As of iOS 8, Apple’s 8th generation mobile device operating system, Apple no longer has the ability to gain access to their mobile devices.
Despite requests from law enforcement agencies, the tech giant can’t assist with investigations as device encryption is handled locally on the device itself by the user’s passcode. Only the passcode can access the device; there is no master key or hidden back door.
Some may remember back to late 2015, when the FBI recovered an iPhone belonging to one of the perpetrators of the December 2015 San Bernardino terrorist attack. Apple iPhones are known to be incredibly secure once locked with a passcode and the following months saw announcements that the FBI was attempting to force Apple to assist in breaking the encryption securing the device.
The event was a topic of great discussion among tech communities. The FBI later took Apple to court, demanding that a new version with bypassed security features be developed. However, in March of 2016, the FBI announced that they had successfully unlocked the phone via an undisclosed third party.
More recently, US start-up Grayshift has emerged stating they have developed a device known as “GrayKey” that is capable of unlocking even the latest iOS devices with iOS versions as recent as 11.2.5 installed as of the writing of this article.
GrayKey is believed to exploit a vulnerability in iOS’s passcode security, which bypasses the delays in between attempting passcodes (for example, a user might have to wait 30 seconds after five failed attempts), enabling the GrayKey to initiate a brute force attack against the targeted iOS device.
GrayKey can very easily crack the passcode to the targeted device, even if the device is disabled, and extract the complete file system. GrayKey is currently unavailable to the general public, instead, it is being targeted toward law enforcement agencies presumably to keep the vulnerabilities that the GrayKey uses a secret. Little else is known about exactly how GrayKey works. Marketing materials leaked from private online police and forensics groups are the only sources of information. A Forbes source has stated that they witnessed the device successfully unlocking an iPhone X.
Such a device does come at a cost with each license limited to 300 unlocks costing an agency USD$15,000 and an unlimited license costing USD$30,000 which might seem expensive, however, it is rumoured that the FBI spending approximately USD$1 million to the contracted third party in the San Bernardino investigation.
It is likely that many law enforcement agencies will be interested in such a device, however, it is unknown how long it will take before Apple is made aware of the vulnerability that GrayKey exploits.
The topic of whether or not governments should be able to unlock a mobile device, particularly in a criminal investigation is a heavily debated. Should the general public have access to complex encryption? Many believe that in the wake of recent terrorist activities that law enforcement having the ability to unlock suspect devices is in the best interest of public safety. Though many fear that such ability could be used nefariously, for activities such as secret mass surveillance.
For more information on how to avoid a security hack on your mobile device speak with the team from Agilient today or click here for information on security measures to keep your data private permanently.