An increasing number of police departments and federal authorities have bought devices that can unlock iPhones, according to a report from Motherboard. Using public-records requests, Motherboard determined that both local and regional police forces obtained units of a machine called GrayKey, and that the State Department has GrayKeys as well.
Specifically, Motherboard names the Maryland and Indiana State Police, Miami-Dade police and the U.S. State Department as having purchased the device. Many others, including the Drug Enforcement Administration and other local polices forces, have received purchase quotes or have sent emails showing interest in purchasing it. The FBI refused to disclose to Motherboard whether it had purchased the machine.
GrayKey was detailed on the MalwareBytes blog (opens in new tab) back in March and works on iPhones, including the most recent iPhone 8 and iPhone X, up to at least iOS 11.2.5. (Whether it works with later versions of iOS is unknown.) A $15,000 version of GrayKey requires an internet connection and allows 300 unlocks, while the $30,000 version cracks as many iPhones as you would like.
For a six-digit passcode, it takes the device around three days to crack a single iPhone, but weaker numerical passcodes can be cracked in under two hours. Long alphanumerical passcodes will in all likelihood take much longer than three days to crack.
In 2016, the FBI demanded that Apple specially write new code so that the agency could get into an iPhone used by one of the married shooters in the San Bernardino terrorist attack. Apple refused, which resulted in a long and ugly battle between Apple and the FBI over user privacy, which the FBI ultimately dropped when Apple wanted to let it go to court and the FBI found a (possibly Israeli) company that could get into the shooter's phone.
Ultimately, Apple may be able to patch whatever exploit GrayKey is using to crack iPhones. (The device seems to bypass Apple's restrictions on the number and frequency of wrong passcode entries.) But as Motherboard's full report (which you should read here) shows, law-enforcement agencies want to retain their (perfectly legal, with a warrant) access to suspects' mobile devices to aid in investigations, and the people over in Cupertino might not be too happy about that.