On The Same Day The FBI Claimed No Vendor Could Crack IPhones, Another Way To Crack IPhones Made The News
from the way-to-stay-ahead-of-the-news-cycle,-Chris dept
At the same time the FBI director was claiming the private sector (other than Apple) couldn't help agents break into encrypted iPhones, the private sector was once again demonstrating it could do exactly that. Chris Wray's remarks to the press centered less on the underwhelming news that the FBI had conclusively linked the Pensacola Air Base shooter to al Qaeda than on Apple's supposed unhelpfulness.
The FBI claimed it had found a way to access data on the shooter's phones, but provided no details on its method. Maybe agents brute forced a passcode. Maybe they just found a side door that allowed them to exfiltrate the data they were looking for. Whatever it was, it wasn't something provided by a vendor. In fact, Chris Wray went so far as to claim the media was misleading the public about the availability of encryption-breaking/bypassing tech.
We canvassed every partner, and every company, that might have had a solution to access these phones. None did, despite what some claimed in the media.
Within a few hours of this assertion by Wray, the media was again reporting on another tech solution for encrypted iPhones. Here's Olivia Solon for NBC News:
[A]nother tool, previously unknown to the public, doesn't have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.
The software is deployed by existing GrayKey devices -- the same ones Grayshift claims can crack iPhone passcodes by installing a user agent to bypass Apple's lockout countdown. This would be the same software/hardware Chris Wray claims can't do any of these things, despite extensive reporting on claims the manufacturer itself makes.
After dropping the surreptitious tracker on the targeted phone, the phone is returned to the suspect in hopes that they'll input their passcode.
For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.
The software also disables airplane mode and disables wiping of the device. A snapshot of the system is taken to track any attempted deletion of phone contents.
This seems to do all the things the FBI claims no one can actually do. Sure, it won't scale -- especially since it requires a fair bit of subterfuge on the part of investigators and relies on the trust of criminal suspects who might find it suspicious their seized phone has suddenly been returned to them. But no technique for bypassing encryption ever will. And none of them should.
Asking a suspect for the combination to a safe will only unlock that safe, not every safe seized during searches. Phones are as unique as the individuals carrying them. So are the circumstances surrounding the attempted searches. One size should not fit all and the encryption backdoors Chris Wray wants only ensure everyone -- criminal or not -- will be negatively affected by law enforcement's newly-greased wheel.
Then there's the secrecy surrounding this tech. The NDAs Grayshift force on law enforcement customers means judges, defendants, and defense lawyers aren't being told what's being used to open up phones and search their contents. We've spent years detailing the opacity shrouding the deployment of Stingray devices -- something that has allowed law enforcement to avoid having warrant requirements imposed on them. The same thing is happening here. There's a legal way to do this. But the secrecy imposed by the tech provider tends to provide the cover officers need to operate these unlawfully. Here's the best case scenario, followed immediately by the most likely scenario.
“Law enforcement use of this ‘agent’ keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society. “In general, I don't think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized.”
There are solutions out there. And they're not legislative mandates compelling assistance breaking encryption or backdoors for law enforcement. There are ways to bypass or crack what Bill Barr and Chris Wray have decided to call "warrant-proof encryption." Pretending there isn't while using an investigation press conference as a grandstand for Apple bashing isn't moving the conversation forward. It's just giving everyone one more reason not to trust Bill Barr or Chris Wray.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: chris wray, cracks, encryption, fbi, hide ui, iphone
Companies: apple, grayshift
Reader Comments
Subscribe: RSS
View by: Time | Thread
Wait a minute...
How does law enforcement install this HideUI software onto the phone if it's locked? And if law enforcement can unlock the phone to install software, then why give it back to the owner? I've never used Apple products, so what am I missing?
[ link to this | view in chronology ]
Re: Wait a minute...
Good question. The article says "passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device" so that seems like the spyware is installed via previous wired connection to the GrayKey device.
Can any tech gurus explain what appears to be a gaping hole in iPhone security? I guess I am missing something, too.
