Cellphones

Leaked Documents Show What Phones Secretive Tech 'Graykey' Can Unlock (appleinsider.com)

Primarily used by law enforcement, Graykey unlocks mobile devices to extract data from both Android and iOS systems, according to the blog AppleInsider, "though its effectiveness varies depending on the specific hardware and software involved." But while its capabilities are rarely disclosed, "a leak of some Grayshift's internal documents was recently reported on by 404 Media." According to the data, Graykey can only perform "partial" data retrieval from iPhones running iOS 18 and iOS 18.0.1. These versions were released in September and early October, respectively. A partial extraction likely includes unencrypted files and metadata, such as folder structures and file sizes, according to past reports. Notably, Graykey struggles with beta versions of iOS 18.1. Under the latest update, the tool fails to extract any data, as per the documents.

Meanwhile, Graykey's performance with Android phones varies, largely due to the diversity of devices and manufacturers. On Google's Pixel lineup, Graykey can only partially access data from the latest Pixel 9 when in an "After First Unlock" (AFU) state — where the phone has been unlocked at least once since being powered on.

Thanks to long-time Slashdot reader AmiMoJo for sharing the article.

  • by gweihir ( 88907 ) on Sunday December 01, 2024 @12:46PM (#64983455)

    Do not trust your phone. No, really do not. Not even with your location. Learn to regard your phone as a portable listening and recording device that is not under your control.

    Also, get one with a removable battery (which is a good idea anyways) and remove that battery whenever there is reason to.

    That said, you can still use your phone for most things it is designed to do. Just be aware that it is not really _your_ phone.

    • by AmiMoJo ( 196126 ) on Sunday December 01, 2024 @01:05PM (#64983479) Homepage Journal

      It really depends what you keep on your phone and who your adversary is. If you are planning some light treason, you might consider this a factor. If you are only concerned about theft, the good news is that these days most phones are fairly resistant to the thief getting into your stuff.

      • by PPH ( 736903 )

        most phones are fairly resistant to the thief getting into your stuff.

        Quite a few thieves don't want "your stuff". They just want your phone. And are willing to kill for it.

        It's getting very easy to clone phones to get "your stuff" now that eSIMs are becoming widespread.

        • by AmiMoJo ( 196126 )

          How does cloning your phone help get your stuff? Surely you aren't using SMS for 2FA or something?

          • by PPH ( 736903 )

            Surely you aren't using SMS for 2FA or something?

            Personally, no. But there are a lot of businesses that assume everyone will do so. And freak out if you don't give them your cell number or have a phone that doesn't do "apps", or scan QR codes.

            • by gweihir ( 88907 )

              Well, if you trust a business using crappy, outdated "IT security", then maybe that is a problem on your side?

              There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

              • by PPH ( 736903 ) on Sunday December 01, 2024 @04:14PM (#64983761)

                Well, if you trust a business using crappy, outdated "IT security"

                Businesses change over time. My bank went from passwords to browser/IP fingerprinting. And now they look at me with a sad face when I tell them that my phone doesn't support their banking app.

                Even Slashdot has added:

                This page could not be loaded due to incorrect / bad filtering rule(s) of adblocker

                ... just to remind us that advertisers will now be tracking us as a part of their agreement.

                There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

                It's not 2FA. It never was. They want your cell number for tracking purposes.

                • by aaarrrgggh ( 9205 ) on Sunday December 01, 2024 @04:37PM (#64983795)

                  Yeah, the html-load crap is quite annoying with /.

                • > It's not 2FA. It never was. They want your cell number for tracking purposes.

                  Yup. This times 100.

                  I have ongoing arguments with my bank r.e. 2fa bullshit. When they forced it I bought a second "pay as you go" phone which sits in a locked drawer most of the time. It's a pain as I have to remember to take it out and charge it about 1/2 hour before I want to use it. Plus I have to use it to call my main mobile every few months to prevent it getting deactivated.

                  And they keep requesting I install their (cr

              • And yet for consumer level applications, SMS is still an option for 2-factor authentication in most cases. People are still accessing accounts using SMS 2FA all over the world...

