Snippets of GrayKey's iPhone unlocking code got leaked, extortionists are demanding payment of 2 BTC

[captain_to_fire]

 

 

Sources: 9to5 Mac, Motherboard (Vice)

 

Quote

 

Recently, a portion of the GrayKey code leaked onto the internet (via Motherboard), and GrayShift, the company behind the device, is not happy. The leaker is demanding $15,000 from the company, which is the same price as an entry level GrayKey.

The code itself does not appear to be particularly sensitive, but Grayshift confirmed to Motherboard the brief data leak that led to the extortion attempt.

The leaker wrote the following message:

The site that originally hosted the message has been deleted, but a Google cached version is still floating around the internet. A second message, which was posted a day later reads:

“We are a ‘business group’ looking forward to bring into your attention the fact that we HAVE obtained the source code for your product GrayKey and would appreciate any donation above 2 BTC [~$19,000 on Tuesday],”

Apple is probably like "Damn it! That was close!" At the time of writing this post, 2 BTC is still almost equal to $19,000. GrayKey is known to sell black boxes that can unlock any iPhone by brute forcing passwords by dictionary attacks as explained by cybersecurity company Malwarebytes. 

Quote

Using the computer search engine Shodan, Motherboard found a seemingly exposed GrayKey device, broadcasting similar chunks of code to the open internet.

 

"To brute force a complex alphanumeric passcode, upload a custom password dictionary. If a dictionary is not uploaded, GrayKey will not attempt to brute force custom alphanumeric passcodes," one section of the apparent device's code reads.

 

At the time of writing, the Bitcoin addresses the extortionists gave for Grayshift to deposit the payment have received no funds. The unknown party also included a separate address for "wild bidders" who want all of the GrayKey information to be released. This address has also seen no payment.

Just like any IoT vendor, any device connected to the internet can be hacked that seems to what happened here;

Quote

Due [to] a network misconfiguration at a customer site, a GrayKey unit’s UI was exposed to the internet for a brief period of time earlier this month. During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access.

It sucks that their entire code didn't got leaked and only snippets are available. Just like with any ransom attempt, do not pay the ransom though I have a feeling if GrayShift's entire code got uploaded then they might actually consider paying the extortionists. So to all iPhone owners, make sure you install updates to keep your device secure and use unique passcodes/passwords that aren't birthdays. Also, enable the anti-brute force feature of the iPhone which will secure wipe all data after accumulating 10 failed attempts.

 

Settings>Touch ID & Passcode > enable "Erase Data"

 

And for Apple's side, I think what they should do is add an option to automatically deny any data transfer to any device connected to the iPhone in high risk scenarios and can only be disabled by a reboot and entering the passcode which is similar like how IT personnel disable USB drives in workstation computers to thwart targeted attacks. 

 

[AlwaysFSX]

Only 2 BTC? I'm sure they could ask for more with how damaging this could be.

[captain_to_fire]

34 minutes ago, AlwaysFSX said:

Only 2 BTC? I'm sure they could ask for more with how damaging this could be.

But it's only snippets. 

Edited April 25, 2018 by captain_to_fire

[79wjd]

11 minutes ago, captain_to_fire said:

Also, enable the anti-brute force feature of the iPhone which will secure wipe all data after accumulating 10 failed attempts.

That can't possibly prevent the attack.....can it? If it incremented the counter then it would be terrible for brute forcing an iPhone even without that restriction anyway due to the timeouts.

3 minutes ago, captain_to_fire said:

But it's only snippets. 

They're threatening with the snippets, but they have the entire source code.

[Guest]

They should try for real money. 

[captain_to_fire]

1 minute ago, RorzNZ said:

They should try for real money. 

This is just me wearing a tin foil hat at the moment but it could be Apple behind the code leak from Gray Shift. It's not far-fetched that Apple will do something so cutthroat just to protect their iPhone users. 

[AlwaysFSX]

7 minutes ago, captain_to_fire said:

But it's only snippets. 

A little bit of code can do a lot of damage.

6 minutes ago, RorzNZ said:

They should try for real money. 

Real money is a lot easier to trace.

[captain_to_fire]

13 minutes ago, AlwaysFSX said:

A little bit of code can do a lot of damage.

Or that little bit of code could lead to the next software update

[sazrocks]

GrayShift:

*creates “super secure” phone unlocker*

*gives said phone unlocker a web UI*

 

Me:

*bangs head on table*

[captain_to_fire]

11 minutes ago, VegetableStu said:

or that little bit of code is Public Static Void

It's probably the reason why GrayShift didn't pay the 2 BTC ransom demanded by the extortionists but then they could ask for more since they have GrayShift's entire source code

Edited April 25, 2018 by captain_to_fire

[captain_to_fire]

29 minutes ago, djdwosk97 said:

They're threatening with the snippets, but they have the entire source code.

