivity. Are you sure the Pixel requires network blackout to reboot? Its probably doing the same thing as iOS and rebooting on device inactivity. And this makes things significantly more difficult to attack because the user partition (where your data is stored) isn't mounted. Your credentials are needed to unlock the secure enclave to get the decryption key. The police already keep your phone in a faraday cage to prevent remote wipes

Powered On or Booted?

[bill_mcgonigle]

> unlocked at least once since being powered on

Does Android not securely clear keys from memory on reboot?

Opsec wise it's important to say powered-on or booted precisely.

But there's no battery switch so who knows.

Re:

[Tony Isaac]

Do you have your email on it? If so, someone who picks up your phone can use that to reset your bank password, and gain access to your accounts. Every account everywhere has an email-based password reset. These days, email has become the thing that requires the most security.

So, not much?

[bubblyceiling]

Unless you are running old software, it won't be able to get much. On either Android or iOS

Old news...

[Currawong]

.... from mid-November.

Which*

[Gravis Zero]

Leaked Documents Show Which Phones Secretive Tech 'Graykey' Can Unlock

It refers to a finite field of items. The correct word to use is "which".

What else is new?

[Slashythenkilly]

You cannot trust any device and never could.

Re:

[Tony Isaac]

There are different levels of trust.

Trust that law enforcement can't break in? No, not a good idea. On the other hand, doing so costs them money, so they aren't going to do it to just anybody. To be on their radar, you have to have done something pretty serious.

Trust that it will securely manage your bank accounts or payment methods? That's reasonably safe, as long as you properly lock your phone.