Grayshift says it has defeated Apple's USB Restricted Mode allowing it to crack open any iPhone

Yesterday, we told you about a change Apple has said it will make in iOS 12 to the Lightning port's settings in order to reduce the ability of law enforcement and hackers to crack open a locked iPhone. Apple is calling this the USB Restricted Mode. Most cracking machines use the Lightning port to get around limits Apple has placed on the number of attempts cops and hackers have to figure out an iPhone user's password. This "brute force" process tries every possible combination of numbers and letters to open an iPhone. The change in iOS 12 stops the Lightning port from being used to communicate with another device if an iPhone has not been unlocked within the previous hour.

But before Apple could say "checkmate," Grayshift, the company that manufacturers the GrayKey cracking machine, says that it has already defeated the upcoming USB Restricted Mode. If true, that puts the ball squarely in Apple's court as pressure will mount inside Cupertino to respond with another way to prevent these machines from opening an iPhone so that law enforcement and hackers can access personal data inside it.

According to Motherboard, an email it has seen was sent this month by a forensics expert who was supposed to meet with Grayshift. The email says that Grayshift claims that it has defeated the Restricted USB Mode feature in a beta build of iOS 12. Additionally, the company made it clear that the GrayKey has many capabilities that it will be able to use in the future to stay one step ahead of Apple.

While Grayshift appears confident in its ability to defeat USB Restricted Mode, rival Cellebrite, not so much. VP of research at the Israeli firm, Shahar Tal, sent out a tweet today that read, "tmw (That moment when) 10 of the last 12 threads in my inbox have 'USB Restricted Mode' in the subject line, and you realize it's just the beginning."

source: Motherboard



1. TechNeck

Posts: 651; Member since: Aug 29, 2014

That was way too quick.

2. Papa_Ji

Posts: 851; Member since: Jun 27, 2016

Nothing surprising. iPhones are kids toy and Apple's everything is a gimmick.

5. iPhoneFanboy

Posts: 286; Member since: Apr 21, 2018

Android devices must be dog toys then, lol.

9. Dr.Phil

Posts: 2367; Member since: Feb 14, 2011

What security features does Android offer to stop hacks like this? I’m honestly curious.

12. RebelwithoutaClue unregistered

Brute force cracking over USB isn't possible by default since a user has to enable debugging over USB, which he only gets after enabling developer tools. Most users won't do that. And brute-forcing on the device itself is limited because, after a few tries, the phone will wipe itself. The locked bootloader is also a good step in preventing to access the data since it won't allow changing the recovery, boot and system partition. But there will be always flaws or bugs that hackers (or companies) can use to bypass security

17. yalokiy

Posts: 1000; Member since: Aug 01, 2016

And even with USB debug enabled, you get a pop-up on the phone to accept the key of device it has been connected to. With screen locked one would have to brake through that protection as well.

29. Dr.Phil

Posts: 2367; Member since: Feb 14, 2011

I did read an article on if the FBI had tried to hack an Android versus the iPhone in the San Bernardino attack and they found that Android is more susceptible to a remote attack versus physically having the phone. I’d think that Android being so open has that kind of drawback. But the other issue that Android has, as I’ve mentioned before, is the default messaging on an Android is text messaging which means you don’t even need physical access to get the info you need. Apple used iMessage which by default is encrypted and harder to obtain. Since majority of the information law enforcement need is what’s transmitted through texts I find this to be a huge deal that Android needs to address. They need to create a default encrypted messaging service.

30. RebelwithoutaClue unregistered

It's only encrypted when you message people that have an iPhone too. Otherwise, it would revert back to ordinary text messages. But I am pretty sure most people don't use text messages, at least not in my country where everybody uses Whatsapp. Btw iMessages are stored in the iCloud so while you are safe from hackers, the govt can ask Apple to reset the password and take a look at the messages in the iCloud. And you are right, especially older Android phones had major security flaws (like stagefright) that you don't even need physical access.

33. Dr.Phil

Posts: 2367; Member since: Feb 14, 2011

Yes but with the popularity of iPhones, the usage of iMessage is very prevalent. Also, iMessage storage in the iCloud could be disabled and it uses end to end encryption so that when it does touch iCloud servers it shouldn’t be decipherable until it’s opened by a decrypting key on the receiving device. If that were the case then the government wouldn’t have made a huge brouhaha over the San Bernardino iPhone and would’ve just simply asked Apple for the info on the servers. They were mostly interested in seeing what texts were being sent in case of a second person involved.

