Cellphones

Leaked Documents Show What Phones Secretive Tech 'Graykey' Can Unlock (appleinsider.com) 41

Primarily used by law enforcement, Graykey unlocks mobile devices to extract data from both Android and iOS systems, according to the blog AppleInsider, "though its effectiveness varies depending on the specific hardware and software involved." But while its capabilities are rarely disclosed, "a leak of some Grayshift's internal documents was recently reported on by 404 Media." According to the data, Graykey can only perform "partial" data retrieval from iPhones running iOS 18 and iOS 18.0.1. These versions were released in September and early October, respectively. A partial extraction likely includes unencrypted files and metadata, such as folder structures and file sizes, according to past reports. Notably, Graykey struggles with beta versions of iOS 18.1. Under the latest update, the tool fails to extract any data, as per the documents.

Meanwhile, Graykey's performance with Android phones varies, largely due to the diversity of devices and manufacturers. On Google's Pixel lineup, Graykey can only partially access data from the latest Pixel 9 when in an "After First Unlock" (AFU) state — where the phone has been unlocked at least once since being powered on.

Thanks to long-time Slashdot reader AmiMoJo for sharing the article.

  • by gweihir ( 88907 ) on Sunday December 01, 2024 @12:46PM (#64983455)

    Do not trust your phone. No, really do not. Not even with your location. Learn to regard your phone as a portable listening and recording device that is not under your control.

    Also, get one with a removable battery (which is a good idea anyways) and remove that battery whenever there is reason to.

    That said, you can still use your phone for most things it is designed to do. Just be aware that it is not really _your_ phone.

    • by AmiMoJo ( 196126 ) on Sunday December 01, 2024 @01:05PM (#64983479) Homepage Journal

      It really depends what you keep on your phone and who your adversary is. If you are planning some light treason, you might consider this a factor. If you are only concerned about theft, the good news is that these days most phones are fairly resistant to the thief getting into your stuff.

      • by PPH ( 736903 )

        most phones are fairly resistant to the thief getting into your stuff.

        Quite a few thieves don't want "your stuff". They just want your phone. And are willing to kill for it.

        It's getting very easy to clone phones to get "your stuff" now that eSIMs are becoming widespread.

        • by AmiMoJo ( 196126 )

          How does cloning your phone help get your stuff? Surely you aren't using SMS for 2FA or something?

          • by PPH ( 736903 )

            Surely you aren't using SMS for 2FA or something?

            Personally, no. But there are a lot of businesses that assume everyone will do so. And freak out if you don't give them your cell number or have a phone that doesn't do "apps", or scan QR codes.

            • by gweihir ( 88907 )

              Well, if you trust a business using crappy, outdated "IT security", then maybe that is a problem on your side?

              There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

              • by PPH ( 736903 ) on Sunday December 01, 2024 @04:14PM (#64983761)

                Well, if you trust a business using crappy, outdated "IT security"

                Businesses change over time. My bank went from passwords to browser/IP fingerprinting. And now they look at me with a sad face when I tell them that my phone doesn't support their banking app.

                Even Slashdot has added:

                This page could not be loaded due to incorrect / bad filtering rule(s) of adblocker

                ... just to remind us that advertisers will now be tracking us as a part of their agreement.

                There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.

                It's not 2FA. It never was. They want your cell number for tracking purposes.

              • And yet for consumer level applications, SMS is still an option for 2-factor authentication in most cases. People are still accessing accounts using SMS 2FA all over the world...

                • by gweihir ( 88907 )

                  "Option" as in "can be done". It is a bad, insecure option. Worse, it pretends to be secure 2FA and will make people believe they have strong 2FA. Do not use it.

          • I generally don't have a choice in the matter. Where I do have a choice, I don't use SMS.

      • Well I wouldn't say you're entirely wrong, but.. two things.

        I can't recall where I read recently, probably here, that thieves are grabbing iPhones out of people's hands on the subway etc, and then just selling them for parts (the screen in particular) ... so basically the phone hardware is shipped to China for the screen, and thief gets a minimal amount, but enough to motivate them to steal.

