This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here .
GrayShift is a new company that promises to unlock even iPhones running the latest version of iOS for a relatively cheap price.
In a sign of how hacking technology often trickles down from more well-funded federal agencies to local bodies, at least one regional police department has already signed up for GrayShift’s services, according to documents and emails obtained by Motherboard.
As Forbes reported on Monday, GrayShift is an American company which appears to be run by an ex-Apple security engineer and others who have long held contracts with intelligence agencies. In its marketing materials, GrayShift offers a tool called GrayKey, an offline version of which costs $30,000 and comes with an unlimited number of uses. For $15,000, customers can instead buy the online version, which grants 300 iPhones unlocks.
This is what the Indiana State Police bought, judging by a purchase order obtained by Motherboard. The document, dated February 21, is for one GrayKey unit costing $500, and a “GrayKey annual license—online—300 uses,” for $14,500. The order, and an accompanying request for quotation, indicate the unlocking service was intended for Indiana State Police’s cybercrime department. A quotation document emblazoned with GrayShift’s logo shows the company gave Indiana State Police a $500 dollar discount for their first year of the service.
Importantly, according to the marketing material cited by Forbes, GrayKey can unlock iPhones running modern versions of Apple’s mobile operating system, such as iOS 10 and 11, as well as the most up to date Apple hardware, like the iPhone 8 and X.
With that in mind, the Indiana State Police were keen to get hold of GrayKey as quickly as possible, according to emails obtained by Motherboard.
“This is a RUSH request because item is needed ASAP for evidence gathering for current cases. Please review and forward for approval,” one Indiana State Police official dealing with the purchase wrote in an email to a colleague on February 20. Motherboard obtained the cache of files through the Indiana Access to Public Records Act, which works in a similar way to the more well-known Freedom of Information Act (FOIA).
"This solution will be used from high profile murder cases to crimes against children cases where suspects are hiding their content from law enforcement. Even though law enforcement has a signed warrant from a judge we cannot gain access into the devices," one of the documents reads.
Braden Thomas, the former Apple engineer now at GrayShift, and David Miles, who is named as a member and co-founder of GrayShift in the documents, did not respond to requests for comment sent by Twitter direct message and email. A message sent through GrayShift’s website was not immediately answered.
That a particular company can unlock modern iPhones is not that interesting in and of itself. Over the years, other mobile phone forensics companies, and especially Cellebrite, have continued to reliably gain access to devices running more up to date versions of iOS—though Cellebrite has admitted that hacking iPhones has gotten harder. The cat-and-mouse game between consumer product developers like Apple, and those pushing to maintain access such as Cellebrite is an established dynamic, and forensic firms cracking into recent products should not come as a surprise.
What does make GrayShift’s iPhone unlocking service more important is the price. Whereas the FBI infamously paid around $1 million dollars to unlock an iPhone 5C running iOS 9 in 2016, authorities can now afford to break into up-to-date devices for around 1 percent of that price. Clearly, $15,000 is much more within the budget constraints of a regional or local police force, leading to all sorts of consequences for investigators working on crimes with locked phones, or perhaps the security advice given to protesters who may want to keep their phone’s contents secure. For context, one of the documents says Cellebrite quoted the Indiana State Police over $200,000 for a similar service.
And GrayShift is likely to rake in more customers from its decision to sell iPhone cracking tech at low prices. The cache of documents obtained by Motherboard also includes a sole source letter from GrayShift, explaining that GrayShift LLC is the only provider of its products, and that GrayShift owns exclusive distribution and marketing rights. For comparison, when Motherboard conducted a wide-spanning investigation of the proliferation of phone cracking technology across state police forces, we found a number of agencies purchased forensic gear through resellers.
“If there is anything else that is needed, just let me know. Thanks very much!” Miles wrote in an email to the Indiana State Police in February.
Update: This piece has been updated to include more information from the cache of documents.