Despite much whining on the part of law enforcement about the alleged perils to public order posed by encryption, it's no secret that cops can often bypass measures intended to protect privacy. Now, documents obtained by Vice's Motherboard describe just how police agencies use one tool to extract data from Apple devices. It's more evidence that officials aren't stymied by encryption half as often as they claim, but just want to paw through our information without effort or expense.
"'How to unlock and EXTRACT DATA from Apple Mobile Devices with GrayKey,' the instructions, seemingly written by the San Diego Police Department, read," Vice's Joseph Cox reveals of the documentation obtained with a public records request. "The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery," he adds.
GrayKey's existence isn't a revelation, though the documentation provides interesting insight into its capabilities. Georgia-based Grayshift openly markets the product on its website, including a recently released version that works on Android phones.
"Annual licensing for GrayKey with iOS and Android support begins at USD $9,995," the company notes.
Malwarebytes Labs got a glimpse of a GrayKey device in 2018 and published images along with a description of its operation.
"GrayKey is a gray box, four inches wide by four inches deep by two inches tall, with two lightning cables sticking out of the front," Thomas Reed wrote for the security firm. "Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source."
That two-hour extraction time still seems valid based on information on the Grayshift website. GrayKey uses a brute-force approach to gain access to devices, and the instructions obtained by Vice reveal that alphanumeric passcodes offer greater challenges to the approach than number-only codes—especially if users avoid using real words. Even after a device is returned, the intrusion isn't necessarily over. "As part of a feature called HideUI, GrayKey also allows agencies to install the agent which surreptitiously records the user's passcode if authorities hand their phone back to them," Cox cautions.
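To make the article's point about passcode strength concrete, here is an added example (not part of the article, and not Grayshift's or Apple's code) that compares the search space a brute-force tool faces for numeric, alphanumeric and dictionary-word passcodes; the guess rate and the wordlist are constructed, illustrative constants rather than figures from any real tool.

```python
# Added example: how passcode alphabet, length and "real word" choice change
# the search space a brute-force tool has to cover. Rates and wordlist are
# constructed for illustration, not measurements of GrayKey or any device.

ALPHABETS = {
    "digits": 10,       # 0-9
    "alnum": 62,        # a-z, A-Z, 0-9
    "printable": 94,    # printable ASCII without space
}

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length

def expected_guesses(space: int) -> float:
    """A brute-force search hits the right code, on average, halfway through."""
    return space / 2

def expected_hours(space: int, guesses_per_second: float) -> float:
    """Mean time to recover a passcode drawn uniformly from `space`."""
    return expected_guesses(space) / guesses_per_second / 3600.0

def classify(passcode: str) -> str:
    """Smallest alphabet class containing every symbol of the passcode."""
    if passcode.isdigit():
        return "digits"
    if passcode.isalnum():
        return "alnum"
    return "printable"

def effective_space(passcode: str, wordlist: set[str]) -> int:
    """A dictionary word (optionally followed by digits) is only as strong as
    the attacker's wordlist times the trailing-digit combinations, regardless
    of how large its nominal alphabet is."""
    stem = passcode.lower().rstrip("0123456789")
    if stem in wordlist:
        trailing_digits = len(passcode) - len(stem)
        return len(wordlist) * 10 ** trailing_digits
    return keyspace(len(passcode), ALPHABETS[classify(passcode)])

ASSUMED_RATE = 100.0  # guesses per second; assumed constant for illustration only

if __name__ == "__main__":
    toy_wordlist = {"password", "letmein", "iphone"}  # constructed wordlist
    for code in ["123456", "iphone7", "Tr0ub4d!r"]:
        space = effective_space(code, toy_wordlist)
        hours = expected_hours(space, ASSUMED_RATE)
        print(f"{code:>10}: search space {space:,} -> ~{hours:,.1f} h at assumed rate")
```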
But Grayshift wasn't the first company to help law enforcement agencies break into encrypted devices. In 2016, Apple repeatedly told the FBI to pound sand when asked to bypass the privacy protections on its phones. The FBI then turned to Cellebrite, based in Israel, to gain access to a locked iPhone.
"Cellebrite, the Israeli company, said its sales increased 38 percent in the first quarter to $53 million as more police departments bought its tools to hack into suspects' phones," The New York Times reported earlier this month, indicating the company is still active in that market (that very busy market, I'll add).
"[H]igh-profile cases in which law enforcement cannot access the contents of a phone overshadows a more significant change: the rise in law enforcement's ability to search the thousands of phones that they can access in a wide range of cases," according to an October 2020 report from Upturn, a nonprofit that scrutinizes police use of technology. "Our records show that at least 2,000 agencies have purchased a range of products and services offered by mobile device forensic tool vendors. Law enforcement agencies in all 50 states and the District of Columbia have these tools."
"We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant," the report adds.
That doesn't mean that tech companies are complacent about hacking tools and flaws in their security. Grayshift "is constantly in a cat-and-mouse game with Apple, which tries to fix security issues that GrayKey takes advantage of," observes Vice's Cox. The result, undoubtedly, is improved technology all around, with vulnerabilities ultimately detected and closed off not only to law-enforcement contractors, but also to criminal hackers.
That said, police and intelligence agencies aren't restricted to waging technological cold war against cryptographers and tech companies; they also rely on old-fashioned sneakiness. After taking down Phantom Secure, an organization that specialized in offering secure communications to criminals, law enforcement set up a fake outfit to take its place.
"In an innovative effort, the FBI, with the help of the Australian Federal Police, launched their own encrypted communications platform and supplied more than 12,000 devices to hundreds of criminal organizations that operate around the globe," the FBI announced on June 8. Needless to say, the provided devices protected nobody's privacy and resulted in hundreds of arrests.
So, law enforcement would seem to be doing just fine, sucking the information out of the vast majority of targeted devices (often indiscriminately) while only now and then running up against a tougher nut. Even in those cases, some jurisdictions allow for the issuance of warrants to compel the surrender of passwords, or else. That's a lot of arrows in cop quivers.
But governments still insist that "tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format," as a multi-national manifesto signed by the United States reiterated just last fall. Privacy protections of any sort, no matter how frequently bypassed, just seem to offend the sort of people who go into government.
That said, turnabout is fair play. Matthew Rosenfeld, the security researcher who, as Moxie Marlinspike, created the Signal secure messaging app, says it's possible to install software on your own device that will compromise the technology police use to extract data.
"[W]e found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed," he wrote in April of this year.
The privacy wars won't be cooling down anytime soon.