The escalation of a long-term encryption conflict between the Department of Justice and Apple has intrigued security experts, who say that new hacking tools have allowed access to many of the company’s devices in criminal investigations.
On Monday, the pressure on Apple increased, and Mr. Barr described the company as unhelpful to the government, which is seeking to unlock two iPhones belonging to a Saudi aviation student who, according to authorities, killed three people at a Navy base in Florida last month. He described the phones as “designed to make it virtually impossible to unlock them without the password.”
Justice Department officials said they spent a month looking for ways to access two phones used by Second Lieutenant Mohammed Alshamrani, a member of the Saudi air force who allegedly opened fire in a classroom at the Pensacola Naval Air Station on December 6 before being shot and killed by sheriff’s agents. After consulting with experts and suppliers and being unable to get into the devices, an iPhone 5 and an iPhone 7, investigators contacted Apple directly, authorities said.
In a statement on Monday, Apple said the company was notified a week ago that the Federal Bureau of Investigation needed additional assistance. Apple was contacted on the day of the shooting and provided iCloud backups, account information and transaction data for an iPhone, a spokesman said. On Wednesday, January 8, Apple received a subpoena related to a second iPhone, he said.
Only a few years ago, many iPhones were almost impossible to decipher, but that is no longer true, say security experts and forensic examiners. Companies like Grayshift LLC, Cellebrite Mobile Synchronization Ltd. of Israel and others offer methods to recover data from recent iPhones.
“We have the tools to extract data from an iPhone 5 and 7 now,” said Andy Garrett, executive director of Garrett Discovery, a forensic investigation firm. “Everybody does it.”
Four years ago, in the last year of the Obama administration, the Justice Department tried to force Apple to create a software update, a “backdoor”, that would allow law enforcement to gain access to a phone connected to a dead gunman responsible for a 2015 terrorist attack in San Bernardino, California.
Apple refused, and continues to refuse, to grant access through a software update, saying it could be exploited by others. The FBI turned to a third party, spending more than $1 million to obtain data from an encrypted Apple iPhone 5C.
Today, the bureau could probably get that data for $15,000 or less, thanks to the new forensic tools it has bought in the last two years that have made intrusion into an iPhone much less daunting.
Changing security dynamics have undermined the Justice Department’s argument that Apple’s security is hampering investigations, forensic experts say.
“It’s a cat and mouse game. Apple blocks things, but if someone wants to find a way to get into these devices, they will find it,” said Sarah Edwards, digital forensic instructor at the SANS Institute, an organization that trains cybersecurity researchers.
In 2018, Grayshift began selling an iPhone hacking device for just $15,000 to law enforcement clients in the U.S. The Grayshift device took advantage of errors in Apple products to access the phone. Today, Israel’s Cellebrite offers software that can also retrieve data from recent iPhones.
In the past two years, Grayshift has sold its products to the U.S. Bureau of Prisons, the Drug Control Administration, the Internal Revenue Service and the FBI. The FBI has spent more than $1 million on Grayshift products, according to federal procurement records.
Georgia’s Gwinnett County, for example, began using the Grayshift device in 2018 and gained access to about 300 phones that year. Now, Chris Ford, an investigator at the district attorney’s office, is using the device to reopen cases that had been stalled because the phones involved could not be read before.
His office is now producing approximately three times more forensic data than before Grayshift, Ford said.
“It really opened the door for us in our investigation,” he said.
Grayshift representatives did not respond to messages seeking comment. Cellebrite representatives did not respond to messages seeking comment for this article.
Cellebrite has been able to access data on the iPhone 5 since at least 2015, according to forensic investigators and an online training video. The other phone involved in the Pensacola shooting, an iPhone 7, is also easier to read than before, according to people familiar with the investigation.
The forensic tools used to hack iPhones have improved recently, thanks to software called Checkm8 that exploits a vulnerability in Apple’s hardware. It allows forensic tools to download data, such as deleted files, that are often hidden even from iPhone users, security professionals say.
They say that a forensic tool created with Checkm8 works on all iPhone devices, from the iPhone 5s to the iPhone X, and exploits a hardware error that Apple cannot repair.
Researchers warn that there are many factors that can limit the data available to researchers on an iPhone, such as the version of the operating system, the complexity of the user’s access code and the status of the iPhone.
If the phones were turned off when the FBI obtained them, investigators would have to crack the iPhone’s access code before they could get detailed data on the phone, said Edwards, the digital forensic instructor.
But decrypting the access code is something for which both the Cellebrite device and the Grayshift device are designed, say forensic experts. “It can take a while to crack the access code,” Edwards said.
Sadie Gurman contributed to this article.
Write to Robert McMillan at [email protected]
Copyright © 2019 Dow Jones & Company, Inc. All rights reserved.