11. RebelwithoutaClue unregistered

Oh please grow up. You can say what you want about Apple, but their smartphone device is more secure than your average Android phone.

18. yalokiy

Posts: 1000; Member since: Aug 01, 2016

I wish there were smartphone pwn2own fests organized for iphones, pixels and galaxies. galaxies have knox, wonder how much that improves the security. With monthly updates I guess android security should be on par with ios (or even better?). After all, android is based on linux kernel, which has selinux and all type of government security standards certifications (speaking of redhat EL).

25. yalokiy

Posts: 1000; Member since: Aug 01, 2016

True, but generally, the pwn2own is more about browsers.

3. AVVA1

Posts: 228; Member since: Aug 01, 2017

Either they're bluffing or damage control. Besides iOS 12 is still not on GM or officially released the fact that this still in beta means Apple can close the possible "exploit" which grayshift uses before official release in fall. Also, Apple can actually take advantage of this and patch it, similar to what Apple did to Jailbreak they made it pretty difficult to JB idevices (but still possible).

4. drunkenjay

Posts: 1671; Member since: Feb 11, 2013

doubt it. where theres always a way to crack it even if apple patches it. thats why jailbreaking still work and hackers are still make billions.

6. mootu

Posts: 1520; Member since: Mar 16, 2017

How can Apple close the "exploit" when Grayshift have not stated how they are doing it. I highly doubt it's bluffing or damage control, hackers like these guys are usually one step ahead.

7. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

They can't be one step ahead a security method that is yet to be implemented.

13. Back_from_beyond

Posts: 1421; Member since: Sep 04, 2015

If they have managed to defeat the feature in the beta build of iOS12, odds are they can do the same in the final build, especially if they keep the method hidden for the time being. It's no different from the jailbreaking community saying they had enough exploits to keep jailbreaking iOS for years and they still do. Keep those exploits hidden from Apple and you're set.

23. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

In the released beta, Apple has already implemented a security method, which means the hackers are one step BEHIND.

26. Back_from_beyond

Posts: 1421; Member since: Sep 04, 2015

Yeah the new feature is the one they claim they've already defeated. The one where you have to unlock your phone to allow data transfer via USB, that supposed new security feature is the one they can get past already without unlocking it. What are you not getting about that?

34. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

That particular feature is already implemented (even in beta, it means that it's an implemented feature) so the hackers are BEHIND. There is going to be a future protection method that hackers will have to find a way to hack, but they will also be doing that AFTER Apple implements it. Which means that the hackers will always be one step behind.

19. yalokiy

Posts: 1000; Member since: Aug 01, 2016

As the security method is not yet applied on any device, so far hackers can crack any ios device.

10. Dr.Phil

Posts: 2367; Member since: Feb 14, 2011

Even if it were to be the case, Grayshift works off brute force. If you use an alphanumeric it’ll take years to hack your device, as I’ve mentioned in articles before. Considering your passcode is just a backup in case you can’t get in via fingerprint or Face ID, I would highly recommend an alphanumeric password as a login. It ensures that if you ever had your phone seized that it would take years to unlock which hopefully by that time they just give up.

20. yalokiy

Posts: 1000; Member since: Aug 01, 2016

If it is indeed by brute force, I totally agree! Should be at least 10 chars long and preferably using lower and upper case letters + digits.

8. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

This is going to make Apple to allow data transfer through lightning only after the user inputs the password or uses touch ID.

14. Back_from_beyond

Posts: 1421; Member since: Sep 04, 2015

And what good will that do if the method used by them, uses an exploit that has nothing at all to do with the actual security feature? Putting it behind password protection or Touch ID won't make any difference then.

24. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

If the USB data transfer is physically activated only by TID or the security code, there's nothing a hacker can do. It's just like someone trying to send a data package to a device with closed WiFi.

27. Back_from_beyond

Posts: 1421; Member since: Sep 04, 2015

Of course there are ways to get past that block, it could be any number of things, whether a possible hardware exploit or a firmware exploit. iOS validates hardware upon connection so there already is some kind of data transfer. So chances are they found an exploit to use to get around the unlock feature.

35. Leo_MC

Posts: 7432; Member since: Dec 02, 2011

You're right, but I'm saying that nothing stops Apple from activating the USB hardware part of lightning only after entering TID/pass code.

31. tedkord

Posts: 17357; Member since: Jun 17, 2009

That's what was apparently already defeated.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit for samples and additional information.