Recently, The Night Owl wrote a piece about two gadgets that are reportedly capable of unlocking iPhones. One comes from an Israeli company, Cellebrite. The other emerges from a startup known as Grayshift, said to be run by former intelligence contractors and a former Apple security engineer.
A more recent report actually displays a photo of GrayKey in operation, and it strikes you as an old fashioned home built device without any effort at advanced industrial design. To me, it comes across as a gadget that might have been assembled back in the 1970s or 1980s.
Except from the front, where the sole modern implements consist of a pair of lighting cables.
According to MalwareBytes, GrayKey can work with two iPhones at the same time. The process of downloading special software, which is used to crack the device, takes two minutes or so. The operation is said to be similar to jailbreaking.
Regardless, decoding the actual password can take from hours to days depending on whether it’s a four-digit or six-digit passcode, but it will allegedly work regardless. What interests me is whether GrayKey is 100% effective or not. Obviously that cannot be proven without reports from independent reviewers with hands-on experience.
But in light of the reported success of Cellbrite, I wouldn’t doubt that the GrayKey technologies have the potential to succeed, yet the story is troubling in some ways.
First of all, Cellbrite and GrayKey are reportedly being sold strictly to law enforcement. I’ll assume they will follow the usual precautions to make sure customers of their products are authentic, and not criminal elements. On the other hand, how can they be absolutely sure that such devices aren’t being placed in the wrong hands, given to unsavory elements who want to hack iPhones? What about theft?
I understand about police and all, but what if thieves steal an iPhone to crack it? Maybe it’s owned by a chief software executive, or contains confidential blueprints for a new car or, perhaps, a top secret weapon. Sure, perhaps I’m just summating the plot, more or less, of any typical TV police procedural, but that doesn’t mean such things cannot happen.
Indeed, when the FBI asked Apple to create a back door for iOS in the wake of the San Bernardino, CA terrorist attack, the company warned that, even if the official hack was only meant for one user, its existence would create the potential for rogue countries and criminals to get ahold of that tool also. Apple’s vaunted security would be defeated.
Then again, if relatively inexpensive gadgets can routinely unlock iPhones, Apple is essentially off the hook when it comes to direct responsibility. I’d also wonder if Apple’s own security team is busy looking at such gear to figure out how they do what they do and to put a stop to it.
Not that I am opposed to allowing legitimate law enforcement authorities access to an encrypted tech device in order to solve a crime, protect the public. It’s one of the rights one cedes to some degree to save lives and property. If done with respect, it should be a normal part of the crime solving process. After all, Apple, Google and other tech companies do routinely work with law enforcement, and respond to subpoenas and other requests in order to provide an appropriate level of cooperation. But not access to encrypted gear.
That said, the relatively easy availability of hacking tools is sure to diminish security or the impression of security.
Then again, encrypted gear is something quite new in the scheme of things. Before such devices existed, there was no expectation that your mobile phone was secure. Before personal computers with security features appeared, there was no expectation that any electronics device was secure. If you didn’t have a safe — at least one not easily cracked — all of your stuff was prey to criminal elements.
Even if you have an iPhone X and all the privacy tools Apple can devise, nothing prevents a criminal from confronting you with a deadly weapon and demanding that you unlock it and let them examine it — or else! As I wrote in my original column on the subject, no security technique can possibly be perfect. Apple may be able to defeat these unlocking devices, and the manufacturers of these products will, in turn, find new schemes to regain control.
With all these stories, however, I wonder why it’s always all about Apple. Android isn’t even mentioned as an OS that requires specially-designed gear to allow the authorities to unlock such gear as part of an investigation. True, there’s a report this week that Google claims that its security level has finally matched that of the iPhone. Google has made lots of claims about Android, but it still has many of the same problems that have existed for years.
But even if Android has finally matched iOS, why are no companies touting tools to unlock a Samsung should the need arise? Is such a gadget necessary, or can the authorities unlock them with just a lone computer hacker at the local police station?