GrayKey device. | Source: MalwareBytes
In 2019, FBI investigators working on a case in Ohio were tasked with executing a search warrant on property owned by Baris Ali Koch, reports Forbes. Among the items seized was a locked iPhone 11 Pro Max that, according to the report, investigators subsequently accessed without Apple’s help.
Koch stands accused of misprision of a felony for helping his convicted brother flee the U.S. by providing a duplicate driver’s license and lying to federal agents. He is currently awaiting sentencing.
As part of the investigation into Koch, FBI personnel on Oct. 11, 2019, acquired the suspect’s iPhone 11 Pro Max which, according to Koch’s lawyer, Ameer Mabjish, was locked and protected by a passcode. Mabjish confirmed to Forbes that no passcode was furnished to authorities, nor was Koch forced to unlock the iPhone via Face ID authentication.
Interestingly, a search warrant filed on Oct. 30 reveals the FBI has in its possession a USB drive containing “GrayKey derived forensic analysis” of the iPhone in question. Produced by startup Grayshift, GrayKey is a data forensics tool that enables law enforcement agencies to thwart iPhone security protocols for purposes of data extraction.
While not specified in the Oct. 30 search warrant, the report suggests the FBI successfully deployed GrayKey to gain access to Koch’s iPhone 11 Pro Max.
If officials were indeed able to crack Apple’s latest iPhone security safeguards, it is possible that the FBI and other agencies have a means to access the much older iPhone 5 and iPhone 7 Plus handsets involved in a more recent case.
Last week, the FBI asked Apple for assistance in “unlocking” two iPhones owned by Mohammed Saeed Alshamrani, a Saudi Air Force cadet accused of killing three sailors and injuring eight others in an attack at the Naval Air Station in Pensacola, Fla., in December. The situation escalated quickly, with Attorney General Bill Barr putting out a public plea for Apple’s compliance on Monday, while President Donald Trump slammed the company for its stance on strong device encryption a day later.
The Department of Justice claims it has exhausted all internal and external options, meaning Apple’s expertise is the only path forward. Officials refuse to enumerate exactly what methods were attempted.
While Apple has cooperated with FBI requests by handing over user data like iCloud backups and account information, it has declined to extract data from Alshamrani’s iPhone as doing so would necessitate the creation of a backdoor. The tech giant is staunchly opposed to such action as it would purportedly threaten the security of all iPhone users.
Pundits speculate Trump, Barr and the DOJ are using the Pensacola case to rope Apple into a precedent-setting legal fight over encryption. Apple faced a similar court battle in 2016 when it refused to unlock an iPhone 5c used by the San Bernardino shooter. In that case the DOJ threatened a showdown but pulled out at the eleventh hour after finding a third-party contractor capable of extracting data from the device.
That said, the DOJ might be telling the truth. Apple could have identified and patched the vulnerabilities GrayKey leveraged to break iPhone 11 Pro Max encryption in the intervening months since Koch’s iPhone was seized. Alternatively, GrayKey could be in possession of an exploit that applies only to newer model handsets, though such a scenario is unlikely given Apple’s encryption architecture.
In any case, Apple is reportedly preparing for a legal scrum as it simultaneously works to keep the issue out of court.