Cops Say Encryption Hinders Investigations. These Documents Say Otherwise.

Law enforcers have plenty of tools; they just want to paw through our data without effort or expense.


Despite much whining on the part of law enforcement about the alleged perils to public order posed by encryption, it's no secret that cops can often bypass measures intended to protect privacy. Now, documents obtained by Vice's Motherboard describe just how police agencies use one tool to extract data from Apple devices. It's more evidence that officials aren't stymied by encryption half as often as they claim, but just want to paw through our information without effort or expense.

"'How to unlock and EXTRACT DATA from Apple Mobile Devices with GrayKey,' the instructions, seemingly written by the San Diego Police Department, read," Vice's Joseph Cox reveals of the documentation obtained with a public records request. "The instructions describe the various conditions it claims allow a GrayKey connection: the device being turned off (known as Before First Unlock, or BFU); the phone is turned on (After First Unlock, or AFU); the device having a damaged display, and when the phone has low battery," he adds. In forensic usage, "before first unlock" means the phone has been powered on but not yet unlocked since boot, so most of the per-file encryption keys are not in memory; "after first unlock" means it has been unlocked at least once since boot and those keys remain resident, which is why an AFU extraction typically yields far more data than a BFU one.

GrayKey's existence isn't a revelation, though the documentation provides interesting insight into its capabilities. Georgia-based Grayshift openly markets the product on its website, including a recently released version that works on Android phones.

"Annual licensing for GrayKey with iOS and Android support begins at USD $9,995," the company notes.

Malwarebytes Labs got a glimpse of a GrayKey device in 2018 and published images along with a description of its operation.

"GrayKey is a gray box, four inches wide by four inches deep by two inches tall, with two lightning cables sticking out of the front," Thomas Reed wrote for the security firm. "Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source."

That two-hour extraction time still seems valid based on information on the Grayshift website. GrayKey uses a brute-force approach to gain access to devices, and the instructions obtained by Vice reveal that alphanumeric passcodes offer greater challenges to the approach than number-only codes—especially if users avoid using real words. Even after a device is returned, the intrusion isn't necessarily over. "As part of a feature called HideUI, GrayKey also allows agencies to install the agent which surreptitiously records the user's passcode if authorities hand their phone back to them," Cox cautions.
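An added illustration, not from the article and not Grayshift's code, of why the instructions' advice about real words holds: a guesser that runs a wordlist (and word-plus-digits variants) before counting through the full keyspace reaches a passcode built from a real word almost immediately, while a random alphanumeric code of the same length forces it through billions of candidates. The wordlist, the sample passcodes and the 100-guesses-per-second rate are constructed assumptions, and the model ignores Secure Enclave rate limiting, which only lengthens the attacker's timeline.

```python
import math
import string
from itertools import product

# Constructed inputs for this example (not taken from the article).
DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits
WORDLIST = ["password", "dragon", "letmein", "qwerty", "monkey"]
GUESSES_PER_SECOND = 100  # hypothetical; the real GrayKey rate is not on the page


def rank_exhaustive(code, charset):
    """Position of `code` among all codes of the same length over `charset`
    when the attacker counts through them in lexicographic order.  That is
    how many guesses a length-aware exhaustive search spends on this code."""
    base = len(charset)
    idx = 0
    for ch in code:
        idx = idx * base + charset.index(ch)
    return idx + 1


def dictionary_candidates(wordlist, max_suffix_digits=2):
    """Guess order a wordlist-first attacker uses: bare words, then each word
    followed by 1..max_suffix_digits digits ("dragon0", ..., "dragon99")."""
    out = list(wordlist)
    for word in wordlist:
        for k in range(1, max_suffix_digits + 1):
            for suffix in product(DIGITS, repeat=k):
                out.append(word + "".join(suffix))
    return out


def rank_dictionary_first(code, charset, wordlist=WORDLIST):
    """Guesses needed when the wordlist is tried before exhaustive search."""
    cands = dictionary_candidates(wordlist)
    if code in cands:
        return cands.index(code) + 1
    # Wordlist exhausted: every candidate was spent, then fall back to counting.
    return len(cands) + rank_exhaustive(code, charset)


def seconds_for(guesses, rate=GUESSES_PER_SECOND):
    """Wall-clock time at the assumed guess rate, with no lockout delays."""
    return guesses / rate


def entropy_bits(space):
    """Bits of entropy in a uniformly chosen code from a keyspace of `space`."""
    return math.log2(space)


def report(code, charset):
    guesses = rank_dictionary_first(code, charset)
    return {
        "code": code,
        "guesses": guesses,
        "days": seconds_for(guesses) / 86400,
        "keyspace_bits": entropy_bits(len(charset) ** len(code)),
    }


if __name__ == "__main__":
    # A 6-digit PIN, a word-based alphanumeric code, and a random one.
    for code, charset in [("123456", DIGITS), ("dragon1", ALNUM), ("x7Qp2z", ALNUM)]:
        print(report(code, charset))
```

The point the numbers make: "dragon1" nominally lives in a 62^7 keyspace, yet a wordlist-first guesser finds it in about a hundred tries, fewer than a plain 6-digit PIN costs, while "x7Qp2z" sends the attacker past the whole wordlist and deep into the 62^6 space. Length and character set only help when the code is not a word.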

But Grayshift wasn't the first company to help law enforcement agencies break into encrypted devices. In 2016, Apple repeatedly told the FBI to pound sand when asked to bypass the privacy protections on its phones. The FBI then reportedly turned to Cellebrite, based in Israel, to gain access to a locked iPhone.

"Cellebrite, the Israeli company, said its sales increased 38 percent in the first quarter to $53 million as more police departments bought its tools to hack into suspects' phones," The New York Times reported earlier this month, indicating the company is still active in that market (that very busy market, I'll add).

"[H]igh-profile cases in which law enforcement cannot access the contents of a phone overshadows a more significant change: the rise in law enforcement's ability to search the thousands of phones that they can access in a wide range of cases," according to an October 2020 report from Upturn, a nonprofit that scrutinizes police use of technology. "Our records show that at least 2,000 agencies have purchased a range of products and services offered by mobile device forensic tool vendors. Law enforcement agencies in all 50 states and the District of Columbia have these tools."

"We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant," the report adds.

That doesn't mean that tech companies are complacent about hacking tools and flaws in their security. Grayshift "is constantly in a cat-and-mouse game with Apple, which tries to fix security issues that GrayKey takes advantage of," observes Vice's Cox. The result, undoubtedly, is improved technology all around, with vulnerabilities ultimately detected and closed off not only to law-enforcement contractors, but also to criminal hackers.

That said, police and intelligence agencies aren't restricted to waging technological cold war against cryptographers and tech companies; they also rely on old-fashioned sneakiness. After taking down Phantom Secure, an organization that specialized in offering secure communications to criminals, law enforcement set up a fake outfit to take its place.

"In an innovative effort, the FBI, with the help of the Australian Federal Police, launched their own encrypted communications platform and supplied more than 12,000 devices to hundreds of criminal organizations that operate around the globe," the FBI announced on June 8. Needless to say, the provided devices protected nobody's privacy and resulted in hundreds of arrests.

So, law enforcement would seem to be doing just fine, sucking the information out of the vast majority of targeted devices (often indiscriminately) while only occasionally running up against a tougher nut. Even in those cases, some jurisdictions allow for the issuance of warrants to compel the surrender of passwords, or else. That's a lot of arrows in cop quivers.

But governments still insist that "tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format," as a multi-national manifesto signed by the United States reiterated just last fall. Privacy protections of any sort, no matter how frequently bypassed, just seem to offend the sort of people who go into government.

That said, turnabout is fair play. Matthew Rosenfeld, the security researcher who, as Moxie Marlinspike, created the Signal secure messaging app, says it's possible to install software on your own device that will compromise the technology police use to extract data.

"[W]e found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed," he wrote in April of this year.

The privacy wars won't be cooling down anytime soon.

  1. By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite.

    Fell off a truck.

    1. A rutabaga truck, no doubt. Or was it carrying turnips?

  2. I remember reading a description of some phone's protection against brute force password cracking by erasing the phone after 10 failed attempts, or something like that. Immediately occurred to me that even if turning the phone off and back on resets the counter, it's still going to slow you down, and that a better way is to copy all internal storage to your own write-once read-mostly storage and fool the phone into using that memory instead of the real stuff so it can't erase itself. I wonder if Apple tries to prevent that?

    I've read of chips which have meltable internal links so they can literally fry themselves, and others which have small amounts of some kind of not-quite-explosive which self-destructs the chip if it is unsoldered from the board, presumably meant for military uses. No idea how reliable any of those are, or if the public can get them, or how much they cost. Could you trigger an actual chip melt-down to fry the processor or memory, and how could it detect being run from a variant which can't melt itself?

    The only real protection is a good long pass phrase which can't be brute-forced. Numeric pins don't cut it.

    1. Burner phone.

      1. No phone

    2. You just have to clone the part of the phone that does the checking, then brute force it offline - then you come back to the original device once you've discovered the password.

  3. I have a hard time taking you at face value on the subject since you and the rest of the staff here threw your support behind the ACAB crowd working diligently to minimize their crimes. I can no longer read you and think you want better accountability, but rather that this is another angle for you to tear down western civilization.

    1. Great word salad.

  4. Enemy of the State?

  5. Meh. We need some case law that establishes the use of any encryption as sufficient evidence of guilt.

  6. The government would have a better argument of 'acting with appropriate legal authority' if it hadn't tarnished such a reputation by repeatedly abusing said authority on several levels of government.

    1. this x 1000

  7. So let's say the OS companies build in an option to let users select whether police may access the records of one's machine's whereabouts for the last so-many hours. This does not mean that the device was necessarily in one's possession the whole time. Nor does it necessarily mean that the records in question were not altered. There's no data that can't be spoofed nor altered prior to time of equipment detainment.

    So what makes this data valuable in the first place if it cannot be considered reliable? And that would be user ignorance, uh-huh.

    But on a good day, if police use GPS records of the device to determine that it was nowhere near Devil's Tower, when J. Smith was murdered at 1015, then this could potentially be the quickest way to become a person of no interest.

    So why wouldn't it be in the best interests of some owners to offer privacy data selectively to police, if that means faster return of equipment?

    I suspect that police do not operate like that, and that they would image the internal & external disks, then log those onto optical disc or SSD for the investigation, and only then give the device back to its rightful owner. Because -- whatever the law allows.

    1. Optical…disc? What time zone are you in?
