A device specifically designed to break into iPhones and Apple operating systems and allow access to encrypted files has been approved for purchase by the Charlottesville Police Department.
A notice posted on the city’s purchasing website Thursday showed the police department had agreed to buy the device from Grayshift LLC, citing the company as the only source for the “‘microcomputer hardware unit/software to extract pass code and data from iOS devices.”
“The software is a tool utilized in digital forensics, pursuant to valid legal authority,” said Sgt. Tony Newberry. “This type of tool can be used in the examination of various electronic devices such as computers, cell phones, tablets, etc., [that are] legally seized or obtained through consent.”
The device is called a GrayKey and was developed to unlock iPhones, including models running iOS 11.3 and the iPhone X, according to computer security analysts and the company’s advertisements.
Although the Grayshift website has no information available, reports by computer security analysts and posts on a variety of social media and industry forums indicated the company offers a $15,000 annual license to use its internet-based software up to 300 times to crack codes.
A device can also be purchased for $30,000 and used as many times as the agency wants without accessing the internet except for initial setup and software updates.
The purchase announcement did not specify which option the city took.
The U.S. Supreme Court has ruled that in most cases police will need a search warrant to access information on a cell phone. In limited cases, if police have reason to believe information from the phone is needed to thwart a crime or that the information may be destroyed, they may search the phone prior to receiving a warrant.
“With the growth of technology such as this, the U.S. Constitution’s Fourth Amendment that provides a right to privacy is on life support,” said John Whitehead, of the Albemarle County-based Rutherford Institute, a nonprofit civil liberties organization that seeks to protect constitutional freedoms.
Rutherford noted that a wide variety of information is gathered and stored on cell phones, much of which is presumed to be private.
“What gives us dignity is privacy. It gives us our own space,” he said.
The ability — and inability — to access locked devices such as cell phones and other computer equipment has been a point of contention between U.S. law enforcement organizations and technology companies.
Called “going dark” by the FBI, it has resulted in conflict both legal and rhetorical between Apple and the FBI and other federal organizations.
The FBI sued Apple in 2016 after Rizwan Farook and Tashfeen Malik shot up a company holiday party in a December 2015 terrorist attack that killed 14 people in San Bernadino, California.
The couple died in a shoot-out with police and had destroyed their personal cell phones, but police found Farook’s work iPhone. The iPhone was set to erase data after 10 failed password attempts and the FBI sued Apple seeking a court order to force the company to develop software to defeat the security.
Apple refused and a March 2016 hearing was set in federal court. Before the hearing took place, the FBI found a third-party to break into the phone. The phone, as it turned out, had information only related to Farook’s job and not the planning of the attack.
The U.S. Department of Justice has since created the National Domestic Communications Assistance Center to help provide police agencies with information on how to crack computer and cell phone security codes and devices.
The center only provides information and technical knowledge and does not research how to break into devices.
Federal law enforcement officials have lobbied Congress to pass requirements that technology companies assist officials in accessing information when deemed necessary.
“Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies,” the FBI states on a webpage dedicated to the problem.
“The challenges faced by law enforcement to lawfully and quickly obtain valuable information are getting worse. Currently thousands of companies provide some form of communication service, and most are not required by [law] to develop lawful intercept capabilities for law enforcement,” the page states. “As a result, many of today’s communication services are developed and deployed without consideration of law enforcement’s lawful intercept and evidence collection needs.”
Enter Grayshift, which touts itself as a solution to locked iPhones and other technology for law enforcement. Analysts say the company’s GrayKey works by brute force, overwhelming the equipment with possible pass code combinations much like organized hacker attacks on computer servers.
They say the GrayKey can break through four-digit security codes in about two hours. Phones secured with six digit codes may take three days or longer, according to published reports from cyber-security organizations.
Grayshift earlier this year announced that it had developed methods of breaking pass codes on newer iPhones and defeating encryption software, creating somewhat of a contest between the company and Apple.
Last month, Apple announced that new iPhone operating systems have more complicated security systems that can thwart GrayKey. The device’s manufacturer hinted earlier this year, however, that it had more capabilities it has not implemented, should additional security layers be developed.