Over 2,000 law enforcement agencies have iPhone encryption-breaking tools
Law enforcement agencies across the United States have tools to access data stored on encrypted iPhones, a report claims, with at least 2,000 agencies in the country now having the means to gain access to further their criminal investigations.
A forensics tool from Cellebrite used to access iPhones and other smartphones
The long-running encryption debate has always centered around the idea that members of law enforcement were not able to acquire evidence from devices and services due to the use of encryption, necessitating requests for backdoors to be put in place. In a new report, it seems that the calls for backdoor access may not be needed at all.
According to a report by Washington nonprofit Upturn seen by the New York Times, it is claimed that at least 2,000 law enforcement agencies across all 50 states have tools to be able to access locked and encrypted smartphones. The information was determined by analyzing years of public records relating to the agencies and their investigations.
It is thought that at least 49 out of the 50 largest police departments in the United States have the tools to gain access, as well as a number of smaller towns and counties. For areas that do not own the tools, they often turn the smartphones over to state or federal crime labs that typically do have them.
These tools can take the form of GrayShift's GrayKey, a small device capable of unlocking secured iPhones. Federal law enforcement and local police departments have been buying the tool for a few years, paying tens of thousands of dollars for the hardware.
In cases where the tools don't do the job, the devices can be sent to services such as Cellebrite for unlocking. Invoices reveal Cellebrite charges around $2,000 per device unlock, and sold a premium tool to the Dallas Police Department for $150,000.
The ease of access to the tools has also emboldened law enforcement's use of the equipment, ranging from major crimes such as homicides and rape to lesser crimes, including instances of shoplifting. Such minor cases include warrants to search phones in Fort Worth concerning marijuana valued at approximately $220, as well as a fight at a McDonald's in Coon Rapids, Minn. over $70.
It is reckoned hundreds of thousands of smartphones have been searched over the last five years.
Despite the number of agencies possessing the tools and actively using them, some still find the existence of tough encryption to be a problem. The expense and the time it takes to unlock a device are still issues to law enforcement, with Manhattan district attorney Cyrus R. Vance Jr testifying to Congress in December 2019 "We may unlock it in a week, we may not unlock it for two years, or we may never unlock it."
The existence of the tools "have served as a kind of a safety valve for the encryption debate," Stanford University researcher Riana Pfefferkorn suggests, but it has changed what law enforcement demands. "Instead of saying 'We are unable to get into devices,' they now say 'we are unable to get into these devices expeditiously."
This need for speed of access has enabled law enforcement officials to continue calls for changes that would force companies like Apple and Google to add backdoors to their services, such as bills proposed in Congress to create such items.
In October, the US Department of Justice working with other "Five Eyes" nations issued a statement demanding the creation of backdoors, insisting they get created to "act against illegal content and activity effectively with no reduction in safety. In effect, the creation of a backdoor that only law enforcement could access that maintains security for everyone else.
Critics argue that the very creation of a backdoor weakens encryption as a whole, as bad actors would simply attack the backdoor as an easier point of access to the data.
A forensics tool from Cellebrite used to access iPhones and other smartphones
The long-running encryption debate has always centered around the idea that members of law enforcement were not able to acquire evidence from devices and services due to the use of encryption, necessitating requests for backdoors to be put in place. In a new report, it seems that the calls for backdoor access may not be needed at all.
According to a report by Washington nonprofit Upturn seen by the New York Times, it is claimed that at least 2,000 law enforcement agencies across all 50 states have tools to be able to access locked and encrypted smartphones. The information was determined by analyzing years of public records relating to the agencies and their investigations.
It is thought that at least 49 out of the 50 largest police departments in the United States have the tools to gain access, as well as a number of smaller towns and counties. For areas that do not own the tools, they often turn the smartphones over to state or federal crime labs that typically do have them.
These tools can take the form of GrayShift's GrayKey, a small device capable of unlocking secured iPhones. Federal law enforcement and local police departments have been buying the tool for a few years, paying tens of thousands of dollars for the hardware.
In cases where the tools don't do the job, the devices can be sent to services such as Cellebrite for unlocking. Invoices reveal Cellebrite charges around $2,000 per device unlock, and sold a premium tool to the Dallas Police Department for $150,000.
The ease of access to the tools has also emboldened law enforcement's use of the equipment, ranging from major crimes such as homicides and rape to lesser crimes, including instances of shoplifting. Such minor cases include warrants to search phones in Fort Worth concerning marijuana valued at approximately $220, as well as a fight at a McDonald's in Coon Rapids, Minn. over $70.
It is reckoned hundreds of thousands of smartphones have been searched over the last five years.
Despite the number of agencies possessing the tools and actively using them, some still find the existence of tough encryption to be a problem. The expense and the time it takes to unlock a device are still issues to law enforcement, with Manhattan district attorney Cyrus R. Vance Jr testifying to Congress in December 2019 "We may unlock it in a week, we may not unlock it for two years, or we may never unlock it."
The existence of the tools "have served as a kind of a safety valve for the encryption debate," Stanford University researcher Riana Pfefferkorn suggests, but it has changed what law enforcement demands. "Instead of saying 'We are unable to get into devices,' they now say 'we are unable to get into these devices expeditiously."
This need for speed of access has enabled law enforcement officials to continue calls for changes that would force companies like Apple and Google to add backdoors to their services, such as bills proposed in Congress to create such items.
In October, the US Department of Justice working with other "Five Eyes" nations issued a statement demanding the creation of backdoors, insisting they get created to "act against illegal content and activity effectively with no reduction in safety. In effect, the creation of a backdoor that only law enforcement could access that maintains security for everyone else.
Critics argue that the very creation of a backdoor weakens encryption as a whole, as bad actors would simply attack the backdoor as an easier point of access to the data.
Comments
More, if these tools exist, what is the reason for the DOJ to be doggedly pursuing back doors from the tech companies?
I wonder why it seems that everyone thinks that the government breaks the law to charge and convict people. There sure are a lot of people that think the government is a criminal enterprise. The US government is "of the people, by the people, for the people" not "against the people".
It's the same as you physically walking from point A to point B, it will be quicker the fewer obstacles in your way.
So, yes, having access to a physical port is usually an advantage.
But… that doesn't mean that a physical port is a necessity.
Without a physical port certain attacks will be prevented, but some will not be affected as all, and there might even be some new vulnerabilities introduced.
Without a physical port a physical attack will still be possible, though, it will just require the device to be physically opened up. Depending on how the wireless stuff is implemented it might even be possible to simply replace it with a physical port; and then things are back to where they used to be.
At the end of the day it's just another day in the game, where all sides will keep on making progress and negate the progress of the other sides.
Edit: Also, don't forget that a wireless connection opens up for the potential weakness of it being able to be hacked through otherwise protective layers; like having your device automatically hacked simply by standing next to a bad person on public transport etc.