As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, 
e-discovery, and cybersecurity service provider. The Vestige team that you know and trust will
continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow
us to serve you and your clients even better.

Virtual Case Notes: Newest iPhones Can Now Be Unlocked for Forensic Examination, 2 Companies Claim


Virtual Case Notes: Newest iPhones Can Now Be Unlocked for Forensic Examination, 2 Companies Claim

Author photo
Associate Editor, Forensic Magazine

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

A terrorist attack, a months-long legal battle and about a million dollars later, two companies are now claiming to hold the key to surpassing an obstacle made famous in the aftermath of the 2016 San Bernardino shooting—Apple’s encryption. With no “back door” included in the popular iPhone devices, and Apple refusing to help unlock them, FBI investigators were left unable to access the contents of deceased attacker Syed Farook’s iPhone 5c—until a mysterious and yet-unnamed third party managed to crack it, for a price ranging somewhere between $900,000 and $1.3 million.

Now, leading mobile forensics firm Cellebrite and a second lesser-known company called Grayshift are offering to unlock iPhones running the latest iOS, all the way up to the cutting-edge iPhone X, for a much lower price per pop. Last week, Forbes reported that Cellebrite could unlock iPhones running up to iOS 11.2.6, the latest version, and that Cellebrite’s price for unlocking iPhones was about $1,500. This is obviously considerably less than what the FBI paid to have Farook’s iPhone 5c running iOS 9 unlocked.

However, it wasn’t until earlier this week that Grayshift suddenly emerged, publicly offering its online service GrayKey for $15,000 for 300 uses—only $50 per device. And, according to Forbes, Grayshift also offers an offline version of GrayKey for $30,000 with unlimited uses. If Grayshift’s claims are true—that it can unlock the latest iPhone models up to the iPhone 8 and iPhone X, running iOS 10 or 11—it certainly seems like something law enforcement agencies, including the FBI, would like to have in their back pocket.

Why is it so difficult to unlock the iPhone?

“Apple and other companies looking to encrypt data for privacy and security have a goal to maximize privacy and security. They are not interested in how that may affect an investigation be it civil or criminal,” explained Greg Kelley, Chief Technology Officer of Vestige Digital Investigations, a digital forensics firm that includes mobile forensics services. Maximum security means keeping everyone who isn’t the user out of the user’s device, not just hackers, but law enforcement as well.

Security features, such as the device locking for longer periods of time after multiple failed passcode attempts, and even an optional feature that wipes the iPhone’s data after 10 failed attempts, make typical “brute force” methods of trying every possible passcode option both impractical and risky for investigators.

“Vestige has worked with many iPhones. When they are password protected we have in the past used brute force techniques to unlock them. There are other methods including acquiring a key file from a computer that has a trust relationship set up with the phone, but usually we just get a phone and no computer,” Kelley explained. “If we don’t have a trusted computer and the client doesn’t want to chance the brute force method wiping the phone we have to hope to get the PIN from the client. Usually in civil cases this isn’t a problem. However, there are some civil cases where the employee has left the company for a period of time and ‘forgets’ the PIN or the custodian of the phone is deceased.”

In a criminal case scenario, this could instead be a suspect refusing to tell investigators their PIN, or, of course, a suspect shot dead in the commission of a violent attack. The Fifth Amendment typically protects defendants from being compelled to give up their password or PIN, and what’s more, the latest iOS gives users even more security, enabling them to require a passcode (instead of a fingerprint) by pressing the power button five times, and requiring a passcode before a computer can establish a trusted connection to a device. At every turn, Apple protects users’ privacy, all the way to the jail cell or even the grave.

What impact will these new tools have?

The days of relying on brute force methods may be over for law enforcement seeking to unlock iPhones, now that Cellebrite and Grayshift have come forward with their new capabilities. Agents at the U.S Department of Homeland Security were already able to extract data from an iPhone X with the help of a Cellebrite specialist, according to a warrant published by Forbes, in what may be a one of the first of many extractions that would have previously been impossible.

As for GrayKey, Vice Media’s tech and science vertical Motherboard reported today that at least one police department—the Indiana State Police—purchased the 300-use tool in late February. An ex-Apple security engineer and U.S. intelligence contractors appear to be the figures behind the little-known Grayshift company, according to Forbes, which would explain its ability to do what no other major company other than Cellebrite has publicly claimed to be able to do.

But could the excitement over these new unlocking abilities be short-lived? While tech companies have been working to find the key to getting past Apple’s iron-clad encryption, Apple has no doubt been working to detect and patch any vulnerabilities that make infiltration possible.

“Apple’s response to this news (…) likely will be attempting to understand how this unlocking is done in order to close the loop on a possible vulnerability,” Kelley told me. “What we may be left with is a constant arms race between Apple closing loops and companies exposing new ones to get into the phone.”

Of course it’s far from just forensic investigators Apple’s security seeks to thwart—any vulnerability may have the potential to be taken advantage of for malicious purposes, which is why some, such senior staff attorney for the Electronic Frontier Foundation Adam Schwartz, have criticized Cellebrite for not disclosing the vulnerability, according to Forbes. But Cellebrite chief marketing officer Jeremy Nazarian told Forbes last week that their technology is unlikely to be misused, and that an interest in public safety motivates them to keep the vulnerability a closely-held secret.

“These capabilities are germane again to homicide, crimes against children, drug gangs, major public safety threats in any community (…) We feel an obligation to those serving the public safety mission to ensure those capabilities are preserved,” Nazarian told Forbes.

Kelley pointed out that the vulnerability tapped by Cellebrite and Grayshift would only be helpful to criminals in specific situations.

“Realize that right now this vulnerability is just to get around the PIN on a phone. This really comes into play when one has physical access to a phone. Hackers instead usually are trying to figure out how to get to the data on a phone remotely,” Kelley said. “Without knowing specifically how Cellebrite and Grayshift are getting around the PIN it is unknown as to whether that vulnerability would truly help a hacker.”

Laura French, Associate Editor, Forensic Magazine