The latest FBI encryption scrap involves an iPhone 7 and iPhone 5. These should be easy to unlock with forensic hacking tools
The FBI isn’t happy with Apple – again. For the second time since 2016, officials have demanded the firm unlock iPhones belonging to an alleged high-profile criminal. But unlike in the case of Syed Farook, law enforcement agencies have a few more tricks they can pull.
This time, the FBI has asked Apple to help it get around the passcodes on two iPhones that are thought to belong to Mohammed Saeed Alshamrani. He has been named as the alleged gunman who killed three people in a shooting at a navy base in Florida that injured eight others. Alshamrani was shot and killed by law enforcement as the incident unfolded in December 2019.
The FBI and US attorney general William Barr have asked Apple to unlock the phones so they can access data and messages, including those from encrypted messaging apps. Barr said iPhones have been “engineered to make it virtually impossible to unlock them without the password”. President Donald Trump chimed in on Twitter: “They will have to step up to the plate and help our great Country, NOW”.
The two phones, according to New York Times sources, aren’t thought to be new devices. It’s believed they’re an iPhone 7, released in 2016 and the penultimate model with TouchID, and an iPhone 5, which was launched as far back as 2012. The public demands from US law enforcement echo those from 2016, when Apple and the FBI faced a legal standoff over access to an iPhone 5C.
But things have changed. “Assuming that reporting is accurate, the current outcry about Apple and encryption over the shootings on the Florida naval base seems a bit ridiculous,” says Thomas Reed, the director of Mac and mobile at security firm Malwarebytes. “Because they are older, those devices should be easily accessed by tools from Cellebrite or Grayshift that it is believed that the FBI already has in their possession.”
Both companies that Reed points to – Cellebrite and Grayshift – are one big difference between this spat and the one from 2016. They’re both secretive but produce forensic tools for inspecting and breaking into smartphones. Forensic devices usually attach to phones or desktop PCs and provide an automated way for data to be retrieved. Their popularity with government agencies and law enforcement has increased over the last few years.
Based in Israel, Cellebrite is a subsidiary of Japan’s Sun Corp, and makes big claims about its forensic phone tools. The company was reported to have helped unlock the 2016 iPhone after the FBI failed to access the device. Through its advanced services division, it says it can provide “unlocking and extraction” for iPhones from the 4S to the XS and XR, when the devices are running iOS 5 to iOS 12.
On January 14 the firm published a blog post saying how it can exploit the checkm8 iPhone jailbreak that has the potential to impact millions of devices. Cellebrite also updated its UFED Physical Analyser software to allow more information to be accessed from devices.
“For the first time ever, a wealth of previously untapped data sets from iOS devices can be leveraged to change the course of investigations,” Shahar Tal, a vice president at the company, wrote in an email to its customers. These include the FBI, US Department of Defense, US Army and other law enforcement agencies around the world.
“These tools have definitely made the job of law enforcement easier, as these organisations are able to use vulnerabilities in the hardware or in iOS to gain a very different level of access to data than a publicly-available jailbreak,” Reed says. “This is especially applicable on older devices, where there are known vulnerabilities that will never be patched.”
Apple is in a constant battle with companies trying to break into its products. Since the 2016 San Bernardino encryption fight, the firm has had an increased focus on privacy and security. To limit the capabilities of forensic devices that plug into phones, Apple introduced a USB restricting mode that requires a password to be entered every time a cable is connected.
In the case of Alshamrani, Apple says it provided investigators with access to his iCloud account and payment details, just not access to his physical devices. The company regularly works with law enforcement agencies, saying it has a team that works 24 hours a day, seven days a week answering questions from authorities around the world.
That hasn’t stopped forensic companies trying to break the latest iPhones. Grayshift’s technology is sold in two models: a $15,000 (£11,000) licence that allows 300 phones to be unlocked and an offline version that unlocks an unlimited number of devices. Its cheapness means smaller regional police forces, including those in the UK, have purchased licences to get into password-protected iPhones.
And it’s been successful. Court documents show the FBI has been able to pull information from new devices. As first reported by Forbes, last year investigators in Ohio used Grayshift’s GrayKey to unlock an iPhone 11 Pro Max. The apparent ability to unlock newer phones has led to questions around whether Alshamrani’s phones are being used as tools for a bigger anti-encryption political battle.
“My personal take on this is that it’s being used as a lever against encryption, rather than actually being a real issue,” Reed says. “If the FBI really is having trouble with cracking those devices, I’m sure there are many iOS researchers outside Cellebrite or Grayshift who could do the job for them.”
All Rights Reserved for Matt Burgess