GrayKey is a device made by Grayshift (now part of Magnet Forensics following the 2023 merger) used by law enforcement to unlock and extract data from iPhones. Around the size of a small router, sits in forensic labs and field operations. Exploits vulnerabilities in iOS to bypass the device passcode through brute force, the rate of which depends on Apple’s current iOS protections, the device generation, and whether the phone is in BFU or AFU state.
What it means in practice
GrayKey’s effectiveness depends on the iOS version and the strength of the passcode. A six-digit numeric PIN can be brute-forced in hours or days, even with iOS’s exponential delay between failed attempts. A long alphanumeric passphrase (10+ characters) takes significantly longer and may be practically infeasible within the time constraints of most border detentions or short-term seizures. Apple patches the vulnerabilities GrayKey exploits with each iOS update, creating an arms race where Grayshift’s capability against current iOS lags by weeks to months and recovers; the public capability against the latest iOS is opaque by design.
Who uses it, and against whom
Customer base: federal agencies (FBI, ICE, DEA, ATF, USSS), state and local police across the US, customs and border services, and confirmed sales to law enforcement in the UK, Singapore, and several EU countries. The device is sold under non-disclosure terms that prevent buyers from publicly confirming use, which has led prosecutors to drop charges rather than disclose GrayKey use in court. Against whom: anyone whose iPhone is in the custody of a buyer agency, whether through arrest, border detention, civil discovery, or warrant-based seizure. The threat is most acute at borders (where warrant standards do not apply) and in jurisdictions where seizure standards are low.
What you can change today
Three actions before any high-risk situation. Switch from a 6-digit PIN to an alphanumeric passphrase of 10+ characters (Settings, Face ID and Passcode, Change Passcode, Passcode Options, Custom Alphanumeric Code). Power the device fully off (not lock screen, fully off) before any border crossing or anticipated seizure so it lands in BFU state on next boot, where GrayKey’s effectiveness is sharply reduced. Enable USB Restricted Mode (Settings, Face ID and Passcode, USB Accessories off) so the Lightning or USB-C port refuses data transfer one hour after the last unlock, which blocks GrayKey’s primary attack vector during the seizure window.