
Inside the $10 million cyber lab trying to break Apple’s iPhone

The Trump administration wants Apple to create a backdoor into the iPhone. District Attorney Cy Vance Jr. has spent millions trying to find other ways in.

Manhattan District Attorney Cy Vance Jr. [Photo: Samir Abady for Fast Company]

The entrance to the radiofrequency isolation chamber, near the middle of the Lefkowitz Building in lower Manhattan, looks like an artifact from the Apollo program, shielded by two airtight, metallic doors that are specially designed to block electromagnetic waves. Inside the room, against one wall, are dozens of Apple iPhones and iPads in various states of disrepair. Some have cracked glass fronts or broken cases. Others look like they’ve been fished out of a smoldering campfire. Of course, the devices are not there to be fixed. They are evidence confiscated during the commission of alleged crimes.


The district attorney of Manhattan, Cyrus Vance Jr., and the city’s cybercrime unit have built this electronic prison for a very specific purpose: to try, using brute force algorithms, to extract the data on the phones before their owners try to wipe the contents remotely. 

Inside the first of two doors of the district attorney’s cybercrime unit’s radiofrequency isolation chamber. [Photo: Samir Abady for Fast Company]
Welcome to ground zero in the encryption battle between state and federal law enforcement officials on one side, and trillion-dollar tech giants Apple and Google on the other. About five years ago, with the introduction of its iOS8 operating system, Apple decided to encrypt all of its mobile devices—protecting both consumers and criminals from prying eyes. Google quickly followed suit, locking down its Android devices. The result has been an escalating cat and mouse game between Washington and Silicon Valley, with prosecutors like Vance trying to break into the phones, and Apple and Google racing to stop them.

What’s going on in the isolation room is important, if silent, forensic work. All of the phones are hooked up to two powerful computers that generate random numbers in an attempt to guess the passcode that locked each device. At night, technicians can enlist other computers in the office, harnessing their unused processing power to create a local supercomputer network. “All of these phones are in various states of being attacked,” explains Steven Moran, the director of the High Technology Analysis Unit. He shows me one phone where 10,000 random sequences have been tried. That would have been enough to crack a four-digit key, which has 10,000 possible combinations. But beginning in 2015, Apple began requiring a six-digit passcode—boosting the total permutations to 1 million.

(Clockwise from top left) Kenn Kern, chief information officer (left), Michael Sachs, chief of the investigation division (center), and Raymond Legendre, strategic communications specialist (right); Liz Roper, chief of cybercrime and identity theft (left), and Kenn Kern (right); Michael Sachs, Kenn Kern, Cy Vance Jr., Raymond Legendre, and journalist William Cohan; Cy Vance Jr. [Photo: Samir Abady for Fast Company]
Since Apple limits the number of times per minute that a passcode can be tried, Moran has to think like Sherlock Holmes to narrow down the possibilities before the prosecution’s window of opportunity—or the statute of limitations—expires. “Do they like the Mets?” Moran explains. “Do they like the Yankees? Is their favorite player Derek Jeter? Is their favorite player Mickey Mantle? What’s the dog’s name? What’s the kid’s birthday? What’s their birthday? Where did they get married? What date did they get married? We are looking for any edge that we can try to find.”

At the same time, Moran and Vance have to decide which devices to prioritize. On the day I visited the cyber lab, there were nearly 3,000 phones, most related to active criminal investigations, that Moran had not yet been able to access. The team has built a proprietary workflow management program, using open source software, to triage the incredible volume of incoming devices and to escalate the most important cases. “So if a third party were to say ‘hey, we have a solution that will work on iOS 12.1.2 and it costs X amount of dollars,’ I can see within five seconds that that’s going to affect 16 different phones,” Moran says.   

Steve Moran, director of the High Technology Analysis Unit (left), and Manhattan District Attorney Cy Vance Jr. (right). [Photo: Samir Abady for Fast Company]
Of course, Moran’s counterparts in Silicon Valley are just as committed to keeping the government out. Apple and Google have gone to great lengths to encrypt the data on their hugely popular devices, which together comprise nearly 99% of the smartphone market and are used by billions of people worldwide. Apple argues that it is protecting our privacy by ensuring that no one—not even Apple—can gain access to our most intimate personal data. Vance is skeptical that Apple doesn’t have a secret backdoor. “They get into my phone all the time because they upgrade my operating systems and they send me messages,” he says. But protecting privacy has become central to Apple’s marketing pitch. The subtext is clear: We’re not Facebook, and we’re going to fight to keep it that way. 


