iPhone spyware lets police log suspects’ passcodes when cracking doesn’t work
Apple faces a near-constant challenge: keeping its iPhones secure.
The company has spent years and untold millions of dollars squaring off against a small but talented industry that works to figure out ways to help law enforcement break into iPhones. Currently, security experts believe that tools sold to police struggle to crack iPhone passcodes longer than six digits.
But another tool, previously unknown to the public, doesn’t have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.
The spyware, a term for software that surreptitiously tracks users, has been available for about a year but this is the first time details of its existence have been reported, in part because of the non-disclosure agreements police departments sign when they buy a device from Grayshift known as GrayKey.
Those NDAs have helped keep Hide UI a secret. Because of the lack of public scrutiny of the feature as well as its covert behavior, defense attorneys, forensic experts and civil liberties advocates are concerned that Hide UI could be used without giving owners the due process of law, such as a warrant.
“This is messed up. Public oversight of policing is a fundamental value of democracy,” said Jennifer Granick, an attorney from the ACLU. “With these kinds of novel tools we see a real desire for secrecy on the part of the government.”
It’s also the latest move in a cat-and-mouse game between law enforcement and Apple. The company famously refused to unlock an iPhone for the FBI in the case of the San Bernardino terrorist shooting, arguing that doing so would make its phones less secure. On Monday, the FBI said it was able to access the iPhone of a gunman who shot his fellow students at Pensacola Air Station in Florida. A person familiar with the situation who was not authorized to speak publicly said the phone was cracked by guessing its password, which is the more common way law enforcement has gotten into iPhones.
In the absence of help from Apple, law enforcement officials have relied on companies like Grayshift and Cellebrite to find vulnerabilities in Apple’s software and hardware and build tools that can bypass the iPhone’s security features.
Grayshift, an Atlanta-based company run by security engineers, declined to comment on the existence of Hide UI but stressed that it works to make sure its technology is used lawfully.
“Grayshift develops technology that allows law enforcement agencies to gain access to critical digital evidence during the course of criminal investigations,” said David Miles, CEO of Grayshift. “We take every precaution to ensure that access to our technology is limited, and our customer agreements require that it be used lawfully. Our customers are law enforcement professionals of the highest caliber who use our tool only with appropriate legal authority.”
Apple declined to comment.
The GrayKey device, first revealed by Forbes and detailed by security blog Malwarebytes, is a small box with two iPhone lightning cables sticking out of it that was launched in March 2018. Law enforcement officials can plug any recent model of iPhone into the cables to install an “agent” (a piece of software) on the device. The agent then attempts to crack the passcode, offering an estimate for how much time it might take.
It can take minutes to crack a four-digit pin and less than a day to crack a six-digit pin, according to calculations by cryptographer Matthew Green, an Associate Professor of Computer Science at the Johns Hopkins Information Security Institute. For eight- and 10-digit passcodes it can take weeks or years. It is under these circumstances that Hide UI provides a way to get access to the device more quickly.
“If the standard agent doesn’t work, we can move to Plan B, which is Hide UI,” said one law enforcement professional familiar with the system.
In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect, said the people familiar with the system, who did not wish to be identified for fear of violating their NDA with Grayshift and having access to the device revoked.
For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.
“It’s great technology for our cases, but as a citizen I don’t really like how it’s being used. I feel like sometimes officers will engage in borderline and unethical behavior,” the law enforcement official said.
A second law enforcement official said that the software was “buggy” and that it was often easier to get the suspect to hand over their passcode during interrogation than to use the subterfuge required for Hide UI to work.
A screenshot of an iPhone X with Hide UI installed was shared with NBC News after it was posted in an online forum for digital forensics specialists. Its authenticity was confirmed by one of the law enforcement officials.
The screen shot showed a message on the screen of the iPhone stating that Hide UI also disables airplane mode and prevents anyone from wiping the device. This was corroborated by one of the law enforcement sources.
Legality and secrecy
Both of the law enforcement sources that NBC News spoke to said that they would only plug a phone into the GrayKey device if they had a search warrant.
However, forensic experts working with defense attorneys said they fear that Hide UI may be being used without a warrant by law enforcement officers looking for shortcuts, possibly by arguing “exigent circumstances,” given some of the time restrictions Apple has imposed around getting data off its phones. NBC News has not independently confirmed that the feature has been used without a warrant.
More Top Stories
Florida recorded more than 12,600 new coronavirus cases on Monday, its second-highest daily total since the outbreak began, coinciding with the state’s attempt to revive …read more
President Donald Trump on Monday took swipes at health experts in his government leading the U.S. response to the coronavirus outbreak, as his relationship further …read more
U.S. stock index futures rose on Monday as Pepsi kicked off the second-quarter earnings season on a bright note, with a multi-billion dollar semiconductor deal …read more
The NFL’s Washington team announced on Monday it will retire its Redskins name and logoread more
Southwest Airlines Chief Executive Gary Kelly told employees on Monday it needs a dramatic jump in passenger demand or it will be forced to take …read more
Private investment firms that manage the fortunes of wealthy individuals and their kin were approved for millions of dollars in taxpayer-funded relief loans designed to …read more