News

Unlocking your phone's secrets: Devices give access to those willing to pay up

BOSTON — FBI agents were frustrated. They couldn’t crack into Desmond Crawford’s phone.

Crawford, a suspected member of the violent street gang Columbia Point Dawgs, is accused of running drugs and shooting a rival gang member. In 2016, investigators were convinced his two cell phones contained incriminating text messages and cell numbers.

But investigators couldn’t access the locked devices.

“Probable cause exists to believe that [the cell phones] will contain evidence of violations of racketeering laws,” FBI agent Mathew Knight wrote in an affidavit to a judge in Feb. 2016. The agent believed Crawford used his iPhone to “discuss details related to the shooting of a rival gang member.”

Knight asked the judge for “authorization for an order requiring Apple” to help bypass the phone’s lock screen.

But following the deadly 2015 San Bernardino terrorist attack that left 14 dead, Apple has famously refused to help law enforcement unlock devices, citing privacy concerns for millions of Apple customers.

“The government suggests this tool could only be used once, on one phone. But that’s simply not true,” Apple’s CEO Tim Cook wrote in 2015. “Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes,” Cook said.

“No reasonable person would find that acceptable,” he wrote.

Apple’s defiance has forced investigators to find help elsewhere.

CRIME-FIGHTING TOOL IN USE IN MASSACHUSETTS

“It’s a very difficult problem for anybody,” Worcester Police Sergeant Brian Bisceglia said.

Bisceglia oversees the department’s cyber crimes unit. He said the Worcester Police Department pays the Israeli company Cellebrite close to $50,000 a year for the software to unlock an unlimited number of cell phones.

But Bisceglia said sometimes Cellebrite’s software isn’t enough to crack a phone’s encryption. Companies like Apple, Google and Samsung are quick to update their operating system to close any potential “backdoor entrances.”

"It depends on the phone, the version of the operating system, that's really key,” Bisceglia said. “It’s an evolving problem all the time.”

Cyber security experts warn if police are using technology to unlock phones, then criminal hackers will want to take advantage of the same technology.

“There’s no such things as a backdoor that only one person can use,” Thomas Reed said.

THE GRAYKEY

Reed is a blogger for the tech website Malwarebytes. Earlier this year he published the only known picture of another cellphone-unlocking device, the GrayKey. The GrayKey is made by the Atlanta-based company Grayshift and their products are shrouded in secrecy.

Reed said he was told about the GrayKey by a member of law enforcement who was uncomfortable with what the device could do.

"He felt like the public had a right to know about that, that it shouldn't be a secret,” Reed said.

‘CAT AND MOUSE GAME’ FOR PRIVACY CONCERNS

David O'Brien, a senior researcher with the Berkman Klein Center for Internet & Society at Harvard University, said this is a cat and mouse game with serious implications for millions of cell users.

“There isn’t much to prevent a company from selling the devices to people—to anyone—not just law enforcement,” O’Brien said. “On the one hand, law enforcement is obviously very interested in gaining access to the types of information that we have on our cell phones to conduct investigations. On the other hand, we’re also concerned about the same vulnerabilities on the phones that can be exploited by hackers that just want to do bad things.”

Tech experts said Apple’s latest iOS update in October rendered the Gray Key ineffective.