Cops May Unlock iPhones Without a Warrant to Beat Apple's New Security Feature

This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.

Earlier this month, Apple confirmed it was introducing a new security feature that could make hacking iPhones harder, especially for companies such as Grayshift that unlock devices for law enforcement. USB Restricted Mode, as the feature is called, will turn an iPhone’s lightning port into simply a ‘dumb’ charging interface if the phone has not been unlocked within the last hour.

That ticking clock is causing law enforcement officials to at least explore the possibility of using warrantless unlocks to more quickly download data from a device, although they may then obtain a warrant to examine the data itself, according to a document obtained by Motherboard. By leveraging a legal exemption known as exigent circumstances—used in emergencies to avoid the deletion of evidence, or to prevent imminent danger to life—police officers may argue they can unlock and siphon data from an iPhone without first obtaining a warrant.

The news signals how, as Apple and hackers continue their one-upmanship, authorities are exploring more legal workarounds to encryption and locked phones. This is on top of things such as attempting to compel companies to build backdoors into their products, or to force suspects to decrypt devices.

“So long as DOJ continues to argue compelled decryption is an option, any attempt to label locked devices as an emergency situation would be a transparent attempt to circumvent the Fourth Amendment,” Jake Laperruque, senior counsel at The Constitution Project, at the Project on Government Oversight, told Motherboard in an email. The Project on Government Oversight is a non-profit that works to expose government fraud, waste, and abuse.

Motherboard obtained an email sent by a law enforcement official with a local police department in Arizona to a private community of forensic experts discussing USB Restricted Mode and possible legal bypasses to the issue.

“What are peoples thoughts in the U.S. about exigent circumstances?” the May 30 email starts. “At the very least connecting to GrayKey in this seven day period to preserve the passcode/data, then following up with search warrant, court order, etc for data extraction,” the email adds, referring to Grayshift’s product, GrayKey. (In earlier beta versions of iOS, USB Restricted Mode disabled the iPhone’s lightning port after seven days; that has since been reduced to one hour).

In another leaked email, a forensic expert suggested an attorney should have no issue arguing for exigent circumstances to connect a seized device to a GrayKey within the first hour.

Typically, law enforcement would need to obtain a warrant before they cracked open a phone and pulled its data with an unlocking device such as GrayKey or Cellebrite’s iPhone service. But here, as this email suggests, a police officer may unlock a phone and preserve the data without a warrant, and then follow up with legal authorisation to then start digging through that data later.

This echoes what an anonymously quoted Department of Justice official told Politico earlier this month: “It may be [that] we can articulate an argument that we now have an exigency to use Cellebrite to unlock and dump an iPhone as soon as we possess it, even without a warrant,” the official said, according to Politico. “Under that scenario, I'd say we'd still get a warrant before actually reviewing the data,” […] “but if we only have an hour max from the time the phone is seized … I don't know.”

On Friday, Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, explored in an article for national security blog Just Security what this approach with exigent circumstances may look like. As well as noting it’s unclear whether judges would side with that law enforcement approach, Pfefferkorn highlighted that using exigent circumstances for iPhones in general, just in case they have USB Restricted Mode enabled (which should be, to note, on by default in the forthcoming iOS 12), is not really in the spirit of the legal mechanism.

“That is not how an exception to a rule works. 'Exigent circumstances' are supposed to be situational and case-specific. The DOJ’s own manual for electronic evidence search and seizure acknowledges as much,” she writes. DOJ’s manual says that “in electronic device cases, as in all others, the existence of exigent circumstances is tied to the facts of the individual case.”

Even with this in mind, and with members of law enforcement exploring how to use legal tools to bypass Apple’s new features, turning to exigent circumstances may not be necessary. Earlier this month, using other leaked emails, Motherboard reported that Grayshift may have already found a way to beat Apple’s USB Restricted Mode.

The Department of Justice did not respond to a request for comment.

Correction: This piece has been updated to correct the location of the local police department where an official discussed exigent circumstances. The police department was based in Arizona, not California. Motherboard regrets the error.

Update: This piece has been updated to include additional information from a second leaked email.