As Justice Department Pressures Apple, Investigators Say iPhone Easier to Crack
Security experts question necessity of latest battle over encryption as new tools emerge
By Robert McMillan
Jan. 14, 2020 8:55 am ET
The escalation of a long-running encryption conflict
between the Justice Department and Apple Inc. has
puzzled security experts who say that new hacking tools have made it possible
to gain access to many of the company’s devices in criminal investigations.
Attorney General William Barr ratcheted up pressure on Apple on Monday, painting the
company as unhelpful to the government as it seeks to unlock two iPhones
belonging to an aviation student from Saudi Arabia who authorities say killed three people at a Florida Navy base last
month. Mr. Barr described the phones as “engineered to make it virtually
impossible to unlock them without the password.”
Justice Department officials said they spent a month seeking
ways to access two phones used by Second Lt. Mohammed Alshamrani, a member of
the Saudi air force who allegedly opened fire in a classroom at Naval Air
Station Pensacola on Dec. 6 before being shot and killed by sheriff’s deputies.
After consulting with experts and vendors and failing to break into the
devices—an iPhone 5 and an iPhone 7—investigators reached out to Apple
directly, officials said.
In a statement Monday, Apple said the company was notified a
week ago that the Federal Bureau of Investigation needed additional assistance.
Apple was contacted on the day of the shooting and provided iCloud backups,
account information and transactional data for one iPhone, a spokesman said. On
Wednesday Jan. 8, Apple received a subpoena related to a second iPhone, he
said.
Just a few years ago, many iPhones were almost impossible to
crack, but that is no longer true, security experts and forensic examiners say.
Companies including Grayshift LLC, Israel’s Cellebrite Mobile Synchronization
Ltd. and others offer methods to retrieve data from recent iPhones.
“We’ve got the tools to extract data from an iPhone 5 and 7
now,” said Andy Garrett, a chief executive of Garrett Discovery, a forensics
investigation firm. “Everybody does.”
Four years ago, in the final year of the Obama administration,
the Justice Department tried to force Apple to create a software update—a
“backdoor”—that would allow law enforcement to gain access to a phone linked to
a dead gunman responsible for a 2015 terrorist attack in San Bernardino, Calif.
Apple refused, and it continues to refuse to grant access via a
software update, saying it could be exploited by others. The FBI turned to a third party, spending more than $1
million to obtain data from an encrypted Apple iPhone 5C.
Today, the bureau could likely obtain that data for $15,000 or
less, thanks to new forensics tools it has purchased over the past two years
that have made breaking into an iPhone much less daunting.
The changing security dynamics have undermined the Justice
Department’s argument that Apple’s security is hampering investigations,
forensics experts say.
“It’s a cat-and-mouse game. Apple locks things, but if someone
wants to find a way to get into these devices, they will find a way,” said
Sarah Edwards, a digital forensics instructor with the SANS Institute, an
organization that trains cybersecurity investigators.
In 2018, Grayshift began selling an iPhone hacking device for as
little as $15,000 to law enforcement customers in the U.S. The Grayshift device
leveraged bugs in Apple’s products to access the phone. Today, Israel’s
Cellebrite offers software that can also retrieve data from recent iPhones.
In the past two years, Grayshift has sold its products to the
U.S. Bureau of Prisons, the Drug Enforcement Administration, the Internal
Revenue Service and the FBI. The FBI has spent more than $1 million on
Grayshift products, according to federal procurement records.
Georgia’s Gwinnett County, for example, started using the
Grayshift device in 2018 and gained access to about 300 phones that year. Now,
Chris Ford, an investigator with the district attorney’s office, is using the
device to reopen cases that had gone cold due to phones that were previously
unreadable.
His office is now producing about three times as much forensics
data as it did before Grayshift, Mr. Ford said.
“It’s really opened the door for us in our investigation,” he
said.
Grayshift representatives didn’t return messages seeking
comment. Cellebrite representatives didn’t return messages seeking comment for
this article.
Cellebrite has been able to gain access to data on the iPhone 5
since at least 2015, according to forensic investigators and an online training
video. The other phone involved in the Pensacola shooting—an iPhone 7,
according to people familiar with the investigation—is also more easily
readable than it once was.
Forensic tools used to hack into iPhones have been enhanced
recently, thanks to software called Checkm8 that exploits a vulnerability in
Apple’s hardware. It allows forensics tools to download data, such as deleted
files, that is often hidden from even the users of the iPhone, security
professionals say.
A forensics tool built with Checkm8 works on all iPhone devices
from the iPhone 5s to the iPhone X, and exploits a hardware bug that Apple is
unable to patch, they say.
Investigators caution that there are many factors that can limit
the data available to investigators on an iPhone, such as the version of the
operating system, the complexity of the user’s passcode and the state of the
iPhone itself.
If the phones were powered off when the FBI obtained them, then
investigators would have to crack the iPhone’s passcode before they could
obtain detailed data on the phone, said Ms. Edwards, the digital forensics
instructor.
But cracking the passcode is something that both Cellebrite and
Grayshift’s device are designed to do, forensics experts say. “It may just take
a while to crack the passcode,” Ms. Edwards said.
—Sadie Gurman contributed to this article.