In February, rumors surfaced that Cellebrite, and Israel based tech firm, had discovered a way to unlock encrypted iPhones running iOS 11 and were marketing the product to law enforcement and private forensics firms around the world. It was also leaked that U.S. Department of Homeland Security had been testing the technology.
Shortly thereafter, a different tech firm, Grayshift, developed an inexpensive black box that could unlock any iPhone and has reportedly hired a former Apple engineer. It has now been reported that local and regional U.S. police departments and the federal government have been purchasing the technology to use in their stations.
Grayshift’s GrayKey de-encrypting device – a 4-in. x 4-in. box with two iPhone-compatible lightening cables – can unlock iPhones to reveal any personal information. The GrayKey box can apparently unlock an iPhone in about two hours if the owner used a four-digit passcode and three days or longer if a six-digit passcode was used.
What does this mean?
Digital security experts believe it to be true that the iPhone encryption has been cracked. If it were not true, law enforcement agencies wouldn’t be purchasing the hacking technology.
The FBI had maintained that they could hack into an iPhone until this technology was revealed the night before the San Bernardino gunman trial was set to go to court. That is when this iPhone hacking technology came to the forefront. Until last month, FBI Director Christopher Wray had maintained his agency was unable to crack the passcode on an iPhone used by Farook.
The Justice Department had petitioned the courts to force Apple to comply with an order to unlock the device; a judge granted the request, but delayed making a final decision until hearing arguments from both sides. The evening before a court hearing to decide the matter, the agency announced it had gotten help from an outside group.
Apple has stood firm that to break into one iPhone would weaken security for all others. The news that two iPhone unencrypting methods are now widely available to government agencies did not surprise analysts, who said it was inevitable. Experts believe that there is no such thing as an “impenetrable” encryption. The right decoder, with the right tools and enough time, will eventually break through security.
The GrayKey box retails for $15,000. That model is geofenced to a specific location, requiring an internet connection that enables up to 300 unlocks. There is also a $30,000 GrayKey model that can be used independent of internet connectivity and offers an unlimited number of device unlocks. According to reports Cellebrite charges $5,000 to unlock a single iPhone.
Consumers shouldn’t be overly concerned that iPhone hacking technology has become real because law enforcement agencies must still obtain a court-issued warrant to unlock a device. Consumers should realize that once cracking technology is available, it’s reasonable to believe law enforcement agencies won’t be the only ones to gain access to it.
Apple May Try To Limit Access
Apple may be taking its own steps to further limit unauthorized access to locked iOS devices. In its beta release of iOS 11.3, Apple introduced a feature known as USB Restricted Mode. The documentation described the new feature as a way to improve security. The feature was described in the fine print of the software update as: “For a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week.” If an iOS device is not unlocked after seven days, an iPhone’s or iPad’s lightning port turns into nothing more than a charging port, locking out any data connection at the USB-interface level.
Apple will continue to find new ways to innovate its security measures to maintain their status as most security mobil phone manufacturer. However, as digital threats increase and hackers become more savvy it will become increasingly difficult to maintain security. Datasmith encourages every mobil tech user to take the necessary steps to protect their data including: single sign on, protected internet networks, and cloud based storage.