Roger Fingas
Data recovery firm DriveSavers is now selling a "passcode lockout recovery" service claimed to be the first for the general public able to crack any iPhone.
The company's technology purportedly ensures a "100 percent success rate" with iPhones, regardless of passcode length, according to marketing. DriveSavers doesn't say what exact means it's using, or offer an upfront price. Forensic-level recovery is typically expensive however — Grayshift for example charges a minimum of $15,000 to law enforcement agencies.
To ensure people such as thieves don't abuse its service, DriveSavers is promising to validate legal rights to data during "all phases" of a recovery attempt.
Apple and forensics firms have been engaged in an unspoken race in which the latter exploit security vulnerabilities until Apple can fix them. Once a passcode is enabled iPhones are protected with full-disk encryption, and trying to brute-force a passcode risks losing data completely if someone has chosen to enable a self-wipe after 10 failed attempts.
In October, a report revealed that Grayshift's GrayKey had been disrupted by iOS 12, limiting it to a "partial" extraction of unencrypted files and metadata.
For some law enforcement agencies it may be more practical to force a suspect to unlock a device via Face ID or Touch ID. U.S. police can't legally demand that someone turn over their passcode, but they can use biometrics. In some cases this approach has even been used with the dead.
Wesley Hilliard
AppleInsider Staff
Andrew Orr
Amber Neely
William Gallagher
35 Comments
I am really pleased to see these companies producing products like this. We need genuinely secure encryption but we also need people trying (and succeeding) to break that encryption. These products also prove that law enforcement isn’t helpless in the face of encryption and therefore need backdoors, and so they rather should be investing in techniques to legally break the encryption.
The company hasn’t provided info on the manes by which the unlock works? Could it be you have to install something on the device when you sign up, so that it can be accessed when you later find yourself locked out? Because if this is a vulnerability, for sure Apple will close it.
So, is someone from AI going to call them and see if they can recover data from a “test” device? Or at least report back what they are told about the procedure and how much it costs?
I call BS on anybody that claims “100 percent success rate” for anything. Snake oil until they show us a PoC with a random security configuration sample set (audited by a 3rd party to ensure no funny business). Also, what is the use case here for a consumer that supposedly has legal access to the data? Dementia, death of a family member, an underage member of the family, etc? The legal ramifications alone make this a sketchy proposition.