A previously undisclosed Grayshift tool allows law enforcement agencies to capture an iPhone passcode when the owner uses it to unlock their phone. This is done by surreptitiously installing malware on the device before handing it back to the suspect.

We knew Grayshift’s GrayKey box could brute-force iPhone passcodes, but we’re learning for the first time about this additional capability, which has seemingly been available for at least a year …

The average time taken by GrayKey to crack an iPhone passcode was reportedly around two hours, but it could sometimes take three days or more for a 6-digit passcode. Longer passcodes using a combination of letters, numbers and symbols cannot be brute-forced in any practical timeframe.

NBC reports that it is this fact which prompted demand for an alternative approach.

Another tool, previously unknown to the public, doesn’t have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement […]

Law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect, said the people familiar with the system […]

For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.

As John Gruber observes, the deception relies on criminals being dumb.

Anyone who trusts their device after they know it’s been in the hands of law enforcement is a fool. You’d have to be pretty stupid to fall for this, but there are a lot of stupid people out there.

A police friend once observed that criminals pretty much have to be dumb: in most cases, their average income is below minimum wage, and they risk imprisonment for it.

Law enforcement officials with experience of Hide UI say that they only use it to capture an iPhone passcode when they have a search warrant, but doubts have been expressed about the legality of the approach.

NBC News did not find any search warrants that outlined the capabilities of Hide UI […]

“Failure to disclose what they are doing in terms that would be understood by the court is a huge problem constitutionally,” said Lance Northcutt, a Chicago-based lawyer and former prosecutor. “That’s assuming there are no abuses going on, which seems ludicrous to me” […]

Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society, [agreed].

“Law enforcement use of this ‘agent’ keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it. In general, I don’t think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized.”

About the Author

Ben Lovejoy's favorite gear