Apple to Shut I-phone Security Hole That Police Use to Crack Devices

The friction came into public view after the F.B.I. could not access the iPhone of a gunman who, along with his wife, killed 14 people in San Bernardino, Calif., in late 2015. A federal judge ordered Apple to figure out how to open the phone, prompting Timothy D. Cook, Apple’s chief executive, to respond with a blistering 1,100-word letter that said the company refused to compromise its users’ privacy. “The implications of the government’s demands are chilling,” he wrote.

The two sides fought in court for a month. Then the F.B.I. abruptly announced that it had found an undisclosed group to hack into the phone, for which it paid at least $1.3 million. An inspector general’s report this year suggested the F.B.I. should have exhausted more options before it took Apple to court.

Since then, two main companies have helped law enforcement hack into iPhones: Cellebrite, an Israeli forensics firm purchased by Japan’s Sun Corporation in 2006, and Grayshift, which was founded by a former Apple engineer in 2016. Law enforcement officials said they generally send iPhones to Cellebrite to unlock, with each phone costing several thousand dollars to open. In March, Grayshift began selling a $15,000 GrayKey device that the police can use to unlock iPhones themselves.

Apple has closed loopholes in the past. For years, the police used software to break into phones by simply trying every possible passcode. Apple blocked that technique by disabling iPhones after a certain number of wrong passcodes, but the Grayshift and Cellebrite software appear to be able to disable that Apple technology, allowing their devices to test thousands of passcodes, Mr. Green said.

Cellebrite declined to comment. Grayshift did not respond to requests for comment.

Opening locked iPhones through these methods has become more common, law enforcement officials said. Federal authorities, as well as large state and local police departments, typically have access to the tools, while smaller local agencies enlist the state or federal authorities to help on high-profile cases, they said.

Law enforcement agencies that have purchased a GrayKey device include the Drug Enforcement Administration, which bought an advanced model this year for $30,000, according to public records. Maryland’s state police have one, as do police departments in Portland, Ore., and Rochester, Minn., according to records.