iPhone-cracking-box maker Grayshift has a customer or two who don’t know how to secure their Grayshift boxes, with the result being a data breach. Color me surprised. No, wait. Not surprised. What’s that other one? Oh, right. Completely unsurprised in any shape, manner, or form.
Crooked R Us
And the data breach resulted in a semi-public attempt at extortion by the not-very-good-at-extortion thieves. They asked for the princely sum of 2 Bitcoins—or more, if Grayshift felt like paying more—to keep this little matter quiet. That was about $18,500 at the time of the attempt, or a little more than the price of the cheapest Grayshift box.
Pro Tip: Nothing says “I don’t really have anything you want” like not asking all that much for it.
In any event, Vice’s Motherboard covered all this, including ferreting out an image of the ransom note:
According to Motherboard’s reporting and Grayshift’s statement, it was a Grayshift customer who didn’t have their GrayKey cracking box configured correctly, and that left some GUI code exposed to the Internet, but not anything important. Here’s that Grayshift statement:
OK, let’s assume they’re telling the truth, and that none of the important code that makes a GrayKey do what it does—crack open iPhones—was stolen. The incident would still be a pitch-perfect rendition of why having backdoors (or cracks) is such a bad idea, even if limited to law enforcement. Someone is going to mishandle it—at best—or abuse it—at worst.
We already know, for instance, that $30,000 versions of the GrayKey that can run anywhere have been walking out the other kind of backdoor, the one that leads to someone with access selling the box to someone who shouldn’t have access.
And Grayshift itself gets a lot more of the blame than they’d like for allowing this dangerous device to be misconfigured so easily. Motherboard, for instance, found at least one more GrayKey similarly exposed on the Interwebs in the course of researching this story. The company says they “implemented changes,” but maybe a device that can crack open an iPhone should have been harder to misconfigure out of the box.
Crime Doesn’t Pay
The good news is that Grayshift didn’t pay the would-be ransomers—at least the Bitcoin addresses supplied for the payoff haven’t received any Bitcoin. That suggests the company was being honest about the breach not getting any of the good stuff.