By Robert McMillan
The escalation of a long-running encryption conflict between the
Justice Department and Apple Inc. has puzzled security experts who
say that new hacking tools have made it possible to gain access to
many of the company's devices in criminal investigations.
Attorney General William Barr ratcheted up pressure on Apple on
Monday, painting the company as unhelpful to the government as it
seeks to unlock two iPhones belonging to an aviation student from
Saudi Arabia who authorities say killed three people at a Florida
Navy base last month. Mr. Barr described the phones as "engineered
to make it virtually impossible to unlock them without the
Justice Department officials said they spent a month seeking
ways to access two phones used by Second Lt. Mohammed Alshamrani, a
member of the Saudi air force who allegedly opened fire in a
classroom at Naval Air Station Pensacola on Dec. 6 before being
shot and killed by sheriff's deputies. After consulting with
experts and vendors and failing to break into the devices -- an
iPhone 5 and an iPhone 7 -- investigators reached out to Apple
directly, officials said.
In a statement Monday, Apple said the company was notified a
week ago that the Federal Bureau of Investigation needed additional
assistance. Apple was contacted on the day of the shooting and
provided iCloud backups, account information and transactional data
for one iPhone, a spokesman said. On Wednesday Jan. 8, Apple
received a subpoena related to a second iPhone, he said.
Just a few years ago, many iPhones were almost impossible to
crack, but that is no longer true, security experts and forensic
examiners say. Companies including Grayshift LLC, Israel's
Cellebrite Mobile Synchronization Ltd. and others offer methods to
retrieve data from recent iPhones.
"We've got the tools to extract data from an iPhone 5 and 7
now," said Andy Garrett, a chief executive of Garrett Discovery, a
forensics investigation firm. "Everybody does."
Four years ago in the final year of the Obama administration,
the Justice Department tried to force Apple to create a software
update -- a so-called "backdoor" -- that would allow law
enforcement to gain access to a phone linked to a dead gunman
responsible for a 2015 terrorist attack in San Bernardino,
Apple refused, and it continues to refuse to grant access via a
software update, saying it could be exploited by others. The FBI
turned to a third party, spending more than $1 million to obtain
data from an encrypted Apple iPhone 5C.
Today, the bureau could likely obtain that data for $15,000 or
less, thanks to new forensics tools it has purchased over the past
two years that have made breaking into an iPhone much less
The changing security dynamics have undermined the Justice
Department's argument that Apple's security is hampering
investigations, forensics experts say.
"It's a cat-and-mouse game. Apple locks things, but if someone
wants to find a way to get into these devices, they will find a
way," said Sarah Edwards, a digital forensics instructor with the
SANS Institute, an organization that trains cybersecurity
In 2018, Grayshift began selling an iPhone hacking device for as
little as $15,000 to law enforcement customers in the U.S. The
Grayshift device leveraged bugs in Apple's products to access the
phone. Today, Israel's Cellebrite offers software that can also
retrieve data from recent iPhones.
In the past two years, Grayshift has sold its products to the
U.S. Bureau of Prisons, the Drug Enforcement Administration, the
Internal Revenue Service and the FBI. The FBI has spent more than
$1 million on Grayshift products, according to federal procurement
Georgia's Gwinnett County, for example, started using the
Grayshift device in 2018 and gained access to about 300 phones that
year. Now, Chris Ford, an investigator with the district attorney's
office, is using the device to reopen cases that had gone cold due
to phones that were previously unreadable.
His office is now producing about three times as much forensics
data as it did before Grayshift, Mr. Ford said.
"It's really opened the door for us in our investigation," he
Grayshift representatives didn't return messages seeking
comment. Cellebrite representatives didn't return messages seeking
comment for this article.
Cellebrite has been able to gain access to data on the iPhone 5
since at least 2015, according to forensic investigators and an
online training video. The other phone involved in the Pensacola
shooting -- an iPhone 7, according to sources familiar with the
investigation -- is also more easily readable than it once was.
Forensic tools used to hack into iPhones have been enhanced
recently, thanks to software called Checkm8 that exploits a
vulnerability in Apple's hardware. It allows forensics tools to
download data, such as deleted files, that is often hidden from
even the users of the iPhone, security professionals say.
A forensics tool built with Checkm8 works on all iPhone devices
from the iPhone 5s to the iPhone X, and exploits a hardware bug
that Apple is unable to patch, they say.
Investigators caution that there are many factors that can limit
the data available to investigators on an iPhone, such as the
version of the operating system, the complexity of the user's
passcode and the state of the iPhone itself.
If the phones were powered off when the FBI obtained them, then
investigators would have to crack the iPhone's passcode before they
could obtain detailed data on the phone, said Ms. Edwards, the
digital forensics instructor.
But cracking the passcode is something that both Cellebrite and
Grayshift's device are designed to do, forensics experts say. "It
may just take a while to crack the passcode," Ms. Edwards said.
Sadie Gurman contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
January 14, 2020 09:10 ET (14:10 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.