                • by gweihir ( 88907 )

                  "Option" as in "can be done". It is a bad, insecure option. Worse, it pretends to be secure 2FA and will make people believe they have strong 2FA. Do not use it.

                • by PPH ( 736903 )

                  People are still accessing accounts using SMS 2FA all over the world...

                  People are still accessing accounts using "password" as a password all over the world...

          • I generally don't have a choice in the matter. Where I do have a choice, I don't use SMS.

      • Well I wouldn't say you're entirely wrong, but.. two things.

        I can't recall where I read recently, probably here, that thieves are grabbing iPhones out of people's hands on the subway etc, and then just selling them for parts (the screen in particular) ... so basically the phone hardware is shipped to China for the screen, and thief gets a minimal amount, but enough to motivate them to steal.

        But secondly, I'd like to point out the real problem here is that the real adversaries are your service providers.. App
        • by AmiMoJo ( 196126 )

          I don't disagree, but in terms of information security if your phone gets stripped for parts then your data is still safe.

          • Sure you're out 1 phone. And quite likely, if you can navigate the commercial systems and properly identify yourself, you could probably get 99% of your data back out of the cloud. Not really different than "upgrading" (buying) a new phone.

            I'm really quite tiresome, I know, but I think the other point is really what should be known/understood... your service providers are the fox in the henhouse. I just find no one wants to hear it. We have tons of evidence. In most cases you just have to read the Terms of
    • by Tony Isaac ( 1301187 ) on Sunday December 01, 2024 @11:33PM (#64984393) Homepage

      Also, for the same reasons, don't use a desktop computer, or browse the web (and especially not slashdot!), or connect to the internet for any reason, or use Windows or Mac or Linux. Also, never buy anything anywhere with credit or debit, cash only. And never use a bank, keep your cash safely in your house. Never walk outside, cameras are watching your every move. There are still some places in Canada's Northwest Territories where you can live free of surveillance, and maybe some parts of west Texas. In those places, you are sure to find some survivors of the Y2K meltdown, who completely disconnected from everything in order to stay alive. Those nice people will help you through these difficult times.

      • by gweihir ( 88907 )

        Are you functionally illiterate? I wrote "do not _trust_ your phone", not "do not _use_ your phone".

        • Sure, but if you don't trust your phone, why would you use it?

          You mention, for example, 'don't trust it with your location.' Well, that means you need the cellular modem turned off, as the protocol is designed to use tower triangulation to determine your location.

          Also, can't use the wifi, thanks to the aforementioned cellular triangulation being used to build a database of the locations of visible SSIDs.

          So now you have a phone that you can't use as a phone.

          • by gweihir ( 88907 )

            Sure, but if you don't trust your phone, why would you use it?

            Is this a serious question? Have you _ever_ heard of risk management?

            • Well, yes, I have. I'm trying to explore your ideas of acceptable risk, as well as explore if you actually understand the risks.
        • I don't see the difference, you can't *use* your phone unless you *trust* it at least to some degree.

          How are you going to *use* it for navigation, unless you "trust" it with your location? Even for cellular or wifi communication, you have to "trust" it with your location. The Austin package bomber was tracked through cell tower triangulation, not GPS location. https://www.cazayouxewinglaw.c... [cazayouxewinglaw.com].
          How are you going to *use* it to take photos, unless you "trust" it to keep your private photos private?

          What exactl

          • by gweihir ( 88907 )

            Ever heard of risk management? You do not need to trust it to use it.

            • OK I'm confused then. You said:

              Do not trust your phone. No, really do not. Not even with your location.

              So do you mean by this that you shouldn't enable location services on your phone? To what extent can you enable location services without "trusting" your phone with your location?

              • by gweihir ( 88907 )

                That means you need to be aware that under some circumstances you should not only switch your phone off, you remove the battery. When those circumstances arise is a risk-management decision. And no, this does not mean criminal activity, although that is a use-case. Another one may be joining an entirely legal public protest, or going to an abortion clinic in a different state.

