I Told You So Department: GrayKey Hacked

Apple, bless its corporate heart, has continued to refuse to cooperate with U.S. demands for a backdoor to Apple’s iPhone. One of Apple’s reasons for refusing to sacrifice customers’ privacy is that secret back doors don’t stay secret. And now there is proof Apple was exactly right.

A company called Grayshift has stepped into the market niche, offering something called “GrayKey,” which hacks its way into an Apple iPhone. It’s a brute-force attack that bypasses Apple’s protection against multiple attempts to guess a password. The techniques are confidential, but it may be something as simple as creating an image of the iPhone’s memory and making guesses until the image is deleted. Rinse. Repeat. Anyway, Grayshift sells its GrayKey device to law enforcement for $15,000 a unit.

And now Grayshift has been hacked. Some of the source code for the GrayKey device has been posted on a public forum, along with a threat to post more source code unless a ransom is paid. The amount and extent of the hack are unknown. Grayshift has been minimizing the extent of the intrusion, but there is no way of knowing for certain.

But the incident perfectly illustrates Apple’s point. When you are weighing the danger of secrets being concealed from law enforcement, you have to weigh it against the risk that any means of giving law enforcement access to the concealed information will be hacked, leaked or shared, destroying all privacy.

The GrayKey hack can be largely defeated by simply increasing the length of your password from six to ten digits.

But, again, that’s not the point. Tim Cook and Apple are right: the “cure” for law enforcement’s demands is worse than the disease.