Thanks to an anonymous source, we now know what this mysterious device looks like, and how it works. And while the technology is a good thing for law enforcement, it presents some significant security risks. GrayKey is a gray box, four inches wide by four inches deep by two inches tall, with two lightning cables sticking out of the front. Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer is not mentioned. Even disabled phones can be unlocked, according to Grayshift. After the device is unlocked, the full contents of the filesystem are downloaded to the GrayKey device. From there, they can be accessed through a web-based interface on a connected computer, and downloaded for analysis. The full, unencrypted contents of the keychain are also available for download.So the phone is only connected to the box for two minutes, and then the phone itself displays the passcode after it’s cracked? If I’m reading this right, the box must jailbreak the iPhone and install the cracking software on the iPhone itself. I guess that would explain how they get around iOS’s (optional) wipe-after-10-wrong-guesses feature, as well as the escalating delays after a few wrong guesses. Hopefully Apple can figure out how to fix this jailbreak. If you’re concerned about this, you ought to switch to a stronger alphanumeric passphrase.
Thomas Reed, writing for the Malwarebytes Labs blog: