NewsOK: Oklahoma City News, Sports, Weather & Entertainment

'Cat-and-mouse game' persists between tech companies, law enforcement

Oklahoma City detectives have run into roadblocks trying to crack the latest version of the Apple iPhone's software, according to a story posted on Forbes' website last month.

But a local cybersecurity expert says it's only a matter of time before someone finds a way around it.

Cellphones often contain evidence of crimes that investigators need to access to prove their case in court. But measures to protect that information, like the ones included in the latest iPhone software, can create roadblocks.

"With enough time and energy, you can get into anything," said Ken Dewey, director of the cyber security program at Rose State College.

Dewey created the cyber security program at Rose State when he retired from the Air Force after 20 years. He started as a jet engine mechanic, then left the military as a network administrator in 2000. Since then, he has earned a number of advanced degrees, and he keeps up with software updates, reads technology news and travels to conferences.

Dewey doubts it will take long for law enforcement to find a way around the new iPhone security.

"I don't care what Apple does to fix it, there's going to be a vulnerability," Dewey said. "If there were no more vulnerabilities, why would they change it? Why would there be updates?"

Emails from an Oklahoma City police detective leaked to Forbes magazine show the department first encountered a problem getting into an iPhone loaded with iOS 14.4.1 just 10 days after the update was available.

Law enforcement officers use a variety of password-bypass programs such as GrayKey from Grayshift or Cellebrite to access evidence on cellphones. But the most recent iPhone update posed a unique challenge.

"We have run into our first phone with 11.4.1 yesterday and it's confirmed," a leaked email reads. "Plugging the device into the GrayKey results in the phone signaling that it's charging but the GrayKey does not recognize that a phone is plugged into it."

The newest update has a built-in feature that makes it impossible to move data from the phone via a USB connection if the phone has been locked for an hour, even when investigators are using those bypass tools.

Instead, the emails reveal, detectives are able to reset that internal timer simply by plugging the phone into another device before that 60-minute window elapses. If they don't, they're out of luck unless they can get a passcode to unlock the phone, or until one of these companies finds a way to crack the security.

"They could be lucky and guess it," Dewey said. "Believe it or not, most people really suck at passwords. The word 'password' is the number two most common password in the world."

What's more likely is that someone will find a back door in the code, or spend enough time tinkering with the device to find ways around it.

Although police would not comment on specific issues and tactics related to accessing cellphone information, Oklahoma City Capt. Bo Mathews said police started using GrayKeys this year. The department paid $15,000 for a subscription to the service. The department has also been using Cellebrite for years, Mathews said.

Dewey said that cracks and loopholes in the security may have already been found, but not publicized. Such vulnerabilities are called "zero-day exploits."

To create applications for the iPhone, Apple turns over the code for its operating system to developers. That allows programmers to discover the inner workings and weaknesses of the code and sell that information.

One cyber security company has a contract with the federal government to provide 24 such exploits a year, he said.

Another problem that many police departments may experience is not having the ability to pay for the software to bypass passwords. Instead, they are forced to rely on the Oklahoma State Bureau of Investigation to crack the phone, which takes time.

But no matter what, Dewey said, someone somewhere will find a way to access the information — most likely sooner rather than later.

"I haven't seen anything that hasn't been broken," Dewey said.
