An obscure private company based in Atlanta called Grayshift is said to have developed the technology.
According to a director of the company Malwarebytes, the Grayshift business was founded in 2016, and has fewer than 50 employees. It was started by long-time US intelligence agency contractors and an ex-Apple security engineer.
The company is highly secretive, the front page of its website states 'Grayshift is not for everyone' and is protected by a portal that screens for law enforcement affiliation.
GrayKey is the company's flagship product. It's a portable device that can break into iPhones within minutes.
Marketing materials for the product were sent around private police and forensic groups. They offered two options: an online version that can be used 300 times and costs $15,000 or an unlimited offline version that costs $30,000.
The information claimed that GrayKey could work on the latest version of iPhones including the 8 and X.
The materials don't reveal what vulnerabilities GrayKey targets to access the phones but experts are saying that it most likely uses brute-force - a trail and error method used by programs to decode encrypted data.
'GrayKey is a gray box, four inches wide by four inches deep by two inches tall, with two lightning cables sticking out of the front,' Thomas Reed, a director at Malwarebytes said in a blog post.
'Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked.
'Some time later, the phones will display a black screen with the passcode, among other information.
'It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked.'
Reed explains that after the iPhone is unlocked the it's full contents are downloaded onto the GrayKey device and can be accessed online.
Mathew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute crunched the numbers to work out how long it would take the program to break in.
Unsurprisingly, the more digits a passcode had the longer it took to crack. A ten-digit passcode would take an average of 4629 days to crack but phones with four-digit passcodes could be broken within 6.5 minutes.
'Let’s not talk about the 4-digit option,' he tweeted below the results.
Concerned experts are worried about the implications of such a device for personal data.
While it is currently being used by law enforcement the device could be used to access personal data of innocent persons.
Users looking for extra security can also turn on a setting that wipes all data from the phone after 10 failed passcode attempts.
The Daily Mail
More about: Apple