That’s a huge digital thorn in Vance’s side. The problem is that criminals also use Apple and Android phones, and the data hidden inside them—GPS coordinates, text conversations, transcripts of voicemails—are often essential for prosecuting them. Without access to their devices, Vance argues, some criminals may go free while others, accused of crimes they didn’t commit, may end up incarcerated. He recalls how, after months and months of trying, Moran’s lab was finally able to break into an iPhone belonging to E’Dena Hines, the 33-year-old granddaughter of actor Morgan Freeman, and used a video they found to help convict her boyfriend of stabbing her to death. There have also been at least 16 cases where information obtained from smartphones has exonerated alleged suspects. “That just matters,” Vance says. 

Liz Roper. [Photo: Samir Abady for Fast Company]
Vance has been at war with Silicon Valley since September 2014, when Apple introduced iOS8. He’s met with Interpol and Europol, published op-eds in newspapers across the country, and written letters to Apple CEO Tim Cook and Google cofounders Sergey Brin and Larry Page, imploring them to help solve the problem. He has yet to have meetings with the leaders of these companies but he’s hopeful he will. “The single most important criminal justice challenge in the last 10 years is, in my opinion, the use of mobile devices by bad actors to plan, execute, and communicate about crimes,” he testified before the Senate Judiciary Committee in December. “Just as ordinary citizens rely on digital communication, so do people involved in terrorism, cyber fraud, murder, rape, robbery, and child sexual assault.” 

What’s particularly baffling for Vance, who has been Manhattan’s district attorney for a decade, is that before September 2014, the tech giants seemed happy to help prosecutors get the data they needed. Whenever Vance obtained a search warrant for a smartphone, he would pay for a detective to fly the device to Apple’s headquarters in Cupertino. A few days later, Apple would return the phone, plus a thumb drive with the data specified in the search warrant. “They liked working with law enforcement and were proud of their working with law enforcement,” Vance says. (Representatives for Apple and Google did not immediately respond to requests for comment.)

Boris, a cryptographer. [Photo: Samir Abady for Fast Company]
The cooperative relationship began to unravel in the aftermath of Edward Snowden’s revelations, in 2013, that the U.S. National Security Agency had been operating a global surveillance program with the participation of telecoms including Apple, Google, Microsoft, Yahoo, and Facebook. All the companies named in the Snowden leaks denied providing the government with direct access to their servers or data without a court order, but Apple went even further. With the introduction of iOS8, about a year later, Apple said it would no longer perform “data extractions in response to government search warrants” because the files are protected by an encryption key, tied to the user’s passcode, which Apple “does not possess.” 

The effect on law enforcement was immediate. “It had a big impact right away on our cases,” Vance says. “The inability to access devices in small cases and big cases was having an impact on our ability to get evidence.” Vance appealed to Apple, and later to Google, without success. He visited with members of Congress and pushed for legislation to fashion a compromise, but no legislation was forthcoming. In the meantime, the tech companies continued upgrading their software to stay one step ahead. When the FBI paid an Israeli forensics firm to hack an iPhone belonging to the 2015 San Bernardino mass shooter, for instance, Apple responded by patching the vulnerability.  

“We had to figure out what we were going to do with this new situation over which we had no control,” Vance says. So at a cost of some $10 million, Vance decided to build his own high-tech forensics lab—the first of its kind within a local prosecutor’s office.


[Photo: Samir Abady for Fast Company]
Moran stocked the cyberlab with mind-bending hardware and a crack team of technology experts, many of whom are ex-military. Proprietary software provides prosecutors with real-time information about each smartphone in their possession, which can be removed from the radiofrequency-shielded room using Ramsey boxes—miniaturized versions of the isolation chamber that allow technicians to manipulate the devices safely. In other corners of the lab are a supercomputer that can generate 26 million random passcodes per second, a robot that can remove a memory chip without using heat, and specialized tools that can repair even severely damaged devices. (Word to the evil: If you really want to destroy your iPhone, try throwing it into the ocean. For electronics, saltwater is the most readily available corrosive substance.)

