Yet another security company is pitching high-paying customers on the ability to possibly crack iPhones running a version of iOS 11, Forbes reports. US-based firm Grayshift is reportedly advertising access to a $15,00o tool called GrayKey that offers 300 attempts to access data on encrypted iPhones, while a pricier $30,000 version offers unlimited attempts.
As with Cellebrite’s claim last week, it’s unclear what specific version of iOS 11 may be vulnerable to the exploit possibly used by the security firm. For example, Grayshift could be targeting a vulnerability discovered in iOS 11.0 or iOS 11.1 that has been addressed in iOS 11.2 and later.
This is also an example of these types of firms competing against each other with such claims that do not have to be demonstrably proven.
Most customers shouldn’t be concerned with GrayKey as a security risk either. As Forbes notes, at this time the alleged exploit is quite costly so the run-of-the-mill attacker isn’t going to target just anyone without a large pay off on the other side, and the tool requires physical access to the device before the crack can be attempted.
The mention of limiting crack attempts at 300 for the $15,000 tier also implies that the method requires brute force to potentially work. According to marketing material reviewed by Forbes, that’s precisely what the firm is telling potential clients (like law enforcement) too:
iOS includes a few basic features to protect data from basic brute force attacks: time between passcode attempts increases more and more after multiple failed passcodes, and Settings -> Passcode –> Erase Data gives your iPhone permission to erase your data after 10 failed passcode attempts.
As ever, the best method to protect yourself against such vulnerabilities is to always update to the latest version of iOS (and avoid criminal activity). You can check for the latest security update for iOS here.
