Phone Crackers

The Cat-and-Mouse Game Between Apple and the Manufacturer of an iPhone Unlocking Tool

The confusion over a security feature in the iOS 11.3 beta shows Apple might be trying to hinder GrayKey, the popular iPhone-unlocking device for cops.


This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it.

When Apple was preparing to release iOS 11.3 for iPhones and iPads in late March, the update to the operating system caused the manufacturer of a popular iPhone unlocking tool—and their customers in police departments around the country—to worry.

Former Apple security engineer Braden Thomas, who now works for a company called Grayshift, warned customers who had bought his GrayKey iPhone unlocking tool that iOS 11.3 would make it a bit harder for cops to get evidence and data out of seized iPhones. A change in the beta didn’t break GrayKey, but would require cops to use GrayKey on phones within a week of them being last unlocked.

“Starting with iOS 11.3, iOS saves the last time a device has been unlocked (either with biometrics or passcode) or was connected to an accessory or computer. If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled,” Thomas wrote in a blog post published in a customer-only portal, which Motherboard obtained. “You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point. This is termed USB Restricted Mode and it affects all devices that support iOS 11.3.”


The feature, which was present in the beta, seemingly did not make its way into the final 11.3 release. But the news highlights how companies like Grayshift or established mobile forensics firm Cellebrite are constantly playing a cat-and-mouse game with Apple. Each operating system update potentially complicates how cops break into phones.

Regardless, law enforcement departments around the country that had bought GrayKey were concerned by the development, according to online communications between law enforcement and the mobile forensics community viewed by Motherboard.

In the iOS 11.3 beta release notes, Apple describes USB Restricted Mode like this:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

In other words, with USB Restricted Mode enabled, if you’re a law enforcement agent and you get a locked phone from a suspect, you might have a week at most to plug it into an unlocking device, and you have to hope the phone had been plugged in and unlocked within a week of it being seized. Apple declined to comment on the record for this article.

The change would not have stopped GrayKey or other iPhone unlocking tools from working altogether, but it would have provided another obstacle law enforcement officials need to consider when trying to unlock up-to-date iPhones. A source in the forensics industry, who is not a Grayshift employee, told Motherboard that the iPhone unlocking device does indeed work. Motherboard granted the source anonymity to discuss industry developments.


Thomas, the ex-Apple engineer who now works at Grayshift, wrote a follow-up blog post saying his initial analysis of what USB Restricted Mode is and its potential implications was correct, but as it turned out, he wrote, the feature was “disabled” in iOS 11.3.

Grayshift has been demoing its product to police forces, according to emails obtained by Motherboard. Other internal agency documents, online records, and conversations with law enforcement officials show that regional police, such as Maryland and Indiana State Police, have procured the technology; local forces may have purchased it; federal agencies such as the State Department have cashed in; and the FBI, DEA, and Secret Service are all looking to buy a number of GrayKey units themselves too.
