In spite of what some law enforcement agencies say, it’s becoming easier for them to unlock our mobile devices. Several reports now indicate that technology companies are providing police with ways to unlock an iPhone, the most secure of all popular mobile devices. Agencies have complained that Apple has prevented them from accessing iPhones during their investigations and say they have no other options.
Android phones have always been less of a problem to unlock because there are many more manufacturers with varying levels of the Android OS, the apps are less secure, and most of the phones rarely get updated when a vulnerability is found. That was noted earlier this week when it was reported that Facebook scraped Android phone users’ phone and message logs.
Apple has also taken the greatest care among the leading device manufacturers to protect its customers’ confidentiality. One of their arguments for not providing a backdoor to unlock their phones has been that once their phones are susceptible to being unlocked, that capability will be used not only by law enforcement agencies, but also by criminals, putting their customers at risk.
Apple’s position is:
We believe security shouldn’t come at the expense of individual privacy.
What we’re commonly asked for and how we respond.
Apple receives various forms of legal process requesting information from or actions by Apple. Apple requires government and private entities to follow applicable laws and statutes when requesting customer information and data. We contractually require our service providers to follow the same standard we apply to government information requests for Apple data.
Our legal team reviews requests to ensure that the requests have a valid legal basis. If they do, we comply by providing the narrowest possible set of data responsive to the request. If a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate, or overly broad, we challenge or reject the request.
We report on the requests every six months.
We’ll continue working for greater transparency and data security protections on behalf of our customers.
Apple has never created a backdoor or master key to any of our products or services.
We have also never allowed any government direct access to Apple servers. And we never will.
One company, Cellebrite, told Forbes that it can unlock all iOS versions up to version 11.2.6, the most recent iteration of Apple’s operating system. “With its service offering, Cellebrite can retrieve (without needing to root or jailbreak the device) the full file system to recover downloaded emails, third-party application data, geolocation data and system logs,” the company said.
Being able to break into iOS11 means being able to unlock all iPhones including the iPhone X, iPad, iPad mini, iPad Pro, and iPod touch.
Cellebrite, which is an Israeli firm and a subsidiary of Japan’s Sun Corporation, hasn’t made any formal announcements but has begun advertising its capabilities to law enforcement agencies and private security companies around the world. To use the service, customers need to send the phone to the company and pay about $1500 per unlock.
And a second company, GreyKey, is also offering a solution. According to Motherboard, police forces, such as the Maryland State Police, the Miami-Dade County Police, and the Indiana State Police, are now procuring a technology product that’s able to break into iPhones, including the iPhone X running the latest operating system, iOS 11. They’ve noted that GreyKey has been purchased by law enforcement agencies across the country. In addition, it’s been reported that the State Department and FBI have purchased this technology and that the Secret Service is planning to buy at least half a dozen GreyKey boxes to unlock iPhones.
The GreyKey device consists of a small box, 4 x 4 inches, and two Apple lightning connectors that connect to iPhones or iPads. The device is available in two versions, one that costs $15,000 and provides 300 unlocks and another version that costs $30,000 and unlocks an unlimited number of devices. According to reports, it can take anywhere from two hours to three days to unlock a phone with a digital password.
These devices are designed to overcome the encryption that Apple applies to user data. By encrypting all data, Apple will only allow user data to be accessed by someone with a password, fingerprint, or face identity, depending on the phone and user’s setup.
The ongoing debate has been about whether companies such as Apple should provide a “backdoor” that allows law enforcement agencies to access a phone to find evidence against a criminal. Now, with easy access to iPhone hacking tools such as the two described above, the FBI’s argument for introducing backdoors into consumer devices loses some weight.
Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, told Motherboard in a Twitter message, “It demonstrates that even state and local police do have access to this data in many situations….This seems to contradict what the FBI is saying about their inability to access these phones.” That opinion was echoed by Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, who said, “The availability and affordability of these tools undercuts law enforcement’s continual assertions that they need smartphone vendors to be forced to build ‘exceptional access’ capabilities into their devices.”
The issue of accessibility to iPhones surfaced in 2016 when the Department of Justice tried to force Apple to help them break into the iPhone 5C of one of the San Bernardino terrorists. They asked that Apple modify the security system to let the FBI quickly scroll through a sequence of passcodes to open the device without causing the iPhone’s delay feature to activate and without the phone automatically wiping its contents. Apple refused. With these new solutions from the Israeli firm and GreyKey, it may be that such a request is no longer needed.
While adding an iPhone backdoor is what law enforcement wants, Apple will continue to refuse to do it. In fact, it’s likely they will update their security systems to try to defeat these two new products. It will continue to be a cat and mouse game.