INDIANAPOLIS (WISH) — What if the information you had on your iPhone was not as secure as you thought? Experts who spoke with I-Team 8 tell us that is exactly the case. A new law enforcement tool is making it even easier for police to get inside your phone, even without your permission.
We carry our phones around everywhere. We use them to communicate, share information, get places, and store secrets. However, what you store on your phone is much less private than you think.
“Some phone companies, they'll give you the actual body of the texts on your phone,” said Novella Nedeff, an attorney and a professor at Indiana University McKinney School of Law.
Nedeff said attorneys often use a subpoena to get information off your phone from your cell carrier. But a new law enforcement tool called “GrayKey” helps police get the information right off the phone itself.
I-Team 8 does not have a photo of it, but GrayKey is a small box, about the size of a portable external hard drive. If you plug it into an up-to-date iPhone, it will unlock the phone. GrayKey basically guesses the passwords until it gets the right one.
“Your iPhone typically would lock out after 10 attempts at doing that, but with the exploit that bypasses that feature, you can guess all of them,” said Jason Ortiz, a senior engineer at a local cyber security firm called Pondurance.
“From the grand scheme-type, 10,000-foot-picture, really, the iPhone is a very, very secure device,” Ortiz said.
How is this all legal? It's not legal unless police have a search warrant — just as if they wanted to search your home.
“The existence of this device doesn't give the police a legal right to just have a fishing expedition,” said Nedeff.
However, Nedeff said the technology itself is a game changer. According to CNN, the FBI paid more than $1 million in 2016 to unlock the San Bernardino shooter's phone.
“This is considerably cheaper,” Nedeff said. “My understanding is the State Police have used it about 100 times.”
Indiana State Police got GrayKey in March, and the Indianapolis Metropolitan Police Department got it in April.
IMPD and ISP each bought the GrayKey device and licensing to use it for about $15,000. Neither agency was willing to be interviewed on camera, but sent the following statements:
IMPD Dep. Chief of Investigations, Christopher Bailey:
On Friday, April 27, 2018, the IMPD Digital Forensics Unit received the GrayKey hardware/software. GrayKey is used ONLY for iOS (Apple) devices.
The device provides forensic examiners a highly specialized law enforcement "tool" to retrieve data from iOS devices. In turn, this data provides information, sometimes pivotal information, to detectives which is useful in solving crimes. Recently, using the GrayKey device, a forensic examiner was able to locate and provide information which was instrumental in solving an active murder investigation. With this new technology we are able to level the playing field slightly and keep pace with criminals.
The examinations are performed ONLY after we are legally authorized to do so (i.e.: valid and signed search warrant, consent etc.).
David R. Bursten, Captain, Indiana State Police:
-Why did ISP decide to obtain GrayKey? To increase our ability to comply with search warrants that direct electronic devices be searched.
-When will ISP have the device? The capability was acquired in March of 2018.
-How does GrayKey work and what does it do? While we do not address the specifics of how different investigative tools work, I can tell you it helps our ability to comply with search warrants for the forensic examination of locked cellular devices.
-How is GrayKey a useful law enforcement tool? It helps our ability to comply with search warrants for the forensic examination of locked cellular devices, thereby collecting both exculpatory and incriminating evidence, identifying victims, and preventing further victimization in ongoing crimes.
-How does ISP plan to balance privacy concerns about such a device? The capability is only used as part of an ongoing criminal investigation, in compliance with a search warrant issued by a judge, or under long-standing exceptions to the warrant requirement under federal and state laws.
-In what ways can GrayKey help protect the public? Think about crimes where children have been victimized, or unsolved murder investigations, or other crimes where related evidence may have been stored on a locked electronic device. If police are not able to collect evidence in compliance with a search warrant, they are not able to save child sex victims from ongoing abuse, obtain both incriminating and exculpatory evidence in criminal investigations, or fully provide facts to prosecutors, defense counsel, judges, and juries.
It is a reminder that your phone is not as private as you might think, with or without devices like GrayKey.
“Anything out there, just like something that you lock behind the door in your house can be gotten at, and we need to face that, that's reality,” said Nedeff. “If it's out there, if it's in your phone, yeah, people can get to it.”