        But secondly, I'd like to point out the real problem here is that the real adversaries are your service providers.. App
        • by AmiMoJo ( 196126 )

          I don't disagree, but in terms of information security if your phone gets stripped for parts then your data is still safe.

    • Also, for the same reasons, don't use a desktop computer, or browse the web (and especially not slashdot!), or connect to the internet for any reason, or use Windows or Mac or Linux. Also, never buy anything anywhere with credit or debit, cash only. And never use a bank, keep your cash safely in your house. Never walk outside, cameras are watching your every move. There are still some places in Canada's Northwest Territories where you can live free of surveillance, and maybe some parts of west Texas. In thos

      • by gweihir ( 88907 )

        Are you functionally illiterate? I wrote "do not _trust_ your phone", not "do not _use_ your phone".

        • Sure, but if you don't trust your phone, why would you use it?

          You mention, for example, 'don't trust it with your location.' Well, that means you need the cellular modem turned off, as the protocol is designed to use tower triangulation to determine your location.

          Also, can't use the wifi, thanks to the aforementioned cellular triangulation being used to build a database of the locations of visible SSIDs.

          So now you have a phone that you can't use as a phone.

          • by gweihir ( 88907 )

            Sure, but if you don't trust your phone, why would you use it?

            Is this a serious question? Have you _ever_ heard of risk management?

            • Well, yes, I have. I'm trying to explore your ideas of acceptable risk, as well as explore if you actually understand the risks.
        • I don't see the difference, you can't *use* your phone unless you *trust* it at least to some degree.

          How are you going to *use* it for navigation, unless you "trust" it with your location? Even for cellular or wifi communication, you have to "trust" it with your location. The Austin package bomber was tracked through cell tower triangulation, not GPS location. https://www.cazayouxewinglaw.c... [cazayouxewinglaw.com].
          How are you going to *use* it to take photos, unless you "trust" it to keep your private photos private?

          What exactl

      • You could move to National Radio Quiet Zone in WV.

  • by ZipK ( 1051658 ) on Sunday December 01, 2024 @01:19PM (#64983509)
    Wouldn't the sale of these tools violate the DMCA?
  • The word the editor was looking for was "which" not "what." SMH.
  • by whoever57 ( 658626 ) on Sunday December 01, 2024 @02:15PM (#64983587) Journal

    I see that Android (Pixel phones, at least) has an option to revert to before first unlock if it doesn't have a network connection for some time. I assume this is aimed at making things more difficult for the police to use tools like Graykey.

    Combined with a remote wipe capability, what do the police do? Keep it in a Faraday cage and allow the phone to go to before first unlock, or allow it network access and risk a remote wipe?

    • by timonak ( 800869 )
      iOS 18 also reboots to get back into BFU mode after 72 hours of inactivity. Are you sure the Pixel requires network blackout to reboot? It's probably doing the same thing as iOS and rebooting on device inactivity. And this makes things significantly more difficult to attack because the user partition (where your data is stored) isn't mounted. Your credentials are needed to unlock the secure enclave to get the decryption key. The police already keep your phone in a Faraday cage to prevent remote wipes
  • > unlocked at least once since being powered on

    Does Android not securely clear keys from memory on reboot?

    Opsec wise it's important to say powered-on or booted precisely.

    But there's no battery switch so who knows.

  • Unless you are running old software, it won't be able to get much. On either Android or iOS
  • .... from mid-November.
  • Leaked Documents Show Which Phones Secretive Tech 'Graykey' Can Unlock

    It refers to a finite field of items. The correct word to use is "which".

  • You cannot trust any device and never could.
    • There are different levels of trust.

      Trust that law enforcement can't break in? No, not a good idea. On the other hand, doing so costs them money, so they aren't going to do it to just anybody. To be on their radar, you have to have done something pretty serious.

      Trust that it will securely manage your bank accounts or payment methods? That's reasonably safe, as long as you properly lock your phone.

  • Related discussion on GrapheneOS:
    https://discuss.grapheneos.org... [grapheneos.org]
