Apple does not take kindly to law-enforcement agencies circumventing its device protections. And now the company may have shut down at least one workaround.
Credit: Tom's Guide
Apple's latest mobile operating system, iOS 12, reportedly blocks the GrayKey iPhone-unlocking boxes used by many police departments, Forbes is reporting, citing "sources familiar" with GrayKey technology.
If this is true, the defeat of GrayKey removes a useful tool from ordinary police agencies' digital-forensics arsenal, and may slow down or kill many ongoing investigations. (The National Security Agencies and other intelligence agencies presumably have other ways of getting into iPhones.)
In March, Forbes discovered that an American company named Grayshift had devised a way to brute-force iOS lockscreen passcodes with a relatively inexpensive device called GrayKey, which is a small box with two Lightning cable poking out.
Grayshift sells GrayKey boxes to law-enforcement agencies in North America and the U.K. to aid them in their investigations. A $15,000 GrayKey is good for up to 300 iPhone unlocks; for $30,000, you get unlimited unlocks.
That may seem expensive, but it's a lot cheaper and easier than competing technology offered by Israeli firm Cellebrite, which charges $5,000 for a single iPhone unlock and generally requires cops to send the iPhone to a Cellebrite facility. With GrayKey, police can run the unlocking procedure themselves.
A GrayKey iPhone-unlocking device. Credit: Malwarebytes
According to the Forbes report, GrayKey can still extract "partial" information, such unencrypted information and metadata, from iPhones and iPads running iOS 12.
Previously, GrayKey was able to extract both unencrypted and encrypted data from the devices by somehow overcoming Apple's rate limitations on brute-force screen-passcode guesses. A four-digit PIN might take a couple of hours to "brute force"; a six-digit PIN, which Apple now makes mandatory, could take up to three days. Long alphanumeric passcodes would take much longer.
Ordinarily, typing in an iPhone lockscreen passcode incorrectly more than three or four times in succession requires a brief "cooling off" period before you can try again. The more incorrect guesses you make, the longer the "time out" becomes.
It's not clear how Grayshift figured out how to bypass Apple's incorrect-guess rate limitations, or whether Cellebrite uses similar methods. Nor is it clear, despite some attempts by Grayshift and others, to figure out how Apple defeated GrayKey.
Security expert Vladimir Katalov, who heads up Russian forensic security company Elcomsoft, told Forbes that he has "no idea" what Apple did to overcome the GrayKey workaround. He suggested Apple might have improved the operating system's kernel or strengthened its configuration profiles, which give users the ability to create customized app experiences.
Katalov's professed ignorance is significant because Elcomsoft discovered back in May that Apple was experimenting with something called "USB Restricted Mode." That feature, which first showed up in a beta version of iOS 11.4.1 and now is part of iOS 12, disables the data-transfer capabilities of an iPhone's Lightning connector if the phone stays locked for more than an hour.
Somehow, Katalov doesn't think USB Restricted Mode is what's stymied GrayKey, even though that's exactly what the new feature seems to have been designed to do.
Apple has been one of the most vocal supporters of device encryption and privacy in the technology industry. Despite the insistence from law-enforcement officials and politicians that access to digital devices -- with a search warrant -- is essential to letting police and other investigators do their jobs, Apple continues to improve device security.