iPhone spyware lets police log suspects' passcodes when cracking doesn't work

Via:  perrie-halpern  •  2 weeks ago  •  12 comments

By:   Olivia Solon (NBC News)

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement.


Apple faces a near-constant challenge: keeping its iPhones secure.

The company has spent years and untold millions of dollars squaring off against a small but talented industry that works to figure out ways to help law enforcement break into iPhones. Currently, security experts believe that tools sold to police struggle to crack iPhone passcodes longer than six digits.

But another tool, previously unknown to the public, doesn't have to crack the code that people use to unlock their phones. It just has to log the code as the user types it in.

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.

The spyware, a term for software that surreptitiously tracks users, has been available for about a year but this is the first time details of its existence have been reported, in part because of the non-disclosure agreements police departments sign when they buy a device from Grayshift known as GrayKey.

Those NDAs have helped keep Hide UI a secret. Because of the lack of public scrutiny of the feature as well as its covert behavior, defense attorneys, forensic experts and civil liberties advocates are concerned that Hide UI could be used without giving owners the due process of law, such as a warrant.

"This is messed up. Public oversight of policing is a fundamental value of democracy," said Jennifer Granick, an attorney from the ACLU. "With these kinds of novel tools we see a real desire for secrecy on the part of the government."

It's also the latest move in a cat-and-mouse game between law enforcement and Apple. The company famously refused to unlock an iPhone for the FBI in the case of the San Bernardino terrorist shooting, arguing that doing so would make its phones less secure. On Monday, the FBI said it was able to access the iPhone of a gunman who shot his fellow students at Pensacola Air Station in Florida. A person familiar with the situation who was not authorized to speak publicly said the phone was cracked by guessing its password, which is the more common way law enforcement has gotten into iPhones.

In the absence of help from Apple, law enforcement officials have relied on companies like Grayshift and Cellebrite to find vulnerabilities in Apple's software and hardware and build tools that can bypass the iPhone's security features.

Grayshift, an Atlanta-based company run by security engineers, declined to comment on the existence of Hide UI but stressed that it works to make sure its technology is used lawfully.

"Grayshift develops technology that allows law enforcement agencies to gain access to critical digital evidence during the course of criminal investigations," said David Miles, CEO of Grayshift. "We take every precaution to ensure that access to our technology is limited, and our customer agreements require that it be used lawfully. Our customers are law enforcement professionals of the highest caliber who use our tool only with appropriate legal authority."

Apple declined to comment.

The software

The GrayKey device, first revealed by Forbes and detailed by security blog Malwarebytes, is a small box with two iPhone lightning cables sticking out of it that was launched in March 2018. Law enforcement officials can plug any recent model of iPhone into the cables to install an "agent" (a piece of software) on the device. The agent then attempts to crack the passcode, offering an estimate for how much time it might take.

It can take minutes to crack a four-digit PIN and less than a day to crack a six-digit PIN, according to calculations by cryptographer Matthew Green, an Associate Professor of Computer Science at the Johns Hopkins Information Security Institute. For eight- and 10-digit passcodes it can take weeks or years. It is under these circumstances that Hide UI provides a way to get access to the device more quickly.
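The time ranges above follow from a simple calculation: the number of possible passcodes divided by the rate at which a tool can try them. The Python below is an added illustration, not code from the article, from Matthew Green or from Grayshift. It assumes one guess every 80 milliseconds, a rate chosen because it reproduces the article's minutes / less-than-a-day / weeks-or-years figures, and it adds an `alphabet_size` parameter so the same arithmetic can be applied to alphanumeric passcodes, which the article does not discuss.

```python
# Added example (not from the NBC News article, Matthew Green or Grayshift):
# estimate how long sequential passcode guessing takes as a function of
# passcode length and alphabet size.
#
# ASSUMPTION: one guess every 80 ms. That figure is not on the page; it is
# chosen because it reproduces the article's "minutes / less than a day /
# weeks or years" ranges for 4-, 6-, 8- and 10-digit passcodes.

SECOND = 1
MINUTE = 60 * SECOND
HOUR = 60 * MINUTE
DAY = 24 * HOUR
YEAR = 365.25 * DAY  # Julian year, good enough for a rough estimate


def keyspace(length, alphabet_size=10):
    """Number of distinct passcodes of `length` symbols over an alphabet."""
    return alphabet_size ** length


def brute_force_seconds(length, alphabet_size=10, ms_per_guess=80):
    """Return (average, worst_case) seconds to find a passcode by exhaustion.

    The worst case tries every candidate once. On average the correct
    passcode turns up halfway through, so the expected time is half that.
    """
    worst = keyspace(length, alphabet_size) * ms_per_guess / 1000
    return worst / 2, worst


def humanize(seconds):
    """Render a duration in the largest unit that yields a value of at least 1."""
    for unit, name in ((YEAR, "years"), (DAY, "days"), (HOUR, "hours"),
                       (MINUTE, "minutes"), (SECOND, "seconds")):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(4, 6, 8, 10), alphabet_size=10, ms_per_guess=80):
    """Map each passcode length to (average, worst_case) human-readable times."""
    return {
        n: tuple(humanize(t) for t in brute_force_seconds(n, alphabet_size, ms_per_guess))
        for n in lengths
    }


if __name__ == "__main__":
    print("Numeric passcodes at one guess per 80 ms (assumed rate):")
    for n, (avg, worst) in crack_time_table().items():
        print(f"  {n:2d} digits: average {avg}, worst case {worst}")

    # Generalisation beyond the article: a 6-character alphanumeric passcode
    # (26 lower + 26 upper + 10 digits = 62 symbols) at the same guess rate.
    avg, worst = brute_force_seconds(6, alphabet_size=62)
    print(f"  6 alphanumeric: average {humanize(avg)}, worst case {humanize(worst)}")
```

The lengths 4, 6, 8 and 10 land on roughly 7 minutes, 11 hours, 46 days and 13 years on average, which is the shape of the article's figures; the point for a defender is that each two extra digits multiplies the work by 100, and switching to an alphanumeric passcode multiplies it far more. Actual tools may guess faster or slower than the assumed rate, so treat the absolute numbers as illustrative.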

"If the standard agent doesn't work, we can move to Plan B, which is Hide UI," said one law enforcement professional familiar with the system.

In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect, said the people familiar with the system, who did not wish to be identified for fear of violating their NDA with Grayshift and having access to the device revoked.

For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it.

Hide UI installed on an iPhone X, via NBC News

"It's great technology for our cases, but as a citizen I don't really like how it's being used. I feel like sometimes officers will engage in borderline and unethical behavior," the law enforcement official said.

A second law enforcement official said that the software was "buggy" and that it was often easier to get the suspect to hand over their passcode during interrogation than to use the subterfuge required for Hide UI to work.

A screenshot of an iPhone X with Hide UI installed was shared with NBC News after it was posted in an online forum for digital forensics specialists. Its authenticity was confirmed by one of the law enforcement officials.

The screenshot showed a message on the screen of the iPhone stating that Hide UI also disables airplane mode and prevents anyone from wiping the device. This was corroborated by one of the law enforcement sources.

Legality and secrecy

Both of the law enforcement sources that NBC News spoke to said that they would only plug a phone into the GrayKey device if they had a search warrant.

However, forensic experts working with defense attorneys said they fear that Hide UI may be used without a warrant by law enforcement officers looking for shortcuts, possibly by arguing "exigent circumstances," given some of the time restrictions Apple has imposed around getting data off its phones. NBC News has not independently confirmed that the feature has been used without a warrant.

It's not clear how often this feature is used, but hundreds of state and local law enforcement agencies across the U.S. — some of which have been tracked by Motherboard and Forbes — as well as the FBI, DEA, CBP, Secret Service and other agencies have access to GrayKey devices, according to public records. They cost between $15,000 and $36,000 per device, depending on the model.

GrayKey's marketing materials refer to "advanced features" but don't publicly refer to Hide UI. The feature — and others designed for intelligence gathering — are only explained to potential customers if they sign a non-disclosure agreement, said the law enforcement officials.

NBC News did not find any search warrants that outlined the capabilities of Hide UI, although GrayKey has occasionally been mentioned in court documents, including a search warrant of an iPhone 11 Pro Max, Apple's latest, most secure phone.

"Failure to disclose what they are doing in terms that would be understood by the court is a huge problem constitutionally," said Lance Northcutt, a Chicago-based lawyer and former prosecutor. "That's assuming there are no abuses going on, which seems ludicrous to me."

Some civil liberties groups including the ACLU are concerned that prosecutors could be dropping cases instead of disclosing how the technology works or subjecting it to public scrutiny. This previously happened with stingray devices, which spoof a cell tower to intercept phone calls and text messages made by devices nearby.

Even if a warrant is sought to search the device, it's not clear whether the subterfuge required to get the passcode from the suspect is being outlined to the prosecutor or judge.

"Law enforcement use of this 'agent' keylogger feature can be legal, so long as the warrant the government gets to search and seize the device spells out that the investigators are permitted to use it," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School's Center for Internet and Society. "In general, I don't think that magistrate judges authorizing search warrants would expect that the government plans to implant malware on a device it has seized."

Some of the more specific warrants that might allow for Hide UI to be used include a "sneak and peek" warrant, which allows for the installation of surveillance devices in a suspect's house, or a Title III warrant typically used for intercepting electronic communications.

NBC News asked the Department of Justice if it had any guidelines for the use of GrayKey and Hide UI, similar to those issued for the use of stingrays. Department officials declined to comment, as did the National Sheriffs' Association and the International Association of Chiefs of Police.

Critics believe that the lack of transparency over GrayKey and Hide UI is another example of the increasingly uneven playing field in the world of digital forensics, where the government has access to flashy tools bound by NDAs or restrictions to use by law enforcement that defense teams can't access or afford.

"I'm in a fight with one arm tied behind my back," said Andrew Garrett, a digital forensics expert. "I'm not getting the same evidence because companies like Grayshift have created NDAs that prohibit law enforcement from being transparent."

One GrayKey non-disclosure agreement dating from 2018 and seen by NBC News requires law enforcement to notify Grayshift if details of the technology are likely to be disclosed through the judicial process — for example through a subpoena, summons or order — so that Grayshift has the opportunity to "obtain a protective order or otherwise oppose the disclosure."

Northcutt said this was "pretty shocking" because it indicates that the private interests of a third-party vendor could be interfering with due process.

"You can't just have law enforcement say, 'we have this magic box, plug your phone in, extract evidence and you have to trust us that this is accurate and that we are giving you all the stuff that's exculpatory,'" he said. "Not when the end product will result in the deprivation of people's liberty."


1  Buzz of the Orient    2 weeks ago

Is BIG BROTHER listening to you? In America? What's next, a social credit system?

1.1  igknorantzrulz  replied to  Buzz of the Orient @1    2 weeks ago
Is BIG BROTHER listening to you?

maybe he can figure out, and tell me what i'm sayin...?

2  TᵢG    2 weeks ago

One should conduct one's life with the assumption that nothing is private unless it is contained solely within one's mind.

2.1  Freefaller  replied to  TᵢG @2    2 weeks ago
unless it is contained solely within one's mind.

Lol for now

3  evilgenius    2 weeks ago
The company [Apple] famously refused to unlock an iPhone for the FBI in the case of the San Bernardino terrorist shooting...

This is lazy reporting and incorrect. Apple agreed to unlock the phone with an appropriate warrant. They even went as far as to agree to send a tech to the FBI office to do so. What the government wanted was Apple to write a new OS update that would allow the FBI to circumvent encryption security. The FBI had a third party unlock the phone only to find no helpful information.

4  Steve Ott    2 weeks ago

Back doors never remain in the hand of only the 'right' people.

Microsoft Accidentally Provides Example of Dangers of Encryption 'Back Doors'

The hackers are very blunt about their reasons for revealing how this works: They're trying to get people at the FBI and in Congress to understand that any attempt to require a "golden key" to allow officials to bypass encryption, even with the best of intentions, can and eventually will go terribly, terribly awry. They note:

"About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a "secure golden key" system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a "secure golden key" system? Hopefully you can add 2+2…"

In the hands of those with sinister intent (either hackers or rogue authorities), a mechanism to bypass encryption can utterly devastate the privacy of citizens and expose them to criminal mischief and secret surveillance.

The larger question is whether or not lawmakers and government leaders actually care about the risks as long as it gets them the information they want. As I've noted repeatedly at Reason, surveillance-loving senators like Dianne Feinstein (D-Calif) and Richard Burr (R-N.C.) and Great Britain's new Prime Minister Theresa May seem to have absolutely no interest in whether encryption back doors actually compromise everybody's security as long as it allows the government to access whatever data it demands.

4.1  evilgenius  replied to  Steve Ott @4    2 weeks ago
Back doors never remain in the hand of only the 'right' people.

And who's there to support us when our information is stolen and used for nefarious reasons? Hint: I'll never see my promised $125.00 Equifax settlement check. The banks got their money and the lawyers got theirs. Customers got shafted again.

4.1.1  MUVA  replied to  evilgenius @4.1    2 weeks ago

You are really waiting for 125 bucks?

4.1.2  XDm9mm  replied to  evilgenius @4.1    2 weeks ago
Hint: I'll never see my promised $125.00 Equifax settlement check.


THANKS for the reminder. I guess I'm in the same boat.

I think tomorrow I start to piss them off by harassing THEM!!

4.1.3  evilgenius  replied to  MUVA @4.1.1    2 weeks ago
You are really waiting for 125 bucks?

No, not really. 

4.1.4  evilgenius  replied to  XDm9mm @4.1.2    2 weeks ago
I think tomorrow I start to piss them off by harassing THEM!!

The FCC made the deal and then panicked when too many people signed up and changed the terms.

4.1.5  Steve Ott  replied to  evilgenius @4.1    2 weeks ago

No one, obviously.

Which is exactly why government should stop barking about needing a back door. There are no secrets on the 'net.

