iPhone spyware lets police log suspects' passcodes when cracking doesn't work
By: Olivia Solon (NBC News)
Apple faces a near-constant challenge: keeping its iPhones secure.
The company has spent years and untold millions of dollars squaring off against a small but talented industry that works to figure out ways to help law enforcement break into iPhones. Currently, security experts believe that tools sold to police struggle to crack iPhone passcodes longer than six digits.
But another tool, previously unknown to the public, doesn't have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.
The spyware, a term for software that surreptitiously tracks users, has been available for about a year but this is the first time details of its existence have been reported, in part because of the non-disclosure agreements police departments sign when they buy a device from Grayshift known as GrayKey.
Those NDAs have helped keep Hide UI a secret. Because of the lack of public scrutiny of the feature as well as its covert behavior, defense attorneys, forensic experts and civil liberties advocates are concerned that Hide UI could be used without giving owners the due process of law, such as a warrant.
"This is messed up. Public oversight of policing is a fundamental value of democracy," said Jennifer Granick, an attorney from the ACLU. "With these kinds of novel tools we see a real desire for secrecy on the part of the government."
It's also the latest move in a cat-and-mouse game between law enforcement and Apple. The company famously refused to unlock an iPhone for the FBI in the case of the San Bernardino terrorist shooting, arguing that doing so would make its phones less secure. On Monday, the FBI said it was able to access the iPhone of a gunman who shot his fellow students at Pensacola Air Station in Florida. A person familiar with the situation who was not authorized to speak publicly said the phone was cracked by guessing its password, which is the more common way law enforcement has gotten into iPhones.
In the absence of help from Apple, law enforcement officials have relied on companies like Grayshift and Cellebrite to find vulnerabilities in Apple's software and hardware and build tools that can bypass the iPhone's security features.
Grayshift, an Atlanta-based company run by security engineers, declined to comment on the existence of Hide UI but stressed that it works to make sure its technology is used lawfully.
"Grayshift develops technology that allows law enforcement agencies to gain access to critical digital evidence during the course of criminal investigations," said David Miles, CEO of Grayshift. "We take every precaution to ensure that access to our technology is limited, and our customer agreements require that it be used lawfully. Our customers are law enforcement professionals of the highest caliber who use our tool only with appropriate legal authority."
Apple declined to comment.
The GrayKey device, first revealed by Forbes and detailed by security blog Malwarebytes, is a small box with two iPhone Lightning cables sticking out of it that was launched in March 2018. Law enforcement officials can plug any recent model of iPhone into the cables to install an "agent" (a piece of software) on the device. The agent then attempts to crack the passcode, offering an estimate for how much time it might take.
It can take minutes to crack a four-digit PIN and less than a day to crack a six-digit PIN, according to calculations by cryptographer Matthew Green, an Associate Professor of Computer Science at the Johns Hopkins Information Security Institute. For eight- and 10-digit passcodes it can take weeks or years. It is under these circumstances that Hide UI provides a way to get access to the device more quickly.
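The time estimates above follow directly from the size of the numeric keyspace and the rate at which guesses can be made. As an added example (not from the article, from Matthew Green, or from Grayshift), the script below estimates the expected brute-force time for a passcode of a given length and alphabet. The article gives no per-guess rate, so the 80 ms per guess used here is an assumption chosen to model a hardware-enforced delay between attempts; with it, the four digit-length cases reproduce the article's "minutes / less than a day / weeks / years" pattern, and the alphanumeric rows go beyond the article to show why a short non-numeric passcode already pushes an exhaustive guess into years.

```python
# Added example: passcode brute-force time estimator.
# Not code from the article or from Grayshift.
# ASSUMPTION: ASSUMED_MS_PER_GUESS is an illustrative per-attempt delay, not a
# measured figure; the article does not state the rate GrayKey achieves.

ASSUMED_MS_PER_GUESS = 80

# Alphabet sizes for the passcode types compared below.
ALPHABETS = {
    "digits": 10,                 # numeric PIN, the iPhone default
    "lower_digits": 36,           # a-z plus 0-9
    "printable_ascii": 95,        # letters, digits and symbols
}


def brute_force_seconds(length, alphabet_size=10,
                        ms_per_guess=ASSUMED_MS_PER_GUESS, average=True):
    """Seconds needed to guess a passcode of `length` symbols.

    average=True returns the expected time (half the keyspace on average);
    average=False returns the worst case (the whole keyspace).
    Integer arithmetic is used until the final division so results are exact.
    """
    keyspace = alphabet_size ** length
    guesses = keyspace // 2 if average else keyspace
    return guesses * ms_per_guess / 1000


def describe_duration(seconds):
    """Return (value, unit) using the largest unit that yields a value >= 1."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return round(seconds / size, 1), name
    return round(seconds, 1), "seconds"


def estimate_table(lengths=(4, 6, 8, 10), alphabet="digits"):
    """Rows of (length, alphabet, expected_value, unit) for a report."""
    size = ALPHABETS[alphabet]
    rows = []
    for n in lengths:
        value, unit = describe_duration(brute_force_seconds(n, size))
        rows.append((n, alphabet, value, unit))
    return rows


if __name__ == "__main__":
    # Numeric PINs of the four lengths the article discusses, then two
    # alphanumeric passcodes for comparison.
    for length, alphabet, value, unit in (
        estimate_table() + estimate_table((6, 8), "lower_digits")
    ):
        print(f"{length:>2}-character {alphabet:<16} "
              f"expected crack time: {value} {unit}")
```

The defensive takeaway is in the last two rows: at the same assumed rate, a six-character lowercase-plus-digits passcode takes years on average, whereas a six-digit PIN takes hours. The estimator deliberately ignores escalating lockout delays and wipe-after-N-attempts settings, both of which only lengthen the attacker's time, so these figures are a lower bound on the defender's margin.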
"If the standard agent doesn't work, we can move to Plan B, which is Hide UI," said one law enforcement professional familiar with the system.
In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect, said the people familiar with the system, who did not wish to be identified for fear of violating their NDA with Grayshift and having access to the device revoked.
For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.
Hide UI installed on an iPhone X (via NBC News)
"It's great technology for our cases, but as a citizen I don't really like how it's being used. I feel like sometimes officers will engage in borderline and unethical behavior," the law enforcement official said.
A second law enforcement official said that the software was "buggy" and that it was often easier to get the suspect to hand over their passcode during interrogation than to use the subterfuge required for Hide UI to work.
A screenshot of an iPhone X with Hide UI installed was shared with NBC News after it was posted in an online forum for digital forensics specialists. Its authenticity was confirmed by one of the law enforcement officials.
The screenshot showed a message on the screen of the iPhone stating that Hide UI also disables airplane mode and prevents anyone from wiping the device. This was corroborated by one of the law enforcement sources.
Legality and secrecy
Both of the law enforcement sources that NBC News spoke to said that they would only plug a phone into the GrayKey device if they had a search warrant.
However, forensic experts working with defense attorneys said they fear that Hide UI may be being used without a warrant by law enforcement officers looking for shortcuts, possibly by arguing "exigent circumstances," given some of the time restrictions Apple has imposed around getting data off its phones. NBC News has not independently confirmed that the feature has been used without a warrant.
It's not clear how often this feature is used, but hundreds of state and local law enforcement agencies across the U.S. — some of which have been tracked by Motherboard and Forbes — as well as the FBI, DEA, CBP, Secret Service and other agencies have access to GrayKey devices, according to public records. They cost between $15,000 and $36,000 per device, depending on the model.
GrayKey's marketing materials refer to "advanced features" but don't publicly refer to Hide UI. The feature — and others designed for intelligence gathering — are only explained to potential customers if they sign a non-disclosure agreement, said the law enforcement officials.
NBC News did not find any search warrants that outlined the capabilities of Hide UI, although GrayKey has occasionally been mentioned in court documents, including a search warrant of an iPhone 11 Pro Max, Apple's latest, most secure phone.
"Failure to disclose what they are doing in terms that would be understood by the court is a huge problem constitutionally," said Lance Northcutt, a Chicago-based lawyer and former prosecutor. "That's assuming there are no abuses going on, which seems ludicrous to me."
Some civil liberties groups including the ACLU are concerned that prosecutors could be dropping cases instead of disclosing how the technology works or subjecting it to public scrutiny. This previously happened with stingray devices, which spoof a cell tower to intercept phone calls and text messages made by devices nearby.
Even if a warrant is sought to search the device, it's not clear whether the subterfuge required to get the passcode from the suspect is being outlined to the prosecutor or judge.
"Law enforcement use of this 'agent' keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School's Center for Internet and Society. "In general, I don't think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized."
Some of the more specific warrants that might allow for Hide UI to be used include a "sneak and peek" warrant, which allows for the installation of surveillance devices in a suspect's house, or a Title III warrant typically used for intercepting electronic communications.
NBC News asked the Department of Justice if it had any guidelines for the use of GrayKey and Hide UI, similar to those issued for the use of stingrays. Department officials declined to comment, as did the National Sheriffs' Association and the International Association of Chiefs of Police.
Critics believe that the lack of transparency over GrayKey and Hide UI is another example of the increasingly uneven playing field in the world of digital forensics, where the government has access to flashy tools bound by NDAs or restrictions to use by law enforcement that defense teams can't access or afford.
"I'm in a fight with one arm tied behind my back," said Andrew Garrett, a digital forensics expert. "I'm not getting the same evidence because companies like Grayshift have created NDAs that prohibit law enforcement from being transparent."
One GrayKey non-disclosure agreement dating from 2018 and seen by NBC News requires law enforcement to notify Grayshift if details of the technology are likely to be disclosed through the judicial process — for example through a subpoena, summons or order — so that Grayshift has the opportunity to "obtain a protective order or otherwise oppose the disclosure."
Northcutt said this was "pretty shocking" because it indicates that the private interests of a third-party vendor could be interfering with due process.
"You can't just have law enforcement say, 'we have this magic box, plug your phone in, extract evidence and you have to trust us that this is accurate and that we are giving you all the stuff that's exculpatory,'" he said. "Not when the end product will result in the deprivation of people's liberty."