The escalation of a long-running encryption conflict between the Justice Department and Apple Inc. AAPL 2.14% has puzzled security experts who say that new hacking tools have made it possible to gain access to many of the company’s devices in criminal investigations.
Attorney General William Barr ratcheted up pressure on Apple on Monday, painting the company as unhelpful to the government as it seeks to unlock two iPhones belonging to an aviation student from Saudi Arabia who authorities say killed three people at a Florida Navy base last month. Mr. Barr described the phones as “engineered to make it virtually impossible to unlock them without the password.”
Justice Department officials said they spent a month seeking ways to access two phones used by Second Lt. Mohammed Alshamrani, a member of the Saudi air force who allegedly opened fire in a classroom at Naval Air Station Pensacola on Dec. 6 before being shot and killed by sheriff’s deputies. After consulting with experts and vendors and failing to break into the devices—an iPhone 5 and an iPhone 7—investigators reached out to Apple directly, officials said.
In a statement Monday, Apple said the company was notified a week ago that the Federal Bureau of Investigation needed additional assistance. Apple was contacted on the day of the shooting and provided iCloud backups, account information and transactional data for one iPhone, a spokesman said. On Wednesday Jan. 8, Apple received a subpoena related to a second iPhone, he said.
Just a few years ago, many iPhones were almost impossible to crack, but that is no longer true, security experts and forensic examiners say. Companies including Grayshift LLC, Israel’s Cellebrite Mobile Synchronization Ltd. and others offer methods to retrieve data from recent iPhones.
“We’ve got the tools to extract data from an iPhone 5 and 7 now,” said Andy Garrett, a chief executive of Garrett Discovery, a forensics investigation firm. “Everybody does.”
Four years ago in the final year of the Obama administration, the Justice Department tried to force Apple to create a software update—a so-called “backdoor”—that would allow law enforcement to gain access to a phone linked to a dead gunman responsible for a 2015 terrorist attack in San Bernardino, Calif.
Apple refused, and it continues to refuse to grant access via a software update, saying it could be exploited by others. The FBI turned to a third party, spending more than $1 million to obtain data from an encrypted Apple iPhone 5C.
Today, the bureau could likely obtain that data for $15,000 or less, thanks to new forensics tools it has purchased over the past two years that have made breaking into an iPhone much less daunting.
The changing security dynamics have undermined the Justice Department’s argument that Apple’s security is hampering investigations, forensics experts say.
“It’s a cat-and-mouse game. Apple locks things, but if someone wants to find a way to get into these devices, they will find a way,” said Sarah Edwards, a digital forensics instructor with the SANS Institute, an organization that trains cybersecurity investigators.
In 2018, Grayshift began selling an iPhone hacking device for as little as $15,000 to law enforcement customers in the U.S. The Grayshift device leveraged bugs in Apple’s products to access the phone. Today, Israel’s Cellebrite offers software that can also retrieve data from recent iPhones.
In the past two years, Grayshift has sold its products to the U.S. Bureau of Prisons, the Drug Enforcement Administration, the Internal Revenue Service and the FBI. The FBI has spent more than $1 million on Grayshift products, according to federal procurement records.
Georgia’s Gwinnett County, for example, started using the Grayshift device in 2018 and gained access to about 300 phones that year. Now, Chris Ford, an investigator with the district attorney’s office is using the device to reopen cases that had gone cold due to phones that were previously unreadable.
His office is now producing about three times as much forensics data as it did before Grayshift, Mr. Ford said.
“It’s really opened the door for us in our investigation,” he said.
Grayshift representatives didn’t return messages seeking comment. Cellebrite representatives didn’t return messages seeking comment for this article.
Cellebrite has been able to gain access to data on the iPhone 5 since at least 2015, according to forensic investigators and an online training video. The other phone involved in the Pensacola shooting—an iPhone 7, according to sources familiar with the investigation—is also more easily readable than it once was.
Forensic tools used to hack into iPhones have been enhanced recently, thanks to software called Checkm8 that exploits a vulnerability in Apple’s hardware. It allows forensics tools to download data, such as deleted files, that is often hidden from even the users of the iPhone, security professionals say.
A forensics tool built with Checkm8 works on all iPhone devices from the iPhone 5s to the iPhone X, and exploits a hardware bug that Apple is unable to patch, they say.
Investigators caution that there are many factors that can limit the data available to investigators on an iPhone, such as the version of the operating system, the complexity of the user’s passcode and the state of the iPhone itself.
If the phones were powered off when the FBI obtained them, then investigators would have to crack the iPhone’s passcode before they could obtain detailed data on the phone, said Ms. Edwards, the digital forensics instructor.
But cracking the passcode is something that both Cellebrite and Grayshift’s device are designed to do, forensics experts say. “It may just take a while to crack the passcode,” Ms. Edwards said.
—Sadie Gurman contributed to this article.
Write to Robert McMillan at [email protected]
The post As Justice Department Pressures Apple, Experts Say iPhone Easier to Crack appeared first on WSJ.