The Hacking Box That Led to a Golden Age of iPhone Investigations


The GrayKey tool can unlock an iPhone and extract emails, texts, contact lists and other data that was previously near-impossible to collect. Chris Ford, an investigator with the district attorney's office in Georgia’s Gwinnett County, used the GrayKey in about 30 investigations over the past month.

At a conference of law-enforcement forensics officials last week, someone asked David Miles what would happen if Apple Inc. tried to ruin his business.

Mr. Miles heads an Atlanta startup called Grayshift LLC that sells a $15,000 iPhone-unlocking box to police and other authorities in the U.S. The device’s popularity has contributed to what some forensics investigators say is a golden age of iPhone investigations and led the conference attendee to ask what Grayshift could do if Apple tried to block it.

“That’s the question everyone’s asking,” Mr. Miles said to muted laughter, before returning to a demonstration of how his device, called a GrayKey, could break into an iPhone and download nearly all of the data available on the device.

Now Apple is indeed firing back, saying Wednesday it is testing a change to its iOS mobile software that, according to people familiar with the company’s plans, could stop the GrayKey from getting into iPhones. It’s a blow in the cat-and-mouse game between the world’s most valuable publicly traded company and a handful of forensic-tools makers, including Grayshift, that have found ways to penetrate the iPhone’s much-touted privacy defenses.

Behind that skirmish is the larger debate over how to balance user privacy against the desire of law-enforcement officials to access information on devices they say could aid investigations and, in some cases, potentially save lives.

Apple fought an epic battle in 2016 over that issue with the Federal Bureau of Investigation, which asked a federal court to force the tech giant to unlock an iPhone used by one of the shooters in the 2015 San Bernardino, Calif., terrorist attacks.

Apple at the time said helping the FBI would risk creating a tool that could compromise the security of all its customers. The legal clash ended only after the FBI paid more than $1 million for a hacking tool to unlock the device.

Grayshift—with fewer than 20 employees and a router-sized gray box that even many local governments can afford—has made that 2016 fight and its resolution look antiquated.

The company, which started selling GrayKey earlier this year, won’t discuss the Apple flaws it leverages to get onto the iPhone. But at last week’s demonstration, it was an easy process. Mr. Miles plugged an iPhone X into the GrayKey’s Lightning cable, clicked a handful of options on a management screen and the device went to work.

Apple’s new software feature is designed to limit the window of opportunity for police to use the GrayKey to 60 minutes. The software feature prevents devices from accessing data on the iPhone via the Lightning port starting an hour after a phone was last unlocked. The company has also likely included software patches that will otherwise block the GrayKey’s effectiveness, security researchers say.

“There’s a punch-counterpunch narrative here that’s unfolding,” said Dan Guido, chief executive at the security consultancy Trail of Bits Inc. “Grayshift scored a really nice hook.”

Mr. Miles told attendees of the Myrtle Beach, S.C., conference that Grayshift plans more punches ahead. The company has invested heavily in research and development in its two years of existence, expecting that some techniques will be rendered obsolete over time. “It is an arms race,” Mr. Miles said.

Grayshift plans to deliver new iPhone-cracking methods to GrayKey users via software updates, Mr. Miles said. The GrayKey works only on Apple devices, which overall present a much greater level of challenge to law enforcement than Android phones do, forensics investigators say.

The company is developing the new methods with the assistance of accomplished iPhone hackers, including at least one former member of Apple’s security team who left the company in 2012, according to people familiar with the company.

Apple declined to comment on GrayKey specifically, or to discuss its further plans for combating such efforts. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs,” Apple said Wednesday.

Apple has taken steps to work more closely with law enforcement. In March, an Apple executive took the unusual step of providing a presentation on digital forensics during an invitation-only international law-enforcement conference in the U.K.

While other companies offer ways to break into iPhones, Grayshift has become popular with U.S. law enforcement because of its low cost, effectiveness and ease of use, forensics experts say.

In Georgia’s Gwinnett County, local prosecutors have used GrayKey 30 times in the past month to extract emails, texts, contact lists and other data that previously had been near-impossible to collect from iPhones, according to Chris Ford, an investigator with the district attorney’s office. He credits it with helping crack homicide, armed-robbery, rape and other criminal cases.

“FBI agents from Atlanta were driving up to use this device because they didn’t have one yet,” Mr. Ford said.

The FBI declined to say whether it uses GrayKey.

Grayshift has kept a low profile, declining press requests for interviews and maintaining a bare-bones website with no details of its products. It lists an Atlanta-based UPS Store as its business address.

A rare public demonstration of Grayshift’s tech at a Myrtle Beach hotel was packed with dozens of investigators and other officials, who watched Mr. Miles plug the iPhone X into his box.

The GrayKey quickly went to work installing its passcode-guessing software onto the iPhone, which can circumvent the Apple password-guessing protections that can lock the phone permanently after too many failed attempts.

Guessing hundreds of passcode combinations a minute, the GrayKey in the demonstration took about 30 minutes to crack the iPhone’s easy-to-guess passcode of 967967 and download data. Extracting a more complex passcode could take days, Mr. Miles said.

Mr. Ford estimates the GrayKey correctly guesses the passwords of between 50% and 60% of the iPhones he tries it on. Some phones have passcodes too complex to be cracked in a reasonable amount of time.

At the conference, Grayshift’s booth was shadowed by an armed guard. “We’re very careful to make sure that the product only goes to those who are authorized to use it,” Mr. Miles said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com
