DriveSavers launches passcode-beating iPhone cracking service for the public

Posted in iPhone, edited November 2018
Data recovery firm DriveSavers is now selling a "passcode lockout recovery" service claimed to be the first for the general public able to crack any iPhone.

The company's technology purportedly ensures a "100 percent success rate" with iPhones, regardless of passcode length, according to marketing. DriveSavers doesn't say exactly what means it's using, or offer an upfront price. Forensic-level recovery is typically expensive, however; Grayshift, for example, charges a minimum of $15,000 to law enforcement agencies.

To ensure people such as thieves don't abuse its service, DriveSavers is promising to validate legal rights to data during "all phases" of a recovery attempt.

Apple and forensics firms have been engaged in an unspoken race in which the latter exploit security vulnerabilities until Apple can fix them. Once a passcode is enabled, iPhones are protected with full-disk encryption, and trying to brute-force a passcode risks losing data completely if someone has chosen to enable a self-wipe after 10 failed attempts.

In October, a report revealed that Grayshift's GrayKey had been disrupted by iOS 12, limiting it to a "partial" extraction of unencrypted files and metadata.

For some law enforcement agencies it may be more practical to force a suspect to unlock a device via Face ID or Touch ID. U.S. police can't legally demand that someone turn over their passcode, but they can use biometrics. In some cases this approach has even been used with the dead.

Comments

  • Reply 1 of 35
    I am really pleased to see these companies producing products like this. We need genuinely secure encryption but we also need people trying (and succeeding) to break that encryption. These products also prove that law enforcement isn’t helpless in the face of encryption and therefore need backdoors, and so they rather should be investing in techniques to legally break the encryption.
  • Reply 2 of 35
    radarthekat Posts: 2,935 moderator
    The company hasn’t provided info on the means by which the unlock works? Could it be you have to install something on the device when you sign up, so that it can be accessed when you later find yourself locked out? Because if this is a vulnerability, for sure Apple will close it.
  • Reply 3 of 35
    So, is someone from AI going to call them and see if they can recover data from a “test” device? Or at least report back what they are told about the procedure and how much it costs?
  • Reply 4 of 35
    MplsP Posts: 1,008 member
    For some law enforcement agencies it may be more practical to force a suspect to unlock a device via Face ID or Touch ID. U.S. police can't legally demand that someone turn over their passcode, but they can use biometrics. In some cases this approach has even been used with the dead.
    That may not be practical - you can force a FaceID iPhone to require the password by pressing the side buttons for 2 seconds and it will automatically require it after 48 hours.
  • Reply 5 of 35
    I call BS on anybody that claims “100 percent success rate” for anything. Snake oil until they show us a PoC with a random security configuration sample set (audited by a 3rd party to ensure no funny business). Also, what is the use case here for a consumer that supposedly has legal access to the data? Dementia, death of a family member, an underage member of the family, etc? The legal ramifications alone make this a sketchy proposition.
  • Reply 6 of 35
    mfryd Posts: 111 member
    All they need is Apple's private encryption key.  With that they could run whatever software they want on the device.   This would allow them to bypass delays between subsequent password attempts, disable auto-erase, and turn off the remote wipe feature.

    If they have reverse-engineered Apple's private key from the public key, then their claims are quite believable.  If they've been using their corporate spare computer cycles over the past few years to look for this, perhaps they have gotten lucky?
  • Reply 7 of 35
    Their website seems legit and professional.

    We need a volunteer with some spare money.


  • Reply 8 of 35
    I'm sure Apple will send someone and figure out the "how" and the "how much".
  • Reply 9 of 35
    viclauyyc said:
    Their website seems legit and professional.

    We need a volunteer with some spare money.


    They have been around since 1985. So yeah they’re legit and professional.  They can retrieve data off of liquid damaged and dead iOS devices, but they’re pricey. 
  • Reply 10 of 35
    mfryd said:

    If they have reverse-engineered Apple's private key from the public key, then their claims are quite believable.  If they've been using their corporate spare computer cycles over the past few years to look for this, perhaps they have gotten lucky?
    A few problems with this thesis:

    1. Apple's private encryption key is more valuable on the black market than having to solicit orders from random end users with questionable means to pay.
    2. The sale of a company's private encryption key on the black market is likely to attract law enforcement.
    3. The computing power necessary to derive Apple's private encryption key is unlikely to be found in a single, non-state actor.
    4. If a solution to #3 can be found, the solution is more valuable than the private key itself. Indeed, it would make the person who discovered it the richest person alive.

