Law enforcement interest in iPhone encryption-cracking hardware from two new companies is a strong indication that Apple no longer claims the mobile security high ground.
“What this means, if it’s true, is that people who thought all of their communications were totally secure shouldn’t feel so confident going forward,” said Jack Gold, principal analyst with J. Gold Associates. “But, then security has always been a tug of war between the ones implementing it and the ones trying to break it.”
In February, reports surfaced that an Israel-based technology vendor, Cellebrite, had discovered a way to unlock encrypted iPhones running iOS 11 and was marketing the product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security had been testing the technology.
Shortly thereafter, a different company, Grayshift, emerged, having developed an inexpensive black box that could unlock any iPhone; this week Motherboard reported that local and regional U.S. police departments and the federal government have been purchasing the technology.
Grayshift reportedly hired a former Apple security engineer.
Motherboard confirmed the use of Grayshift’s GrayKey de-encrypting device – a 4-in. x 4-in. box with two iPhone-compatible Lightning cables – by reviewing police department interest via public records requests and emails obtained from federal agencies that revealed purchases of the device. The GrayKey box can apparently unlock an iPhone in about two hours if the owner used a four-digit passcode and three days or longer if a six-digit passcode was used.
If the devices didn’t work, police wouldn’t be buying them
Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said he believes the reports that the iPhone’s encryption has been cracked. If it were not true, law enforcement agencies wouldn’t be purchasing the hacking technology.
“The FBI huffed and puffed and said couldn’t get into the iPhone, and then we found out that’s not true…the literal night before the court hearing [to decide the case],” Cardozo said.
He was referring to the investigation of San Bernardino gunman Syed Rizwan Farook. Until last month, FBI Director Christopher Wray had maintained his agency was unable to crack the passcode on an iPhone used by Farook.
The Justice Department had petitioned the courts to force Apple to comply with an order to unlock the device; a judge granted the request, but delayed making a final decision until hearing arguments from both sides. The evening before a court hearing to decide the matter, the agency announced it had gotten help from an outside group. That now appears not to be true.
The FBI’s attempts to get Apple to help with unencrypting the iPhone were rebuffed. Apple maintained that to break into one iPhone would weaken security for all others.
The news that two iPhone unencrypting methods are now widely available to government agencies did not surprise analysts, who said it was inevitable.
“There is no such thing as unbreakable encryption,” Gold said. “The idea is to make it as hard as possible by adding layers of encryption or long keys to encode, decode. But a determined decoder can crack it, given enough tools and enough time.”
The GrayKey box retails for $15,000. That model is geofenced to a specific location, requiring an internet connection that enables up to 300 unlocks. There is also a $30,000 GrayKey model that can be used independent of internet connectivity and offers an unlimited number of device unlocks, according to Motherboard.
Conversely, Cellebrite charges $5,000 to unlock a single iPhone, according to Malwarebytes.
EFF’s Cardozo said consumers shouldn’t be overly concerned that iPhone-breaking technology has become real, because law enforcement agencies must still obtain a court-issued warrant to unlock a device.
But those concerned about privacy rights should realize that once cracking technology is available, it’s reasonable to believe law enforcement agencies won’t be the only ones to gain access to it.
“If you believe the only people with access to GrayKey or Cellebrite are the cops, I’ve got a bridge to sell you,” Cardozo said.
Apple’s possible attempt at limiting law enforcement access
Apple may be taking its own steps to further limit unauthorized access to locked iOS devices. In its beta release of iOS 11.3, Apple introduced a feature known as USB Restricted Mode.
Security software vendor Elcomsoft first discovered the new feature, which was buried deep within the beta release documentation. The feature was apparently cut from iOS 11.3 before it was released publicly.
The documentation described the new feature as a way “to improve security.”
“For a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week.”
If an iOS device is not unlocked after seven days, an iPhone’s or iPad’s Lightning port turns into nothing more than a charging port, locking out any data connection at the USB-interface level, according to Elcomsoft’s description.
“Its effect on passcode unlocking techniques developed by Cellebrite and Grayshift is yet to be seen,” Elcomsoft explained in its blog post.
Apple did not immediately respond to a request for comment.
It’s unclear if the feature will be included in iOS 11.4, which has not yet been rolled out publicly.
Senior Reporter Lucas Mearian covers financial services IT (including blockchain), healthcare IT and enterprise mobile issues (including mobility management, security, hardware and apps).