There’s a Shodan.io snapshot from when someone recently left their $15,000-$30,000 GrayKey iPhone password cracking device exposed to the internet. Whoops.

There is a hand-wavy article on Motherboard but we don’t care about that.

Some scammers want money:

Mr. David Miles, This is addressed to you and any other people interested in keeping GrayKey product secure and not available to the wide public. We are a “business group” looking forward to bring into your attention the fact that we HAVE obtained the source code for your product GrayKey and would appreciate any donation above 2 BTC sent to 1HGyaC8Yu9UtZbwxjYLhqVnwjVmT95aRDJ if you consider that keeping this information secure is crucial. Below BTC address will be monitored in the next 7 days waiting for any given donations. After the countdown ends, security on the available source code cannot be anymore assured by our group. You cannot contact us in any other form, rather than donation. Once donation is received, we’ll contact you [email protected] with further details. Any other wild bidders are welcomed to join the donation race to 1BZenT5iLCC1d8GFa1DfWTYkk89ea2r9af if you want full information to be publicly released. And yeah…just to make things clear from the beginning, let us state we’re talking real deal. Take a quick peek at some juicy stuff extracts we have and think if they ring the bell.

Boring — so what did the scammers find to try and blackmail with?

Here are the features it offers from its main UI:

ALPHANUMERIC_DICTIONARY: To brute force a complex alphanumeric passcode, upload a custom password dictionary. If a dictionary is not uploaded, GrayKey will not attempt to brute force custom alphanumeric passcodes. The format of the dictionary is a plaintext file with one word per line.

AUTOMATIC_DATA_DOWNLOAD: If disabled, data extraction must be manually initiated from the GrayKey UI

COLLECT_ROOTFS: Collect the read-only system partition during data extraction. The system partition can be collected, but under normal circumstances is not able to be modified by the device user.

DISABLE_SESHAT: Persistently disable future enrollment in SE-bound passcodes on the device after initial access.

DOWNLOAD_INACCESSIBLE_METADATA: If an immediate extraction of accessible data is occurring, collect metadata for inaccessible files. The inaccessible files will appear empty, but the metadata will be accurate. This can occur in two instances - (1) SE-Bound and Before First Unlock or (2) "Automatically perform data extraction" is disabled and user has initiated an extraction before passcode discovery.

DOWNLOAD_PROCMEM: Enabling this setting will extract memory from all running processes after initial access.

INITIAL_DOWNLOAD_SESHAT: Perform immediate extraction of all accessible data when the device has an SE-bound passcode and is in the Before First Unlock state. This may be desired because bruteforce could take a very long time.

STORE_STATE_NVRAM: If checked, the agent will save bruteforce state in NVRAM every 6 hours. If device power is lost, when the agent is re-installed it will restart the passcode bruteforce at the last saved state. Once the agent is uninstalled (manually or automatically), the state will be removed from NVRAM. Writing to NVRAM has no effect on the device filesystem.

Since the scammers have slightly more than the Shodan capture, we can infer they actually visited the site before it was taken down. I, however, would bet a small amount of money they never get paid.

Related, I made a casual bet with a friend on how long it will take for a relevant software patch or recall to be offered to patch this on iPhone. My Apple-loving mate reckons 2 months, I give it 12 — what do people think?