[ link to this | view in chronology ]
Re: Re: Wait a minute...
Is it a hole or an unadvertised feature?
[ link to this | view in chronology ]
Re: Re: Wait a minute...
I'm now convinced that the article is a little deceptive. The magic is not that they built a keylogger, that's certainly old news to us. The REAL magic is that they've found an exploit whereby someone with physical access can install software. And although this installed software does not have unlimited privileges, it is enough to perform a keylogger. The article must have left out this important part.
[ link to this | view in chronology ]
Re: Re: Re: Wait a minute...
People find bugs that may require complicated exploits. They don't always report them as a CVE. The article doesn't leave out an important part, this is the Graykey business secret and part of a reason for NDAs. The article never claimed, nor would it, that the bug and exploit(s) were known.
P.S. one does not necessarily need to "install software", unless you call things like manually inserting stuff into memory, etc., as "installing software".
[ link to this | view in chronology ]
'Unless we have everything we don't have anything'
It's not so much that no vendor can provide what access to a phone(they very much can), it's that the companies making the devices are so far stubbornly refusing to provide access to all of the phones.
The FBI doesn't want access to individual devices they want access to all of them, without any work on their end beyond 'give us access' and without the ability of the accused to refuse or ideally even know that the FBI now has access.
[ link to this | view in chronology ]
I think you're misinterpreting Wray
I think he means that no vendor has the ability to crack an iPhone if the phone's user is unavailable/dead. The exploit this article covers requires that the phone's user be available.
[ link to this | view in chronology ]
You have it all wrong
The cops claiming there was no way into the phones was because they wanted a court to issue ruling granting them official access. That's all.
They already had and probably had used those commercial tools to gain access BUT that evidence is problematic to use without a court saying it's OK. And the best way to get a court to do that, and ensure that it always works, is to get them to force Apple to do what they want. It's not that they really need Apple to cooperate. They don't want cooperating. They want to force them so they don't have to do more than ask and it's done.
But the song and dance about not having a way in is just PR BS designed to make Joe Q. Public feel like the gubmint is not already fully capable of getting into the stupid private phones full of lunch photos and porn fanfics. If the public relaxes and takes their eyes off the fight, then it's that much easier to get it done. Meanwhile, Apple knows the game is already over and doesn't want the court pushing them around. So they fight it to make themselves look good, to keep up the illusion of privacy which makes the fans rabid and drooling, and a third thing I forgot. It's been a long day.
[ link to this | view in chronology ]
Digging It's Hole Ever Deeper
DoJ/FBI have shown zero evidence of having cracked an iPhone. They have offered unsubstantiated claims of paying exorbitant prices to third parties for cracking services. They whine: 1) it's too hard for us; 2) it slows our prosecution of the war on evil; 3) it's soooo expensive - think of the tax-payer.
1) It's supposed to be hard - good (keeps out bad guys without nation-state levels of funding to target individuals).
2) Being required to get warrants and follow The Law in general slows police processes - that's how our system is supposed to work.
3) The whole U.S. legal system is vastly expensive by design - that's what it takes to avoid crushing the innocent at the risk of letting bad guys go free on occasion (an intent more than a little imperfectly realized in practice).
The interesting possibility here is that DoJ/FBI's pretense of access to resources that CAN overwhelm hard encryption gives us mere citizen types another basis for rejecting backdoors. Not only are backdoors the potential ruination of secure e-commerce on a global scale, but the cracking is an entirely viable option for a price that's a bargain at the level of nation-state funding.
[ link to this | view in chronology ]
Red herring
Implicit in the law enforcement claim that they need access to a phone in order to see who the phone's user has been contacting is hilariously false. Carriers keep records of connections they make for their customers.
[ link to this | view in chronology ]
Funny how it's always about cracking iPhones being such an issue, but where's Android? You never hear anything about having problems cracking Android phones. It's never mentioned. So clearly Android is not a big deal. It's always iPhone.
[ link to this | view in chronology ]