Categories
Hack Hardware iOS iPhone News security

Grayshift confronts extortion demands after parts of GrayKey source code stolen, published online

It helps to keep your proprietary source code same.

Grayshift, the firm responsible for the GrayKey iPhone hacking tool, has been targeted an extortionist after its product’s source code was inadvertently exposed to the internet last week.

An unknown third party seems to have stolen GrayKey’s source code and leaked part of it online. The pay included a message threatening to distribute more of GrayKey unless Grayshift places two Bitcoin, currently worth about $19,000, into a secure account.

The company confirmed the breach, but says no sensitive data was exposed in the incident.


Grayshift offered the following comment in a recent statement:

“Due [to] a network misconfiguration at a customer site, a GrayKey unit’s UI was exposed to the internet for a brief period of time earlier this month. During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access.”

Grayshift has since maintained the hackers failed to glean code responsible for operating a GrayKey box, or functional code responsible for cracking an iPhone.

The GrayKey device debuted recently as a cost-effective digital forensics solution designed specifically to unlock password-protected iPhone hardware. Advertised in two “flavors,” GrayKey is available as an internet-connected, limited-use unit for $15,000, while an unrestricted standalone version sells for $30,000.

The device is also currently able to work around iOS’s mechanism in which the operating system institutes a mandatory pauses after four consecutive attempts, running from one minute for a fifth unsuccessful attempt to one hour for the ninth consecutive error. An additional protection allows iPhone owners to wipe their device on a tenth unsuccessful attempt.

GrayKey, in turns, has been shown to bypass each failsafe, including the automated data erasure option and has been proven capable of unlocking devices up to iPhone X running iOS 11.3. The device has generated interest from the law enforcement market, though specific numbers of orders for the device have yet to be released.

The announcement is troubling not only for Grayshift, but for iPhone owners as well. If the hackers were able to secure GrayKey’s source code, as they claim, the information could theoretically be acquired by unscrupulous organizations or individuals. Indeed, the extortionists have set up a secondary address to accept Bitcoin offers from “wild bidders” interested in procuring the alleged code. Of course, this second address could merely be a ploy to push Grayshift into paying the ransom, but the specter of a fully developed iPhone unlocking tool floating in the wild remains.

So far, neither account has received payment, the report said.

Stay tuned for additional details as they become available.

Via AppleInsider and Motherboard