Leaked Documents Show What Phones Secretive Tech 'Graykey' Can Unlock (appleinsider.com)
- Reference: 0175570389
- News link: https://mobile.slashdot.org/story/24/11/30/2359220/leaked-documents-show-what-phones-secretive-tech-graykey-can-unlock
- Source link: https://appleinsider.com/articles/24/11/19/leak-what-law-enforcement-can-unlock-with-the-graykey-iphone-hacking-tool
> According to the data, Graykey can only perform "partial" data retrieval from iPhones running iOS 18 and iOS 18.0.1. These versions were released in September and early October, respectively. A partial extraction likely includes unencrypted files and metadata, such as folder structures and file sizes, according to past reports. Notably, Graykey struggles with beta versions of iOS 18.1. Under the latest update, the tool fails to extract any data, as per the documents.
>
> Meanwhile, Graykey's performance with Android phones varies, largely due to the diversity of devices and manufacturers. On Google's Pixel lineup, Graykey can only partially access data from the latest Pixel 9 when in an "After First Unlock" (AFU) state — where the phone has been unlocked at least once since being powered on.
Thanks to long-time Slashdot reader [3]AmiMoJo for sharing the article.
[1] https://appleinsider.com/articles/24/11/19/leak-what-law-enforcement-can-unlock-with-the-graykey-iphone-hacking-tool
[2] https://www.404media.co/leaked-documents-show-what-phones-secretive-tech-graykey-can-unlock-2/
[3] https://www.slashdot.org/~AmiMoJo
DMCA (Score:3)
Wouldn't the sale of these tools violate the DMCA?
Re:DMCA (Score:4, Informative)
No. Law enforcement has an exemption. It's the same reason political campaigns can spam you day and night via phone, text, or email and not pay a penalty. They exempted themselves from the spam rules.
Re: DMCA (Score:1)
> political campaigns can spam you day and night via phone
Why do people voluntarily include their phone number when registering to vote? They CAN do it because you provided it.
Re: (Score:2)
They don't all get your phone number from voter registration records.
Re: (Score:2)
It only applies to common folks.
Re: (Score:1)
Why would the DMCA have anything to do with something like this?
Which (Score:2)
The word the editor was looking for was "which" not "what." SMH.
After first unlock. (Score:3)
I see that Android (Pixel phones, at least) has an option to revert to before first unlock if it doesn't have a network connection for some time. I assume this is aimed at making things more difficult for the police to use tools like Graykey.
Combined with a remote wipe capability, what do the police do? Keep it in a Faraday cage and allow the phone to go to before first unlock, or allow it network access and risk a remote wipe?
Powered On or Booted? (Score:2)
> unlocked at least once since being powered on
Does Android not securely clear keys from memory on reboot?
Opsec-wise, it's important to say powered-on or booted precisely.
But there's no battery switch so who knows.
The solution is simple (Score:5, Interesting)
Do not trust your phone. No, really do not. Not even with your location. Learn to regard your phone as a portable listening and recording device that is not under your control.
Also, get one with a removable battery (which is a good idea anyways) and remove that battery whenever there is reason to.
That said, you can still use your phone for most things it is designed to do. Just be aware that it is not really _your_ phone.
Re:The solution is simple (Score:5, Interesting)
It really depends what you keep on your phone and who your adversary is. If you are planning some light treason, you might consider this a factor. If you are only concerned about theft, the good news is that these days most phones are fairly resistant to the thief getting into your stuff.
Re: (Score:2)
> most phones are fairly resistant to the thief getting into your stuff.
Quite a few thieves don't want "your stuff". They just want your phone. And are willing to kill for it.
It's getting very easy to clone phones to get "your stuff" now that eSIMs are becoming widespread.
Re: (Score:2)
How does cloning your phone help get your stuff? Surely you aren't using SMS for 2FA or something?
Re: (Score:2)
> Surely you aren't using SMS for 2FA or something?
Personally, no. But there are a lot of businesses that assume everyone will do so. And freak out if you don't give them your cell number or have a phone that doesn't do "apps", or scan QR codes.
Re: (Score:2)
Well, if you trust a business using crappy, outdated "IT security", then maybe that is a problem on your side?
There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.
Re: (Score:2)
> Well, if you trust a business using crappy, outdated "IT security"
Businesses change over time. My bank went from passwords to browser/IP fingerprinting. And now they look at me with a sad face when I tell them that my phone doesn't support their banking app.
Even Slashdot has added:
> This page could not be loaded due to incorrect / bad filtering rule(s) of adblocker
... just to remind us that advertisers will now be tracking us as a part of their agreement.
> There is not a single serious IT security catalog left that classifies SMS as real 2nd factor.
It's not 2FA. It never was. They want your cell number for tracking purposes.
Re: (Score:3)
Yeah, the html-load crap is quite annoying with /.
Re: (Score:2)
I generally don't have a choice in the matter. Where I do have a choice, I don't use SMS.