Did Apple Just End The ‘Golden Age’ Of Government iPhone Hacking?

Apple's latest devices are believed to be the most secure iPhones ever. But will they end a so-called

Since its storied 2016 battle with the FBI over an iPhone at the center of the San Bernardino shootings, Apple has invested a significant portion of its vast resources in iPhone privacy and security. And Apple has just released what some believe are the most secure smartphones ever made for the general public.

Yet some feel the government, law enforcement and their tech partners are currently enjoying a “golden age” in iPhone hacking.

That was the wording used by former West Virginia State Police forensics specialist Chris Vance, speaking last month in a webcast about the hottest new iPhone hacking tech, the GrayKey. When Forbes first revealed the device in March, its manufacturer, Grayshift, claimed it could break into locked iPhones, even the latest models running the most up-to-date iOS.

But when Vance was speaking of the halcyon days of iPhone forensics five months later, he was talking up GrayKey’s ability to harvest data from Apple devices, not just its technique for getting passcodes. That’s because GrayKey does something others cannot: It can grab the entire filesystem from an iPhone. Vance described it as “one of the biggest forensics advancements that’s been made in years.” He even sent a password-locked iPhone X to Grayshift, which returned the filesystem and all the juicy data within. The last time feds had access this deep into non-jailbroken iOS cellphones was with the iPhone 4, released way back in 2010, said Vance, now a researcher at Canadian government contractor Magnet Forensics.

Inside the filesystem is an abundance of data that could prove invaluable to police, according to Vance. Private Facebook Messenger and Instagram messages can now be swiftly retrieved. So can all email data from the Mail app, and deleted text messages, even ones deleted immediately after being sent or received.

Add to that browser tabs that had been opened, not just on the iPhone but across synced MacBooks and iPads too. And what Wi-Fi hotspots were used by particular applications. Plus Google searches pulled from memory.

There’s also a significant amount of location data that GrayKey grabs. “There’s so much location data that right now we’re able to finally really explore again and dive deep into,” Vance said.

Even outside of GrayKey, with other forensics tools from the likes of Cellebrite, Elcomsoft, Magnet and Oxygen, law enforcement is able to draw all kinds of information out of iPhones. In February, ahead of the revelations around GrayKey, Forbes reported that Israeli firm Cellebrite was touting the capability to unlock the latest iPhone models.

But it’s easy to see why, with all the data Grayshift is making readily available to law enforcement, Vance and others are enamoured with GrayKey. The U.S. government has shown its feelings. Recent Grayshift customers include the DEA and Immigration and Customs Enforcement. The latter deal, valued at $384,000, has caused anxiety among human rights activists given President Trump’s hardline stance on immigration.

New iPhones = big security

It’s little surprise then that Apple is doubling down on security and privacy. The iPhone XS, XR and XS Max, which went on public sale Friday, have been referred to as the most secure models ever made.

With good reason. There are a number of significant updates that greatly improve the hardware. Pointer Authentication Codes, for instance, have the processor cryptographically sign pointers such as return addresses and verify the signature before each one is used, so a pointer an attacker has tampered with is rejected rather than followed. “Doing so increases the difficulty of many attacks,” said Nikias Bassen, a noted iPhone hacker now working for mobile security firm Zimperium. He pointed to a common form of attack that the Apple update should prevent. Known as a Return Oriented Programming (ROP) attack, it overwrites saved return addresses so that the device runs fragments of its own legitimate code in a sequence the attacker chooses.
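To make the mechanism concrete, here is an added C model of how pointer authentication defeats a return-address overwrite. It is illustration written for this page, not code from Apple, Zimperium or the article. The 48-bit address space, the 16-bit PAC field, the toy keyed hash, the key and every address below are constructed for the demo; real arm64e hardware computes the PAC with the QARMA cipher under keys the kernel keeps in system registers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of ARMv8.3 pointer authentication.  Only the low VA_BITS
 * of a pointer carry an address; the unused high bits hold the PAC.  toy_mac()
 * stands in for the hardware's QARMA-based computation and is not that cipher.
 * Every constant here is constructed for the demo. */
#define VA_BITS  48
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_BITS (64 - VA_BITS)

typedef struct { uint64_t k0, k1; } pac_key;

/* Toy keyed hash of (address, modifier), truncated to PAC_BITS bits. */
static uint64_t toy_mac(uint64_t addr, uint64_t modifier, pac_key key) {
    uint64_t v = (addr & VA_MASK) ^ key.k0;
    v += modifier ^ 0x9e3779b97f4a7c15ULL;
    for (int round = 0; round < 4; round++) {
        v ^= v >> 29;
        v *= 0xbf58476d1ce4e5b9ULL;
        v ^= key.k1;
        v ^= v >> 32;
    }
    return v >> VA_BITS;
}

/* PACIA-style sign.  The modifier binds the signature to a context; for
 * return addresses the ABI uses the stack pointer of the saving frame. */
uint64_t pac_sign(uint64_t addr, uint64_t modifier, pac_key key) {
    return (addr & VA_MASK) | (toy_mac(addr, modifier, key) << VA_BITS);
}

/* AUTIA-style authenticate-and-strip.  On a mismatch real hardware returns a
 * deliberately corrupted pointer so its next use faults; we set the top bit
 * to mirror that and also report the failure. */
bool pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key key, uint64_t *out) {
    uint64_t addr = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) != toy_mac(addr, modifier, key)) {
        *out = addr | (1ULL << 63);
        return false;
    }
    *out = addr;
    return true;
}

/* Constructed scenario: process key, legitimate return address, a gadget the
 * attacker wants to return into, and the stack pointers of two frames. */
static const pac_key DEMO_KEY = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
#define LEGIT_RET 0x0000000100004a20ULL
#define GADGET    0x00000001800cafe0ULL
#define FRAME_SP  0x000000016fd3e9a0ULL
#define OTHER_SP  0x000000016fd3e8c0ULL

/* Normal call: prologue signs LR against SP, epilogue authenticates it. */
bool benign_return(void) {
    uint64_t slot = pac_sign(LEGIT_RET, FRAME_SP, DEMO_KEY), target;
    return pac_auth(slot, FRAME_SP, DEMO_KEY, &target) && target == LEGIT_RET;
}

/* Classic ROP: an overflow replaces the saved slot with a raw gadget address
 * whose PAC field is whatever the attacker wrote (zero here). */
bool rop_overwrite_succeeds(void) {
    uint64_t target;
    return pac_auth(GADGET, FRAME_SP, DEMO_KEY, &target);
}

/* Substitution: a signed pointer leaked from another frame is replayed here;
 * the modifier (that frame's SP) differs, so it should not authenticate. */
bool replay_succeeds(void) {
    uint64_t leaked = pac_sign(GADGET, OTHER_SP, DEMO_KEY), target;
    return pac_auth(leaked, FRAME_SP, DEMO_KEY, &target);
}

/* Flipping a bit of the PAC field is always caught, and the result comes back
 * poisoned (top bit set) instead of silently usable. */
bool tamper_detected(void) {
    uint64_t slot = pac_sign(LEGIT_RET, FRAME_SP, DEMO_KEY) ^ (1ULL << 63), target;
    return !pac_auth(slot, FRAME_SP, DEMO_KEY, &target) && (target >> 63) == 1;
}

/* Without the key the attacker can only guess the PAC.  Exactly one of the
 * 2^PAC_BITS candidates authenticates; every other guess is a crash. */
unsigned count_valid_pacs(uint64_t addr, uint64_t modifier) {
    unsigned hits = 0;
    for (uint64_t pac = 0; pac < (1ULL << PAC_BITS); pac++) {
        uint64_t target;
        if (pac_auth((addr & VA_MASK) | (pac << VA_BITS), modifier, DEMO_KEY, &target))
            hits++;
    }
    return hits;
}

int main(void) {
    printf("benign return authenticates:           %s\n", benign_return() ? "yes" : "no");
    printf("raw gadget overwrite authenticates:    %s\n", rop_overwrite_succeeds() ? "yes" : "no");
    printf("replayed signed pointer authenticates: %s\n", replay_succeeds() ? "yes" : "no");
    printf("PAC bit-flip detected:                 %s\n", tamper_detected() ? "yes" : "no");
    printf("PAC guesses that authenticate: %u of %llu\n",
           count_valid_pacs(GADGET, FRAME_SP), 1ULL << PAC_BITS);
    return 0;
}
```

The model also shows the limit Todesco alludes to later in the piece: the check only protects pointers that are signed and authenticated, and a 16-bit PAC means a forged value has a 1-in-65536 chance of passing, which is why the defense leans on every wrong guess crashing the process.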

And with iOS 12, there’s much to cheer from a privacy perspective. There’s integration with password managers and auto-fill for one-time authentication codes. Both should make it easier to manage logins with complex passwords. And, crucially, users can now turn on automatic updates. Though it’s optional, everyone should turn it on, advised Ryan Stortz, a security researcher at Trail of Bits.

Then there’s the feted USB restricted mode, which goes some way toward stymieing tools like GrayKey. When turned on, as it is by default, an iPhone that has been locked for an hour cannot transfer data to a connected computer, which forensics tools need in order to work, unless the passcode is physically entered. iOS 12 takes this further. If more than three days have passed since a USB connection was last made between the iPhone and a computer, no data can be transferred. And whenever the iPhone is in a state where a passcode, rather than just a fingerprint or a face, is required to unlock it, such as after a restart, USB restricted mode is turned on.

An iPhone infinity war

All these updates go some way toward killing off forensics functionality. But will they help Apple bring an end to this “golden era” of iPhone forensics?

Perhaps not. Luca Todesco, a young iPhone hacker and jailbreaker, claims he has already found a way around the protections offered by Pointer Authentication Codes. “There are realistic limits to what it can do, and it isn’t a silver bullet,” he told Forbes. “It’s certainly a step forward, and it raises the bar. But as the saying goes, nothing is ever perfectly secure.” Prior to Todesco’s work, a bypass of USB restricted mode using just $10 worth of equipment was revealed. Vance even started a list of USB dongles that cops could use to prevent a device from entering restricted mode.

But Vladimir Katalov, CEO of Russian forensics firm Elcomsoft, thinks it really is the end of the golden era. While he had much respect for Grayshift’s work on breaking iPhone security, Katalov said Apple’s updates are going to challenge the company’s relevance. The GrayKey simply isn’t “future-proof,” according to the longtime forensics expert. Grayshift hadn’t returned a request for comment at the time of publication.

“If you think how many users update their devices to the latest iOS build, especially with iOS 12 being as good as it is, GrayShift today supports a small minority of devices,” Katalov added.

“There is no light at the end of this tunnel.”