Hide UI, the new Grayshift tool, lets you extract passcode from locked iPhone
The GrayKey tool, designed to allow police and other entities to access locked iPhones, has acquired new features with which you can capture device lock code. A fact that would be achieved by installing malware on the phone before returning it to the suspect.
From brute force to ignorance
We have known about GrayKey for a long time, a tool developed by the Grayshift company that allows brute force attacks on the phone to access and access data. In terms of complexity of password access time varies. It takes about two hours to access a phone protected by a six-digit code, for a six-digit code the wait can be up to three days. Passwords with letters and numbers, even if they are only six characters long, would represent years, if not centuries.
Given the situation, Grayshift developed new software which he named Hide UI. With this software, there is no need to attack the password by brute force, but capture it when user enters it.
NBC explains it like this:
Law enforcement officials must install the undercover software and then prepare the ground for returning a seized device to the suspect, people familiar with the system said.
For example, a law enforcement official might tell the suspect that he can call his lawyer or get the phone numbers for the device. Once the suspect has done this, even if you lock your phone again, Hide UI will have stored the password in a text file which can be extracted the next time the phone connects to the GrayKey device. Law enforcement can use the password to unlock the phone and extract any data stored on it.
Undoubtedly, the practice, as John Gruber comments, is based on lack of owner knowledge From the device:
Anyone who trusts their device after knowing it’s in the hands of the police is a fool. You’d have to be stupid enough to fall in love with it, but there are a lot of stupid people out there.
Although police forces are only supposed to have access to information if they have a warrant NBC could not find a search warrant indicating that hide user interface.
How to audit our passwords for websites and apps
There is no doubt that the debate between access by search warrant and abuse is divided by a very thin line. Apple has been clear on this: “you can’t create access just for good,” the bad will sooner or later find it.