Breaking News Emails
In early April, the police department in Rochester, Minnesota, bought an obscure piece of technology that would allow its investigators to break into iPhones, joining a growing number of police agencies that have hired hacking companies to help bypass Apple security in their search for evidence of crimes.
The city’s detectives didn’t get much time to use it.
This week, Apple released an update that patched the security gap that allowed the technology to work — shutting down a technique used by the FBI to unlock a cellphone left behind in the 2015 terror attack in San Bernardino, California, and since adopted by federal, state and local police in an array of cases, from murder to child porn to drugs.
But the patch won’t slow the relentless pursuit among hackers and law enforcement agencies to pry data out of Americans’ everyday devices — and tech companies’ attempts to thwart those exploits.
“It’s a cat-and-mouse game,” said John Sherwin, Rochester’s interim police chief and head of the department’s investigative division.
And yet Sherwin said he wasn’t too concerned. That’s because his department uses a variety of other “forensic tools” to access devices and Grayshift — or some other company — will probably come up with another method to break through, he said.
“There’s always going to be someone to figure a way around it,” Sherwin said.
For decades, authorities and security professionals have scrambled to keep up with pranksters and criminals — and secretive technology companies — that break into computer networks and figure out how to sidestep the latest security technology.
The stakes, however, continue to grow. Today almost everyone has a computer in their pocket — and that device contains just about anything anyone would want to know about them.
That’s important to criminals. It is also important to crime-fighters, who see phones as holding information that could help solve or deter crimes. And it’s important for tech companies — some of whom have been shamed by revelations of their cooperation with national spy agencies — to be seen as protectors of their customers’ personal data.
As companies deploy encryption and other bulwarks against government prying, law enforcement authorities have grown increasingly frustrated. They call their struggle to obtain data locked away in phones as “going dark.”
The issue exploded as a national concern after the San Bernardino attack, when the FBI said that it couldn’t access a phone left behind by one of the killers. Apple refused to help. The Justice Department asked a judge to force Apple to provide access to the phone. A PR battle erupted, with the heads of many top tech companies and civil rights groups backing Apple, and many public officials — and then-presidential candidate Donald Trump — saying Apple ought to comply.
But the court showdown never happened. The FBI suddenly dropped its lawsuit and said it had paid someone else to hack the phone. Adding to the intrigue, news organizations demanded in court that the government reveal how it was done, but a judge ruled that the method should remain secret. A source, however, told NBC News at the time that the mystery contractor was an Israeli firm called Cellebrite.
Since then, the battle over access to iPhones has continued to simmer, as more law enforcement agencies sought out help from hacking firms.
Cybersecurity experts now believe the FBI’s contractor — whoever it was — used the same techniques that Apple’s update closed off.
Grayshift, based in Atlanta, and Cellebrite are the two companies known to sell that technology to law enforcement. It uses an iPhone’s so-called Lightning port, which connects the phone to chargers and USB devices, to evade password and fingerprint protections and extract encrypted data, including photos, emails, messages and internet searches, according to investigations conducted by Vice’s tech-focused Motherboard website and independent security firms.
Those investigations have uncovered what the Grayshift system — named GrayKey — looks like and found evidence of the company’s arrangements with police agencies in Indiana, Oregon, Maryland, and Minnesota, as well as several federal agencies.
Grayshift did not return a message seeking comment. A Cellebrite representative declined to comment.
E.J Hilbert, a former agent in the FBI’s cybercrime division, compared the Lightning port to a house’s mail slot, and the hacking technique to inserting a tool that pops the lock on the door. In this case, the technology injects code that tricks the phone into providing access, he said.
“That’s what hacking is,” said Hilbert, the CEO of Path Network, which monitors internet traffic. “It’s talking to computer or code in such a way that it decides to share more than should be sharing.”
Law enforcement officials say that their attempts to access phones isn’t illegal. Any search of a phone has to be approved by a judge — although those warrants are typically sealed.
Apple said in a statement that when it discovered the vulnerability in the Lightning port, it created a “USB Restricted Mode” to block potential attacks when owners weren’t using their phones. With that upgrade installed, the Lightning port can be used only for charging after the phone has been locked for an hour, Apple said.
The company stressed that the move was intended to protect customers from “hackers, identity thieves and intrusions into their personal data” — not the police.
“We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs," Apple spokesman Fred Sainz said in an email.
Jay Kaplan, a former anti-terrorism hacker for the National Security Agency, said it was extremely unlikely that the two companies — or other unknown groups that have exploited the Lightning port vulnerability — will now give up.
“These companies are guiding their entire business around this,” said Kaplan, who now runs the cybersecurity firm Synack. “Don’t think for a second that this is the only avenue that they have to circumvent Apple’s security. This is not the only avenue of attack. My guess is they will shift to whatever is next on their tool belt.”
That may already be happening. Vice’s Motherboard reported that Grayshift has indicated to clients that it is working on a way around the new patch.
Hilbert predicted that law enforcement agencies would develop their own workaround: seeking “emergency” warrants that will allow them to access phones right away, before the USB Restricted Mode kicks in.
That is because police investigators have come to rely on phones as sources of evidence — especially in cases involving very serious crimes, such as terrorism, crimes against children and serial murders, Hilbert said.
“Is there going to be evidence on that phone that you can’t find anywhere else? Maybe,” he said. “But you don’t know until you open the phone.”