Ride the Lightning

Feds Are Spending Millions to Hack Into Locked Phones

May 14, 2019

The Washington Post (sub.req.) reported on May 13th that federal agencies are spending millions to hack into locked phones.

A $1.2 million tab for iPhone hacking technology at U.S. Immigration and Customs Enforcement underscores how pervasively law enforcement is cracking into passcodes and other security features Americans use to keep their information private.

ICE contracts — one for $384,000 in September and another for $819,000 this month — will go to the agency’s Homeland Security Investigations unit, which focuses not just on immigration crimes but also on drug trafficking, child exploitation and money laundering. ICE declined to say how the hacking tools will be used, but the contracts come amid heightened concern about warrantless searches of phones and laptops that ICE and Customs and Border Protection conduct at airports and other points of entry amid an immigration crackdown by President Trump.

Federal law enforcement agencies have complained for years that advanced encryption systems are crippling their investigations and allowing criminals and terrorists to “go dark” online. They’ve called on tech companies to help them bypass those encryption protections, and the FBI even waged a high-stakes court battle against Apple over the issue in 2015.

But law enforcement's claims about the danger posed by encryption have been repeatedly undermined by internal watchdogs and its own errors. And the federal spending spree on hacking tools offers yet another suggestion that law enforcement may be finding ways around encryption without tech companies’ help.

The American Civil Liberties Union and Electronic Frontier Foundation sued the government over those searches in 2017 and say they found that “CBP and ICE are asserting near-unfettered authority to search and seize travelers’ devices at the border.” That includes “for purposes far afield from the enforcement of immigration and customs laws” including “investigating and enforcing bankruptcy, environmental, and consumer protection laws,” the advocacy organizations said.

The ICE contracts are with the company Grayshift, which markets one of the most popular iPhone hacking kits to law enforcement agencies. The company has been involved in a back and forth game with Apple for the past year with Apple trying to block Grayshift’s ability to hack into locked iPhones and Grayshift seemingly finding new ways in.

The pace of new federal contracts would suggest Apple hasn’t won that fight.

Grayshift has inked $2.6 million in deals with federal agencies since 2017, including ICE, the Secret Service, the FBI and the Drug Enforcement Administration, according to information on a government spending database.

Despite a steady stream of warnings about the dangers of encryption since 2014, law enforcement has struggled to provide clear evidence that encryption substantially stymies its investigations.

In the most high-profile case in 2015, the FBI asked a federal court to compel Apple to help it crack into an encrypted iPhone used by San Bernardino, CA, shooter Syed Farook. The bureau ultimately withdrew its demand, however, after an unnamed third party offered to help it hack into the phone for a hefty fee.

In that case, the unnamed company appears to have helped the FBI disable a safeguard that would have wiped the phone’s contents after too many incorrect guesses at the passcode — similar to services offered by Grayshift. With that safeguard disabled, the FBI was presumably able to run a computer program that tried all possible passcode combinations until it landed on the correct one.

The Justice Department’s own inspector general later found the FBI had rushed into litigation against Apple without exhausting other options — and some FBI staffers believed the bureau was more interested in setting a legal precedent than in accessing the phone’s contents.

The FBI later acknowledged it had dramatically overstated the number of encrypted devices it was blocked from accessing because it accidentally double-counted instances that were maintained in multiple databases. FBI Director Christopher Wray had claimed the bureau was unable to access about 7,800 devices connected with crimes in 2017, but the real number was closer to 1,200, officials acknowledged.

Games and lies. You would bloody well think the FBI Director would have the correct numbers – and had them checked twice before citing phony numbers. Frankly, when I want the truth about privacy issues, I turn to the American Civil Liberties Union and Electronic Frontier Foundation.

Email:    Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson