On The Same Day The FBI Claimed No Vendor Could Crack iPhones, Another Way To Crack iPhones Made The News
from the way-to-stay-ahead-of-the-news-cycle,-Chris dept
At the same time the FBI director was claiming the private sector (other than Apple) couldn’t help agents break into encrypted iPhones, the private sector was once again demonstrating it could do exactly that. Chris Wray’s remarks to the press centered less on the underwhelming news that the FBI had conclusively linked the Pensacola Air Base shooter to al Qaeda than on Apple’s supposed unhelpfulness.
The FBI claimed it had found a way to access data on the shooter’s phones, but provided no details on its method. Maybe agents brute forced a passcode. Maybe they just found a side door that allowed them to exfiltrate the data they were looking for. Whatever it was, it wasn’t something provided by a vendor. In fact, Chris Wray went so far as to claim the media was misleading the public about the availability of encryption-breaking/bypassing tech.
We canvassed every partner, and every company, that might have had a solution to access these phones. None did, despite what some claimed in the media.
Within a few hours of this assertion by Wray, the media was again reporting on another tech solution for encrypted iPhones. Here’s Olivia Solon for NBC News:
[A]nother tool, previously unknown to the public, doesn’t have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.
The software is deployed by existing GrayKey devices — the same ones Grayshift claims can crack iPhone passcodes by installing a user agent to bypass Apple’s lockout countdown. This would be the same software/hardware Chris Wray claims can’t do any of these things, despite extensive reporting on claims the manufacturer itself makes.
After dropping the surreptitious tracker on the targeted phone, the phone is returned to the suspect in hopes that they’ll input their passcode.
For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.
The software also disables airplane mode and disables wiping of the device. A snapshot of the system is taken to track any attempted deletion of phone contents.
This seems to do all the things the FBI claims no one can actually do. Sure, it won’t scale — especially since it requires a fair bit of subterfuge on the part of investigators and relies on the trust of criminal suspects who might find it suspicious their seized phone has suddenly been returned to them. But no technique for bypassing encryption ever will. And none of them should.
Asking a suspect for the combination to a safe will only unlock that safe, not every safe seized during searches. Phones are as unique as the individuals carrying them. So are the circumstances surrounding the attempted searches. One size should not fit all and the encryption backdoors Chris Wray wants only ensure everyone — criminal or not — will be negatively affected by law enforcement’s newly-greased wheel.
Then there’s the secrecy surrounding this tech. The NDAs Grayshift forces on law enforcement customers mean judges, defendants, and defense lawyers aren’t being told what’s being used to open up phones and search their contents. We’ve spent years detailing the opacity shrouding the deployment of Stingray devices — something that has allowed law enforcement to avoid having warrant requirements imposed on them. The same thing is happening here. There’s a legal way to do this. But the secrecy imposed by the tech provider tends to provide the cover officers need to operate these tools unlawfully. Here’s the best-case scenario, followed immediately by the most likely scenario.
“Law enforcement use of this ‘agent’ keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society. “In general, I don’t think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized.”
There are solutions out there. And they’re not legislative mandates compelling assistance breaking encryption or backdoors for law enforcement. There are ways to bypass or crack what Bill Barr and Chris Wray have decided to call “warrant-proof encryption.” Pretending there isn’t while using an investigation press conference as a grandstand for Apple bashing isn’t moving the conversation forward. It’s just giving everyone one more reason not to trust Bill Barr or Chris Wray.