Why Is a Government Contractor Trying to Buy iPhone Hacking Tech From Us?

On January 24 we received a pretty unusual email. The sender, a procurement officer from government contractor Cirrus Systems, wanted to buy multiple licenses for Graykey, the iPhone and Android hacking technology widely used by U.S. law enforcement and agencies. 

“Hello sales Team, I hope this email finds you well,” the email started. “I would be grateful if you provide us with best/lowest price quote for the following items for Federal’s demand. Please assist in me in the below.”

This was a government contractor trying to buy a phone hacking tool directly from a group of journalists. So, pretty weird.

The email included a table laying out how many licenses Cirrus Systems is after (it looks like four). A statement of work (SOW) then lists what specific capabilities the desired system must be capable of doing. They include “full forensic acquisition capability for the latest generations of iOS as implemented on the latest iPhone (iPhone 16 at this time) cellular telephones,” and the same for “the latest generations of Android.”

Graykey, owned by the company Magnet Forensics, is a staple across local, state, and federal U.S. law enforcement agencies, with officials using it constantly to unlock and extract data from seized mobile phones. Recently 404 Media published a never-before-seen list of what specific devices Graykey was able to access. On its website, Magent says that “Graykey is restricted to select countries. Graykey is not available to the private sector.”

The end user, the email said, would be Washington Headquarters Services (WHS), an agency that provides human resources, personnel security, and other services to the Office of the Secretary of Defense and other Department of Defense components. The date of closing was February 13, the email added. 

The contractor does business as Cirrus Systems but the company itself is called FSR Consulting LLC, according to the email. FSR Consulting’s customers include the U.S. Coast Guard, the Department of Energy, the National Institutes of Health, the Federal Bureau of Prisons, the Navy, the Air Force, and other government agencies, according to public procurement records.

Weirdly, this isn’t the first time someone has tried to buy something from me that is typically limited to just governments. In 2019 a Saudi cybersecurity company wanted to source zero day exploits from me. 

I don’t know whether WHS got the Graykeys it was after. Plenty of other agencies have, though. One procurement record this month points to Graykey license renewals for U.S. Immigration and Customs Enforcement.

Neither Cirrus Systems or the DoD responded to a request for comment.