Instructions Show How Cops Use GrayKey to Brute Force iPhones

Newly released documents provide new insight into the capabilities of the iPhone unlocking tech.
Image: FCC
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

New written instructions for the iPhone unlocking tech GrayKey obtained by Motherboard provide more insight into the capabilities of the device, including whether GrayKey can unlock iPhones that are turned off or when the iPhone's battery is running low.

"How to unlock and EXTRACT DATA from Apple Mobile Devices with GrayKey," the instructions, seemingly written by the San Diego Police Department, read. Motherboard obtained the documents via a public records request.


Do you work at Grayshift or know anything else about the company’s products? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email

GrayKey, made by Austin-based Grayshift, is designed to unlock modern iOS devices and extract their contents. iOS devices are encrypted by default, meaning someone needs to have, or guess, the device's passcode to access some of the data stored on it. iOS devices protect themselves from brute force attacks, where a piece of software rapidly churns through passcode possibilities, but GrayKey can successfully brute force iOS devices in some cases. The company is constantly in a cat-and-mouse game with Apple, which tries to fix security issues that GrayKey takes advantage of. Local police around the country have bought GrayKey units, Motherboard has shown.


A list of options for GrayKey. Image: Motherboard.

The instructions open with asking readers to make sure they do have legal authorization to search the device; this can be in the form of a search warrant.


"Prior to connecting any Apple mobile device to GrayKey, determine if proper search authority has been established for the requested Apple mobile device," the document reads.

The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery.

"GrayKey known to install agent with 2 to 3% battery life," the document reads, referring to the "brute force agent" GrayKey installs on the phone in order to unlock the device.


Instructions on how to use GrayKey to brute force an alphanumeric passcode. Image: Motherboard.

When running the GrayKey, users have various options around what sort of data they want to collect from a linked iOS device or how they want to extract it, the instructions show. Those include extracting metadata for inaccessible files, and "immediate extraction when SE-bound passcode," presumably referring to the Secure Enclave, the part of iOS devices that stores sensitive material such as passcodes.

One section of the instructions also describes how to brute force an alphanumeric passcode. Many iPhone users have purely numerical passcodes, only made up of numbers. An alphanumeric passcode also uses letters, so has more characters options, and can generally be more resilient to brute force attempts if it uses a random series of characters. If the device uses an alphanumeric passcode containing real words however, that may make cracking the passcode easier thanks to word lists; long lists of human readable words.


Instructions describing what conditions allow for a GrayKey connection. Image: Motherboard.

"An alphanumeric passcode on Apple Mobile Device will be automatically detected by GrayKey and require additional actions by the analyst," the instructions read. The instructions say that the analyst will have the option to use the default wordlist called "crackstation-human-only.txt," perhaps referring to a wordlist released by the password security website Crackstation. That archive includes around 1.5 billion words. The instructions say GrayKey users can also import their own custom wordlists, but only one wordlist can be loaded at a time.

"If the brute force agent has successfully installed, Airplane mode will be activated, and the Apple mobile device can be disconnected or remain connected to the GrayKey unit for data extraction," the instructions read.

As part of a feature called HideUI, GrayKey also allows agencies to install the agent which surreptitiously records the user's passcode if authorities hand their phone back to them, NBC News reported.

Grayshift did not respond to a request for comment on the GrayKey instructions.

Subscribe to our new cybersecurity podcast, CYBER.