The Graykey Leak

Hey there, Joseph here with an unprecedented leak. We got the granular list of iPhone and Android devices that secretive phone unlocking tech Graykey can retrieve data from. We've seen leaks from Cellebrite before, but never Graykey. This is the best data yet on what phone cracking tools are actually capable of. The full story (and the documents themselves) follow below.

The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple’s mobile operating system, according to documents describing the tool’s capabilities in granular detail obtained by 404 Media. The documents do not appear to contain information about what Graykey can access from the public release of iOS 18.1, which was released on October 28. 

The leak is unprecedented for Grayshift, the highly secretive company which made the Graykey before being acquired by Magnet Forensics, another digital forensics company. Although one of its main competitors Cellebrite has faced similar leaks before, this is the first time that anyone has published which phones the Graykey is able, or unable, to access. 

The documents, which also break down the Graykey’s capabilities against Android devices, provide never-before-seen insight into the current cat-and-mouse game between forensics and exploit development companies like Magnet and phone manufacturers Apple and Google. 

This segment is a paid ad. If you’re interested in advertising, let's talk.

The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Member-supported since 1990, EFF champions user privacy, free expression, and innovation. EFF fights to ensure that technology supports freedom, justice, and innovation for all people of the world. Show your support with shirts, hats, totes, socks, cards, and more. Exclusive for 404 Media readers, we’re offering 20% off all items in our shop using coupon code 404MEDIA at checkout.

With iOS 18.0, released to the public on September 16, Graykey has “partial” access to data from the iPhone 12 right up to the latest iPhone 16 series. The same is true for those iPhones running iOS 18.0.1, which was released on October 3, according to the document. 

The document does not list what exact types of data are included in a “partial” retrieval and Magnet declined to comment on what data is included in one. In 2018, Forbes reported that a partial extraction can only draw out unencrypted files and some metadata, including file sizes and folder structures.

Still, the new document indicates Graykey is not able to obtain all of the data from modern iPhones. 

A screenshot of one of the documents showing Graykey capabilities against iPhones running iOS 18.0 and 18.0.1.

Graykey has much less capability with iPhones running beta builds, with the document saying “None” for various betas of 18.1 across all modern iPhone iterations. It is not clear if this is because at the time of the document’s creation Magnet researchers had not invested time into developing attacks against 18.1, or if 18.1 presented a significant security upgrade.

Apple has not released official figures for how many iPhones are running iOS 18 or 18.1. In an interview with CNBC in October, Apple CEO Tim Cook said that users had been adopting 18.1 at “twice the rate” they had with 17.1. 

The Graykey’s capabilities against Android devices are more mixed, likely due to the high level of variance between different Android devices which are made by a wide spread of companies. With Google’s own Pixel range of phones, the Graykey is able to only extract partial data on the most recent Pixel devices, including the Pixel 9 released in August, according to the document. This is specifically when the phone is in an After First Unlock (AFU) state, which is when somebody, which in many cases could be the phone’s owner, has unlocked the device at least once since it was powered on. That document shows capabilities up until October.

404 Media spoke to Andrew Garrett, CEO of digital forensics company Garrett Discovery, whose company often works on court cases that use evidence taken from mobile phones. “Garrett Discovery experts work on more than 500 criminal defense cases each year and this list is consistent with the capabilities and reporting from the GrayKey software,” Garrett said in an email.

404 Media also showed the iPhone document to a forensics industry source who has previously used Graykey. They said the document looked similar to what they have seen before, although they could not verify its current capabilities.

The documents make multiple references to version numbers of “AppLogic,” which is a term used by Magnet. In one job listing available online, Magnet writes that “the GrayKey AppLogic Team is growing! With this growth, we are looking for an individual that can help us integrate across more of the Magnet Forensics product lines.” Magnet’s website also links to documentation about AppLogic that is behind a login wall.

404 Media also cross-referenced capabilities listed in the documents with snippets of information available online. For example, the Department of Homeland Security tested Graykey in 2022 and found it could extract full data from an iPhone 11 running iOS 15.1. The document also says this. Magnet has also regularly announced it has been able to access previous iOS versions over the years, including 16 and 17.

A screenshot of one of the documents showing Graykey capabilities against iPhones running versions of iOS 17.

Earlier this year, 404 Media reported on a similar leak from Magnet competitor Cellebrite. Those documents showed that Cellebrite was unable to retrieve data from a sizable chunk of modern iPhones as of April 2024. Shortly after, a user on a privacy-focused forum posted another updated set of apparent Cellebrite documents, which showed that the company had caught up somewhat and was able to retrieve data from devices running iOS 17.5 and iOS 17.5.1.

In other words, although tools like Graykey or Cellebrite may not be able to retrieve any data from phones running operating system versions released a month or two earlier, historically they have eventually caught up and managed to get partial information from the phones.

That dynamic encapsulates the ongoing tension between forensic companies and mobile manufacturers. In 2018, Forbes first reported the existence of Graykey, which sent shockwaves through the forensic and law enforcement communities. At the time iPhones were broadly perceived as being exceptionally difficult to access, in part because two years earlier Apple refused to build a capability for the FBI to access the iPhone of the San Bernardino shooter. The Department of Justice dropped its lawsuit against Apple when Azimuth Security, a little-known but highly important government contractor, hacked the device for U.S. authorities.

The same year as Graykey’s public reveal, Apple experimented with a feature called USB Restricted Mode, which disabled the Lightning port if the iPhone hadn’t been unlocked or connected to a computer after a certain period of time. “You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point,” Braden Thomas, a former Apple security engineer who went on to work for Grayshift, explained in a customer-only message in 2018.

A screenshot of one of the documents showing Graykey capabilities against Google Pixel phones.

That caused some issues, but judging by the leaked Graykey and Cellebrite documents, the forensic companies found new solutions. Then earlier this month 404 Media reported that Apple quietly introduced code which was rebooting iPhones running iOS 18 and higher if they had not been unlocked for a certain period of time. The impact was that police were finding themselves locked out of devices they had seized for forensic examination. 

This is the status quo where the encryption debate has somewhat settled for the time being: forensics companies find exploits, Apple or Google fixes them or introduces new mitigations, and then the cycle continues. Arguably, that’s one reason large scale legal fights, like what happened in the aftermath of the San Bernardino attack, haven’t happened to the same extent again. 

Apple acknowledged a request for comment but stopped replying to emails seeking a statement. Google declined to comment. Rick Andrade, a spokesperson for Magnet Forensics, declined to comment. 

By 2020, Grayshift had launched a “mobile” version of its unlocking tool. In 2021, the company introduced support for cracking Android devices.

404 Media has uploaded versions of the documents here and here.