
Cops Around the Country Can Now Unlock iPhones, Records Show

This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it.

FBI Director Christopher Wray recently said that law enforcement agencies are “increasingly unable to access” evidence stored on encrypted devices.


Wray is not telling the whole truth.

Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.

The news highlights the going dark debate, in which law enforcement officials say they cannot access evidence against criminals. But easy access to iPhone hacking tools also hamstrings the FBI’s argument for introducing backdoors into consumer devices so authorities can more readily access their contents.

“It demonstrates that even state and local police do have access to this data in many situations,” Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, told Motherboard in a Twitter message. “This seems to contradict what the FBI is saying about their inability to access these phones.”

As part of the investigation, Motherboard found:

THE KEY

Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.

“I attended your demo presentation recently held at the Montgomery County Police Headquarters and was pleased by your product’s potential,” an Assistant Commander from the Technical Investigations Section at the Maryland State Police wrote in an email to Grayshift in March.

The GrayKey itself is a small, 4×4 inch box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen by Forbes says GrayKey can unlock devices running iterations of Apple’s latest mobile operating system iOS 11, including on the iPhone X, Apple’s most recent phone.

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The issue GrayKey overcomes is that iPhones encrypt user data by default. Those in physical possession normally cannot access the phone’s data, such as contact list, saved messages, or photos, without first unlocking the phone with a passcode or fingerprint. Malwarebytes’ post says GrayKey can unlock an iPhone in around two hours, or three days or longer for 6 digit passcodes.

And police forces are ready to use GrayKey. David R. Bursten, chief public information officer from the Indiana State Police, wrote in an email to Motherboard that the force had only recently obtained the GrayKey device, but that “this investigative tool will be used, when legally authorized to do so, in any investigation where it may help advance an investigation to identify criminal actors with the goal of making arrests and presenting prosecutable cases to the proper prosecuting authority.”

Image: A photograph of the GrayKey device. Credit: Malwarebytes


Greg Shipley, Maryland State Police spokesperson, told Motherboard “the connection of electronic devices to a wide range of crimes continues to increase, so the need to obtain investigative information from these devices during a criminal investigation continues to grow.” Last week Maryland State Police told Motherboard that the force is in the early stage of procuring GrayKey; one of the documents obtained includes a price quote from GrayKey dated March 22.

Multiple employees of Grayshift did not respond to requests for comment. In response to a Freedom of Information Act request, the FBI refused to say whether it had purchased GrayKey.

But the FBI is looking to buy the tech, according to a March 8 procurement record. An attached Request for Quotation document says the FBI wants 6 of the offline GrayKey units.

“Only the GreyShift/GreyKey solution can meet the FBI’s technical requirements,” another document reads. It adds that GrayKey can “provide a more economical solution for iOS mobile device processing,” and that the device “fills a critical need.”

KICKING DOWN THE BACKDOOR

In 2016, the Department of Justice infamously tried to compel Apple to create a new operating system that would allow investigators to break into the iPhone 5C of one of the San Bernardino terrorists. The tweak, it was proposed, would allow the FBI to quickly churn through potential passcodes to open the device without triggering the device’s delay feature or wiping its contents. (After several incorrect passcode guesses, iPhones disable any further attempts for an increasing amount of time; some iPhones may delete a user’s data after too many failed guesses.) The Justice Department tried a similar legal approach in other cases involving iPhones.

Cryptographers and technologists generally refer to this addition as a backdoor; that is, a new way to circumvent the protections on a device. But the existence, purchase, and price of GrayKey cast serious doubt on whether law enforcement requires any sort of iPhone backdoor.

“The availability and affordability of these tools undercuts law enforcement’s continual assertions that they need smartphone vendors to be forced to build ‘exceptional access’ capabilities into their devices,” Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, told Motherboard in a Twitter message.

To be clear, the FBI already makes heavy use of technology similar to GrayKey, and spends millions of dollars on equipment that cracks phones without using mandated backdoors. Motherboard previously found that the FBI bought over $2 million worth of forensics tools from established vendor Cellebrite. Back in 2016, the Bureau’s General Counsel said the FBI could unlock most phones it seized.

In March, the New York Times reported that FBI and Justice Department officials have reignited the hunt for backdoors, and have been quietly meeting with security researchers. And earlier this month, Cyberscoop reported that staffers of the Senate Judiciary Committee have been contacting US tech companies regarding potential future legislation around encryption.

Adding an iPhone backdoor, by its nature, adds new vulnerabilities into an otherwise fairly secure phone that provides robust encryption by default. GrayKey’s existence and widespread availability “means that adding backdoors isn’t so much a question of adding a secure door to the walls of a stone castle. It’s like adding extra holes in the walls of a sandcastle,” Green, the Johns Hopkins cryptographer, said. “It seems totally reckless to add additional mandatory vulnerabilities.”

Instead of backdoors, some technologists say the current system of hacking is the best we can hope for: a phone is released; companies such as Grayshift look for ways to access the device; for a time their tools work; then the phone manufacturer issues a fix or a new operating system version, and the cycle repeats.

“The success of companies like Grayshift in finding and exploiting ways to gain access to even the latest, most secure smartphone models demonstrates that flaws will always exist despite manufacturers’ best efforts,” Pfefferkorn said.

But to be clear, GrayKey is not the end of this debate. Whatever exploits GrayKey is taking advantage of may stop working at some point. The FBI wanted to force Apple to tweak the San Bernardino iPhone running in February 2016; Cellebrite announced it could crack devices running iOS 9—the particular iOS version the phone was using—in July 2016. Even when phone crackers eventually catch up, there can still be a period of time when agencies may indeed be dark on a suspect’s phone.

This is, presumably, the reason the DOJ and FBI would like backdoors: they provide more guaranteed access over a period of time, rather than catching up with each iteration of a phone cracking product. Cost might be a factor too—forcing tech companies to facilitate access could be cheaper than buying more cracking tools.

“The FBI does not comment on specific tools or technologies; however, there is no one size fits all solution to Going Dark,” an FBI spokesperson told Motherboard in a statement.

In March, FBI Director Wray said the Bureau had nearly 7,800 phones it could not unlock last year. Maybe the FBI could get in touch with the country’s local police forces.

Update: This piece has been updated to include that the FBI refused to say whether it has bought GrayKey or not in a Freedom of Information Act request response, and that the FBI is looking to purchase the technology, according to online records.