                • And how exactly would you know what circumstances warrant removal of the battery? How would you ever know that you are about to enter an area where a crime, or a protest, or some other incident investigated by the authorities, has just taken place, or is about to take place?

                  • by gweihir ( 88907 )

                    Well, here is an alien concept for you: It is called "common sense".

                    • Common sense can tell you what is about to happen in the location you will be for an unrelated reason? That's amazing! I certainly don't have that kind of common sense.

      • You could move to National Radio Quiet Zone in WV.

  • by ZipK ( 1051658 ) on Sunday December 01, 2024 @01:19PM (#64983509)
    Wouldn't the sale of these tools violate the DMCA?
  • The word the editor was looking for was "which" not "what." SMH.
  • After first unlock. (Score:4, Interesting)

    by whoever57 ( 658626 ) on Sunday December 01, 2024 @02:15PM (#64983587) Journal

    I see that Android (Pixel phones, at least) has an option to revert to before first unlock if it doesn't have a network connection for some time. I assume this is aimed at making things more difficult for the police to use tools like Graykey.

    Combined with a remote wipe capability, what do the police do? Keep it in a Faraday cage and allow the phone to go to before first unlock, or allow it network access and risk a remote wipe?

    • by timonak ( 800869 )
      iOS 18 also reboots to get back into BFU mode after 72 hours of inactivity. Are you sure the Pixel requires network blackout to reboot? It's probably doing the same thing as iOS and rebooting on device inactivity. And this makes things significantly more difficult to attack because the user partition (where your data is stored) isn't mounted. Your credentials are needed to unlock the secure enclave to get the decryption key. The police already keep your phone in a Faraday cage to prevent remote wipes
      • From what I can discern, the only thing that triggers this in such a manner is the phone being offline for some time.

        I don't think it reboots the phone. I think it just sets it back into the "just rebooted" state.

        However, there are clearly some other things that trigger this behavior -- the indication being that the phone will require the unlock code instead of unlocking via the fingerprint sensor.

  • > unlocked at least once since being powered on

    Does Android not securely clear keys from memory on reboot?

    Opsec wise it's important to say powered-on or booted precisely.

    But there's no battery switch so who knows.

  • Unless you are running old software, it won't be able to get much. On either Android or iOS
  • .... from mid-November.
  • Leaked Documents Show Which Phones Secretive Tech 'Graykey' Can Unlock

    It refers to a finite field of items. The correct word to use is "which".

  • You cannot trust any device and never could.
    • There are different levels of trust.

      Trust that law enforcement can't break in? No, not a good idea. On the other hand, doing so costs them money, so they aren't going to do it to just anybody. To be on their radar, you have to have done something pretty serious.

      Trust that it will securely manage your bank accounts or payment methods? That's reasonably safe, as long as you properly lock your phone.

      • States and federal governments, especially those that aid counties and cities who aid the prosecution of certain crimes have endless resources and always go after the "low hanging fruit" for easy convictions. LE agencies buy data lists and guilt is made by association not by proof of actual crime. Agencies acquire these software hacks which make it easier and less expensive to investigate anyone and everyone deemed necessary. Operation Stingray was only the beginning.
        • These techniques, such as Stingray, never were admissible in court. They are legal (some places more than others) as investigative techniques, but to make a case, authorities must rely on hard evidence, not associations. The Austin package bomber, for example, was captured using cell tower triangulation. https://www.cazayouxewinglaw.c... [cazayouxewinglaw.com] His capture required only probable cause, not proof beyond reasonable doubt. To be convicted, authorities needed much more than triangulation.

          But let's take your argument

          • https://www.nytimes.com/intera... [nytimes.com] There is no solution just a need to be mindful of the tech you're carrying.
            • OK, so no solution, just mindfulness then. Good, I don't have to keep taking the battery out of my phone (which doesn't have a removable battery anyway). If the "solution" is drastic, but still doesn't accomplish the goal, then the solution is not viable.

              In your story, the case against the man caught in a geofence net fell apart because it was not corroborated by other evidence, as it should.

  • Related discussion on GrapheneOS:
    https://discuss.grapheneos.org... [grapheneos.org]
