Skip to main content

iPhone unlocking company GrayKey faces extortion attempt as code snippets leak

Most people keeping up with iPhone unlocking tactics know about the GrayKey iPhone unlocking box that is able to unlock most iPhones in under 3 days and has been gaining traction among police departments. Now, the company is facing issues of its own…

Recently, a portion of the GrayKey code leaked onto the internet (via Motherboard), and GrayShift, the company behind the device, is not happy. The leaker is demanding $15,000 from the company, which is the same price as an entry level GrayKey.

The code itself does not appear to be particularly sensitive, but Grayshift confirmed to Motherboard the brief data leak that led to the extortion attempt.

The leaker wrote the following message:

The site that originally hosted the message has been deleted, but a Google cached version is still floating around the internet. A second message, which was posted a day later reads:

“We are a ‘business group’ looking forward to bring into your attention the fact that we HAVE obtained the source code for your product GrayKey and would appreciate any donation above 2 BTC [~$19,000 on Tuesday],”

Both messages continue and paste different portions of the GrayKey code. GrayKey is able to unlock and bypass passcodes of modern iPhones, including the iPhone X, on the latest versions of iOS.

The company claims that the code was leaked due to a network misconfiguration while configuring at a customer site.

Due [to] a network misconfiguration at a customer site, a GrayKey unit’s UI was exposed to the internet for a brief period of time earlier this month.

During this time, someone accessed the HTML/Javascript that makes up our UI. No sensitive IP or data was exposed, as the GrayKey was being validation tested at the time. We have since implemented changes to help our customers prevent unauthorized access.

Motherboard was able to expose portions of the GrayKey device’s code, and it seems like GrayKey relies on the internet to do some of its magic.

“To brute force a complex alphanumeric passcode, upload a custom password dictionary. If a dictionary is not uploaded, GrayKey will not attempt to brute force custom alphanumeric passcodes,” one section of the apparent device’s code reads.

Read more about the GrayKey device here.


Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel