Second shady company claims to have broken iPhone encryption

Posted Mar 9, 2018 by James Walker
Two new cybersecurity companies have reportedly broken Apple's iPhone encryption and are selling unlocking services. Last week, Israeli U.S. firm Cellebrite said it had developed the tech. Another company is now also providing unlocking services.
Apple Store on Fifth Avenue in New York
Kena Betancur, AFP
According to Forbes, the new company, called Grayshift, has successfully found a way to bypass the security protections on iOS 10 and iOS 11. Grayshift is actively selling its $15,000 unlocking kit, GrayKey, to interested police departments and government bodies. Each kit is licensed for 300 uses, with an unlimited option available for $30,000.
Forbes reports a source, who remained anonymous, confirmed they'd seen a demo of the GrayKey and that it successfully granted access to an iPhone X. Grayshift claims to be able to open any device running recent versions of iOS. It's currently working on making the GrayKey compatible with Apple's older iOS 9 platform, which Cellebrite already targets.
Breaking Apple's encryption has long been a matter of interest for police forces seeking data believed to be stored on devices. Apple has consistently refused to provide law enforcement with a backdoor to its phones. The company has maintained that there is no way to add a backdoor in a manner which couldn't also be exploited by attackers.
With both Cellebrite and Grayshift now claiming to have cracked Apple's Secure Enclave, iOS users may not be able to rely on their device's encryption. Police forces with the cash to spare are seemingly able to unlock devices, without having to involve Apple. The Secure Enclave, introduced with the iPhone 5s, has previously been successful in guarding the cryptographic keys that protect iPhone data.
Details of how the unlock tools work aren't clear. Neither Cellebrite nor Grayshift has publicly released any information on its products. Grayshift's website is a simple landing page, which states that GrayKey "is not for everyone." It includes a contact form to request access to the tool, which requires the interested individual to provide information on themselves and their organisation.
The company's mysterious outward presence is typical of cybersecurity companies that intend to work closely with law enforcement or the government. While this makes it difficult to confirm the authenticity of the tech, there is evidence to suggest Grayshift's claims are genuine. Forbes discovered that the company's staff includes seasoned cybersecurity professionals and an ex-Apple security engineer, which implies Grayshift likely has the skills to provide the services it claims to offer.