Still, Moran’s job keeps getting more difficult. Five years ago, only 52% of the smartphones that the District Attorney’s office obtained were locked. Today, that figure is 82%. Vance says the cybercrime lab is able to successfully crack about half of the phones in his possession, but whenever Apple or Google update their software, they have to adapt. “Every time there’s a new operating system that comes in, that’s another more complicated layer to crack,” he says. “The problem with that, particularly from a law enforcement perspective, is, first of all, time matters to us. If we seize a phone that is iOS 10 but can’t open the phone, maybe never, but, say, not for another two years, well, that’s not the timeframe in which cases move, particularly cases when they’re in court.”

Apple argues that Vance can get iPhone data from its cloud server without cracking the phone itself. “It sounds fabulous,” Vance says, “but if you’re a serious criminal, you’re not going to back it up.” And that’s not the only problem with cloud technology. A user can choose what kinds of information are stored remotely. Messaging apps like WhatsApp, Signal, and Telegram are designed to delete texts after a certain number of minutes. And in many cases, Moran says, smartphones won’t back up to the cloud in the brief period of time between when a crime takes place and a suspect shuts off their phone.

Privacy advocates point out that law enforcement can still obtain device metadata—such as the time and location of a phone call—from unencrypted SIM cards or wireless phone carriers. But Vance says it’s the difference between being able to read the contents of a letter and just having the envelope the letter came in. “If you want to find out what they’re talking about with regard to any specific crime,” he says, “you’ve got to get the letter itself.” Adds Moran: “Even if we are lucky enough to get into the cloud or even if we’re lucky enough to get some of the metadata, we’re still missing an awful lot of important information that’s critical to the investigation.”

Doug, a cryptographer. [Photo: Samir Abady for Fast Company]
Vance is careful to say that he’s not “whining” about the problem. He knows he is better off than 99% of the other jurisdictions in the country. Thanks in part to the billions of dollars the city has collected from prosecuting financial crimes on Wall Street, Vance is able to continue operating his $10 million lab. “But it’s not the answer,” he says, “and it’s not the answer for the country because we are an office that is uniquely able to pay for expensive services.”

Last week, Vance picked up an unexpected ally in Attorney General William Barr, the Republican head of the Justice Department. On January 13, Barr called on Apple to open two encrypted iPhones used by the alleged gunman in a December shooting at Naval Air Station Pensacola that resulted in the deaths of three sailors. The federal government has labeled the crime an act of terrorism. “We don’t want to get into a world where we have to spend months and even years exhausting efforts when lives are in the balance,” Barr said. “We should be able to get in when we have a warrant that establishes that criminal activity is underway.” It’s the same argument that Vance, a Democrat, has made for years. As expected, Apple disputed Barr’s characterization of the help it has provided to the Justice Department. “Our responses to their many requests since the attack have been timely, thorough, and are ongoing,” Apple responded, while refusing to open the iPhones.


Vance is happy to have Barr raise the profile of an issue he’s been trying to resolve. But he remains a little wary. “I’ve been sued by the president, so there’s certain things where we’re on the opposite side and there’s other things where we are on the same side,” he says. “If the goal is to raise awareness around the issues sufficient to move senators and congressmen and women to pass legislation then I think it’s a net good thing. To the degree that it moves people the other way I think it’s a bad thing.”

Liz Roper (left), Raymond Legendre (center left), Kenn Kern (center right), and Michael Sachs (right). [Photo: Samir Abady for Fast Company]
In the end, Vance just wants prosecutors to have all the tools available to do their jobs. “You entrust us with this responsibility to protect the public,” he says. “At the same time, they”—Apple and Google— “have taken away one of our best sources of information. Just because they say so. It’s not that some third party has decided, this is the right thing for Apple and Google to do. They just have done it.” He believes there should be a balance between protecting user privacy, getting justice for victims of crimes, and not thwarting the ability of prosecutors to do their jobs. “It’s corny,” he continues, “but me and every one of my assistants take an oath when they start their jobs. It’s not just like showing up at Goldman Sachs. It’s a different responsibility.” 

Vance says it’s not fair that Apple and Google get to set these rules unilaterally. “That’s not their call,” he concludes. “And it’s not their call because there’s something bigger here at issue rather than their individual determination of where to balance privacy and public safety. What’s bigger is you’ve got victims and you’ve got a law enforcement community who have strong imperatives that should be recognized and balanced equally with the subject decision-makers by the heads of Apple and Google. Today, I think it’s unbalanced.”

[Photo: Samir Abady for Fast Company]
William D. Cohan is a journalist and author of six books, including his latest, Four Friends: Promising Lives Cut Short.
