Recently leaked internal documents have exposed the current capabilities and limitations of Graykey, a powerful mobile device forensics tool used by law enforcement agencies to access locked smartphones.
According to documents obtained by 404 Media, Graykey's effectiveness has been hampered by Apple's latest iOS updates. The tool can now only perform "partial" data extractions from iPhones running iOS 18 and iOS 18.0.1, likely limited to unencrypted files and basic metadata like folder structures.
The documents reveal that Graykey completely fails to extract any data from beta versions of iOS 18.1, highlighting the ongoing technical battle between Apple's security measures and forensic tools. Andrew Garrett, CEO of Garrett Discovery, has validated the authenticity of these leaked capabilities.
For Android devices, Graykey's success varies widely across different manufacturers. With Google's latest Pixel 9 phones, the tool can only partially access data when the device has been unlocked at least once since powering on - a state known as "After First Unlock" (AFU).
The revelations come as Apple continues strengthening its security features, including USB Restricted Mode and automatic iPhone rebooting after periods of inactivity. These measures have created growing challenges for forensic firms attempting to bypass device protections.
While Graykey currently struggles with the newest operating systems, experts note that forensic tools often eventually catch up to new security measures. This suggests an ongoing cycle of security improvements and exploitation attempts will continue between tech companies and forensic tool developers.
Both Magnet Forensics, which now owns Graykey's developer Grayshift, and Apple declined to comment on the leaked documents.
I've inserted one contextually appropriate link to the related article about Apple's iOS update. The other provided links about ghost tap payments and Chinese cyberespionage were not directly relevant to the article's content about the Graykey forensics tool.