This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.
Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone’s lightning cable port into a charge-only interface if someone hasn’t unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn’t be able to unlock phones.
Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.
“Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,” a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff.
“They seem very confident in their staying power for the future right now,” the email adds.
“Grayshift has gone to great lengths to future proof their technology”
A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago.
Apple’s new feature is still alarming law enforcement, though.
“Of course they are concerned,” one source with access to restricted forums used by law enforcement told Motherboard. Motherboard granted several sources in this story anonymity to talk about sensitive industry developments.
“[That moment when] 10 of the last 12 threads in my inbox have ‘USB Restricted Mode’ in the subject line, and you realize it's just the beginning,” Shahar Tal, VP research at established phone unlocking firm Cellebrite tweeted on Thursday.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, and Lorenzo Franceschi-Bicchierai on Signal on +1 917 257 1382. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here.
Motherboard found Grayshift has relationships with federal, state, and local law enforcement agencies, including the FBI, DEA, and Secret Service. New emails show the New York State Police is in contact with Grayshift.
The GrayKey itself is a small box that has lighting cables for connecting two iPhones at once. Although technical details on how exactly GrayKey breaks into phones are generally unavailable, the device, expectedly, uses techniques to churn through different passcode combinations—or brute forcing in hacker lingo—according to demonstration slides seen by Motherboard.
According to company slides, the device has two strategies to access data on the phone: “Before First Unlock” or BFU, and “After First Unlock” or AFU. BFU is a “slow brute force,” meaning it takes 10 minutes per try. This gives access to “limited data.” That’s likely because the BFU strategy happens when the phone was off when seized. If that’s the case, when turned on, the iPhone has most of its data, including contacts, messages and other personal data still encrypted.
AFU, on the other hand is a “fast brute force” mode that presumably kicks in when the phone is locked but was turned on and unlocked at some point by the owner. In this case, it allows for 300,000 tries and allows “parallel extraction of pre-unlock data.” If AFU works, the slide adds, “95% of the user’s data is available instantly.” The slides were shown during a GrayKey presentation at a recent mobile forensics conference in Myrtle Beach, South Carolina.
But Apple’s new USB Restricted Mode may severely limit that type of attack, because the lighting port used to attack the phone will become largely useless once an hour passes without a phone unlock. As Motherboard reported earlier this month, the feature was included in the beta version of iOS 12, Apple’s upcoming mobile operating system update. The feature has not yet made its way into general iOS releases, but iOS 12 is expected to launch around June 26. (In Motherboard’s tests with an iOS beta version, USB Restricted Mode is turned on by default, but can be disabled).
“Some vendors are frustrated with GrayKey,” one researcher familiar with the forensics community told Motherboard. “They feel the media hype brought too much attention to the attack vector.”
Apple told Motherboard in a statement that it also provided to Reuters and the New York Times Wednesday“At Apple, we put the customer at the center of everything we design. We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs,” .
Ryan Duff, a security researcher who has studied iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard that USB Restricted Mode is a pretty solid solution,” referring to USB Restricted Mode.
“I believe [Apple] when they say it’s to make the device more secure,” Duff said. “The attack it is preventing is one where an attacker has physical access to your device and has some means of getting access to your data from there. That is limited to people who have access to a computer you have already authorized to communicate to your phone, and people who have the ability to exploit your phone. Those are the only ways you're going to get data off a phone by plugging it into something.”
Maryland State Police has purchased the GrayKey technology. In a statement to Motherboard, agency spokesperson Elena Russo said “the Maryland State Police (MSP) Digital Forensics Lab has a variety of hardware and software tools to conduct criminal investigations, to include but not limited to the GrayShift product. We will continue to use all the tools available to MSP investigators to produce the best outcome for any active criminal investigation.”
David R. Bursten, chief public information officer at the Indiana State Police, which has also bought a GrayKey, told Motherboard in an email "technology is constantly evolving and law enforcement responds to those changes on a regular basis. When one investigative door closes, another one opens over time."
Grayshift declined to comment.
Correction: This piece has been updated to correct the location of the mobile forensics conference. It took place in South Carolina, not Virginia. This piece has also been updated to include comment from the Indiana State Police.