Grayshift Customer Leaves iPhone Cracking Box Exposed, Data Breach Ensues


iPhone cracking box maker Grayshift has a customer or two who don’t know how to secure their Grayshift boxes, with the result being a data breach. Color me surprised. No, wait. Not surprised. What’s that other one? Oh, right. Completely unsurprised in any shape, manner, or form.


A Grayshift GrayKey on an iPhone

Crooked R Us

And the data breach resulted in a semi-public attempt at extortion by the not-very-good-at-extortion thieves. They asked for the princely sum of 2 Bitcoins—or more, if Grayshift felt like paying more—to keep this little matter quiet. That was about $18,500 at the time of the attempt, or a little more than the price of the cheapest Grayshift box.

Pro Tip: Nothing says “I don’t really have anything you want” like not asking all that much for it.

In any event, Vice’s Motherboard covered all this, including ferreting out an image of the ransom note:

GrayShift Extortion Letter

TEH AWSEOME RAMSON NOT

According to Motherboard’s reporting and Grayshift’s statement, it was a Grayshift customer who didn’t have their GrayKey cracking box configured correctly, and that left some GUI code exposed, but not anything important. Here’s that Grayshift statement:

During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access.

Backdoors Bad

OK, let’s assume they’re telling the truth, and that none of the important code that makes a GrayKey do what it does—crack open iPhones—was stolen. The incident would still be a pitch-perfect rendition of why having backdoors (or cracks) is such a bad idea, even if limited to law enforcement. Someone is going to mishandle it—at best—or abuse it—at worst.

We already know, for instance, that $30,000 versions of the GrayKey that can run anywhere have been walking out the other kind of backdoor, the one that leads to someone with access selling the box to someone who shouldn’t have access.

And Grayshift itself gets a lot more of the blame than they’d like for allowing this dangerous device to be misconfigured so easily. Motherboard, for instance, found at least one more GrayKey similarly exposed on the Interwebs in the course of researching this story. The company says they “implemented changes,” but maybe a device that can crack open an iPhone should have been harder out of the box.

Crime Doesn’t Pay

The good news is that Grayshift didn’t pay the would-be ransomeers—at least the Bitcoin addresses supplied for the payoff haven’t gotten any Bitcoin. That suggests the company was being honest about the breach not getting any of the good stuff.

wab95

The good news is that GrayShift didn’t pay the would-be ransomeers—at least the Bitcoin addresses supplied for the payoff haven’t gotten any Bitcoin. That suggests the company was being honest about the breach not getting any of the good stuff. Whew! Thank goodness we dodged that bullet, eh Bryan? I don’t know about you, but I’m feeling better already, knowing that all the rest of these GrayKey thingees are only in the hands of responsible, incorruptible, scrupulous, trustworthy people with the highest integrity, and that all are duly accounted for. No telling what might happen if it weren’t so, eh? Now,…

pjs_boston

Hey Grayshift, has anyone ever told you that Karma is a b*tch?