GrayKey: The best iPhone unlocker is now in the hands of police

It would appear that there's a new best way to break into a locked iPhone as of this February. Back in February of this year, the startup known as Grayshift sent out an announcement of a new sort of device they'd whipped up. They had a device that apparently unlocked an iPhone – any iPhone – so that said iPhone could be rummaged through and utilized by law enforcement. Or, say, less-than-reputable persons. Of course, they'd never say they were all about such things at Grayshift.

Back in early March, word got out that Grayshift was shopping around a device called GrayKey. In a Motherboard investigation released this week, it seems obvious that this company's well on their way to being the most-used solution for breaking into iOS devices by law enforcement across the United States. A report from Malwarebytes showed a photo of the device, complete with in-use screenshots.

"The existence of the GrayKey isn't hugely surprising, nor is it a sign that the sky is falling," said Malwarebytes' Thomas Reed. "However, it does mean that an iPhone's security cannot be ensured if it falls into a third party's hands." Reports in March suggested that one employee at Grayshift is (or was) Braden Thomas, a former Apple security engineer.

Documents acquired by Motherboard showed federal agencies and police forces across the United States in negotiations – or at least preliminary talks – to acquire the GrayKey device. The good news is that GrayKey isn't selling their devices to just anyone – and they aren't selling their devices cheap.

One device rings in at $15,000 and can unlock a total of 300 phones. This cheaper device requires online connectivity – presumably to connect to Grayshift's servers to run their cracking software over said web connection.

The other device costs $30,000 and has an unlimited number of phone unlocks. This more expensive device works offline. Both devices are apparently able to unlock any iPhone, even the newest models running iOS 11, in between 2 hours and 3 days. The longer end of required processing seems to be reserved for those devices with 6-digit passcodes.

As yet, no evidence has turned up showing Grayshift as willing to sell their device to groups or persons with malicious intent. However, since Grayshift is so secretive, there's little documentation to be had in the first place. Until the company comes out of the dark a bit more than they have now, we'll be unable to get a grasp on the full extent of their business.