  • Reply 11 of 35
    Soon to be blocked by Apple...end of story.
  • Reply 12 of 35
    What an extraordinary thing to produce, presumably only to show you can.  All very odd.
  • Reply 13 of 35
    1983 Posts: 1,146 member
    georgie01 said:
    I am really pleased to see these companies producing products like this. We need genuinely secure encryption but we also need people trying (and succeeding) to break that encryption. These products also prove that law enforcement isn’t helpless in the face of encryption and therefore need backdoors, and so they rather should be investing in techniques to legally break the encryption.
    Interesting point.
  • Reply 14 of 35
    georgie01 said:
    I am really pleased to see these companies producing products like this. We need genuinely secure encryption but we also need people trying (and succeeding) to break that encryption. These products also prove that law enforcement isn’t helpless in the face of encryption and therefore need backdoors, and so they rather should be investing in techniques to legally break the encryption.
    So which law enforcement agency do you work for? 
    In an ideal world, sure, I get it. Regrettably, state actors have consistently and determinedly ignored our collective right to privacy. Any ability to break encryption will be disseminated faster than the Salt Bae meme. Due process and legal oversight will be dispersed just as frivolously. 
  • Reply 15 of 35
    lkrupp Posts: 6,621 member
    viclauyyc said:
    Their website seems legit and professional.

    We need a volunteer with some spare money.


    That would be AppleInsider submitting a locked iPhone to them for their service, followed by a complete analysis of what actually happened, if the claims are true, and if there are any “yeah but” conditions that must be met first. How about a poll to encourage AppleInsider to do just that?
  • Reply 16 of 35
    I worked in IT for a couple of decades. I am exceedingly dubious of any tech firm that claims 100% success on anything. First rule of IT: no matter how good you are s*** happens.
  • Reply 17 of 35
    jimh2 Posts: 101 member
    brisance said:
    mfryd said:

    If they have reverse-engineered Apple's private key from the public key, then their claims are quite believable.  If they've been using their corporate spare computer cycles over the past few years to look for this, perhaps they have gotten lucky?
    A few problems with this thesis:

    1. Apple's private encryption key is more valuable on the black market than having to solicit orders from random end users with questionable means to pay.
    2. The sale of a company's private encryption key on the black market is likely to attract law enforcement.
    3. The computing power necessary to derive Apple's private encryption key is unlikely to be found in a single, non-state actor.
    4. If a solution to #3 can be found, the solution is more valuable than the private key itself. Indeed, it would make the person who discovered it the richest person alive.

    #4 says it all. No one would give a crap about unlocking iPhones if they could break encryption keys.
  • Reply 18 of 35
    Just a guess BUT It would not surprise me IF you have to enroll the device before taking advantage of the service. Perhaps installing something on your device now, in case you need to use this retrieval method, later. Perhaps a monthly subscription and such
  • Reply 19 of 35
    gatorguy Posts: 19,818 member
    lkrupp said:
    viclauyyc said:
    Their website seems legit and professional.

    We need a volunteer with some spare money.


    That would be AppleInsider submitting a locked iPhone to them for their service, followed by a complete analysis of what actually happened, if the claims are true, and if there are any “yeah but” conditions that must be met first. How about a poll to encourage AppleInsider to do just that?
    Rather than a poll how about a collection plate? Since it's a $3900 service maybe all those interested AI members will pony up a couple hundred each towards it to make it happen? ;)

    Anyway this looks like it's geared more towards someone who's suffering dementia, comatose, or passed away and family members need access to that person's phone. There's a whole bunch'a hoops to jump thru proving the need (ex. Death certificate for a deceased, several forms of personal ID for the living, etc) before the device is accepted. 
  • Reply 20 of 35
    Rayz2016 Posts: 4,556 member
    DAalseth said:
    I worked in IT for a couple of decades. I am exceedingly dubious of any tech firm that claims 100% success on anything. First rule of IT: no matter how good you are s*** happens.

    I attended a presentation once where the company sales director said his development team could guarantee their software was 100% bug free.

    We didn't partner with him because he was obviously lying.