I have a feeling that someone from Apple pitches Craig Federighi and Tim Cook in buying the GrayKey source code so that they can reverse it and deploy a security update

[Maslofski]

demanding 2 monetary units as ransom just sounds sad

[ScratchCat]

I greatly doubt GrayKey will pay.  Firstly the extortionist(s) have not explicitly said they will delete the code only that GrayKey should pay if they wan't to keep the code "secure", which indicates that the extortionist(s) will keep a copy of the code.  Secondly even if the extortionist(s) said they would delete the code GrayKey would not be able to confirm this and the attackers would not benefit from deleting the code but would benefit from reselling the code.

 

Given the price demanded it could well be that the extortionist does not harbor malicious intent with the code (they would sell it on the black market for an order of magnitude more).

[Spotty]

Doesn't Apple themselves offer up to hundreds of thousands of dollars for someone who finds a security flaw in their devices under a bug bounty scheme? Shouldn't this code that can brute force their phones be valuable to Apple under this scheme?
Surely worth more to Apple than 2BTC.

[samcool55]

5 hours ago, djdwosk97 said:

That can't possibly prevent the attack.....can it? If it incremented the counter then it would be terrible for brute forcing an iPhone even without that restriction anyway due to the timeouts.

Depends what counter the graykey resets.

If it resets the try count then the 10 tries won't matter.

However if it resets the timer than it does prevent an attack.

 

Or it does something totally different, i don't know. It can't hurt to turn it on tbh.

My blackberry has the "10 tries or wipe" thing on by default and it hasn't accidentally wiped itself since i got it so imo it doesn't exactly hurt your daily use.

[captain_to_fire]

29 minutes ago, Spotty said:

Doesn't Apple themselves offer up to hundreds of thousands of dollars for someone who finds a security flaw in their devices under a bug bounty scheme? Shouldn't this code that can brute force their phones be valuable to Apple under this scheme?
Surely worth more to Apple than 2BTC.

If the extortionists apply and submit to Apple's bug bounty then yes those people holding the code can earn up to $200,000 which is indeed higher than 2BTC at the moment. Though I'm not ruling out the possibility that Apple got their hands dirty and pitching the thought of buying GrayShift's source code in the Dark Web. 

Quote

The program launches in September with five categories of risk and reward:

• Vulnerabilities in secure boot firmware components: Up to $200,000
• Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
• Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
• Access to iCloud account data on Apple servers: Up to $50,000
• Access from a sandboxed process to user data outside the sandbox: Up to $25,000

To be eligible for a reward, researchers will need to provide a proof-of-concept on the latest iOS and hardware. Although each category of vulnerability maxes out at the given rate, Apple will determine the exact reward amount based on several factors: the clarity of the vulnerability report; the novelty of the problem and the likelihood of user exposure; and the degree of user interaction necessary to exploit the vulnerability.

Though it seems that Apple is a bit selfish in paying out security researchers https://9to5mac.com/2017/07/06/apple-bug-bounty-program-payouts/

Edited April 25, 2018 by captain_to_fire

[MotionFlex]

5 hours ago, captain_to_fire said:

Though it seems that Apple is a bit selfish in paying out security researchers https://9to5mac.com/2017/07/06/apple-bug-bounty-program-payouts/

The worst thing about that, is it seems their bug bounty program is still invite-only. So even if you find something, you might not even get paid.

[captain_to_fire]

4 hours ago, VegetableStu said:

man things like these. when does moralities end and justful retaliation begin...?

(personal question, by the way)

I guess if the ends justify the means? It’s just me speculating Apple stooping low. 

3 hours ago, MotionFlex said:

The worst thing about that, is it seems their bug bounty program is still invite-only. So even if you find something, you might not even get paid.

Well for the long time Apple has a strained relationship with security researchers. 

[BuckGup]

16 hours ago, RorzNZ said:

They should try for real money. 

How stupid. BTC is real money and it's  hard to trace. Yeah hey can you paypal me $15K to JohnSmithWhoLivesIhOhio@gmail.com K thankz

[AresKrieger]

Well then it will either be leaked or this was a bluff, either way it would be moronic to pay them.

[AnonymousGuy]

16 hours ago, djdwosk97 said:

That can't possibly prevent the attack.....can it? If it incremented the counter then it would be terrible for brute forcing an iPhone even without that restriction anyway due to the timeouts.

Comments in the article say that the automatic erase and incremental delay is from the OS talking to the secure enclave, and that if this tool directly interacts with the secure enclave through some hacked OS that it can do 1 guess per 80ms unrestricted.  Apple is probably just going to make the secure enclave independently be able to self destruct and enforce more security on the lightning port.