The Police Can Probably Break Into Your Phone

At least 2,000 law enforcement agencies have tools to get into encrypted smartphones, according to new research, and they are using them far more than previously known.

Jack Nicas

In a new Apple ad, a man on a city bus announces he has just shopped for divorce lawyers. Then a woman recites her credit card number through a megaphone in a park. “Some things shouldn’t be shared,” the ad says, “iPhone helps keep it that way.”

Apple has built complex encryption into iPhones and made the devices’ security central to its marketing pitch.

That, in turn, has angered law enforcement. Officials from the F.B.I. director to rural sheriffs have argued that encrypted phones stifle their work to catch and convict dangerous criminals. They have tried to force Apple and Google to unlock suspects’ phones, but the companies say they can’t. In response, the authorities have put their own marketing spin on the problem. Law enforcement, they say, is “going dark.”

Yet new data reveals a twist to the encryption debate that undercuts both sides: Law enforcement officials across the nation regularly break into encrypted smartphones.

That is because at least 2,000 law enforcement agencies in all 50 states now have tools to get into locked, encrypted phones and extract their data, according to years of public records collected in a report by Upturn, a Washington nonprofit that investigates how the police use technology.

At least 49 of the 50 largest U.S. police departments have the tools, according to the records, as do the police and sheriffs in small towns and counties across the country, including Buckeye, Ariz.; Shaker Heights, Ohio; and Walla Walla, Wash. And local law enforcement agencies that don’t have such tools can often send a locked phone to a state or federal crime lab that does.

With more tools in their arsenal, the authorities have used them in an increasing range of cases, from homicides and rapes to drugs and shoplifting, according to the records, which were reviewed by The New York Times. Upturn researchers said the records suggested that U.S. authorities had searched hundreds of thousands of phones over the past five years.

While the existence of such tools has been known for some time, the records show that the authorities break into phones far more than previously understood — and that smartphones, with their vast troves of personal data, are not as impenetrable as Apple and Google have advertised. While many in law enforcement have argued that smartphones are often a roadblock to investigations, the findings indicate that they are instead one of the most important tools for prosecutions.

“Law enforcement at all levels has access to technology that it can use to unlock phones,” said Jennifer Granick, a cybersecurity lawyer at the American Civil Liberties Union. “That is not what we’ve been told.”

Still, for law enforcement, phone-hacking tools are not a panacea to encryption. The process can be expensive and time consuming, sometimes costing thousands of dollars and requiring weeks or more. And in some cases, the tools don’t work at all.

“We may unlock it in a week, we may not unlock it for two years, or we may never unlock it,” Cyrus R. Vance Jr., the Manhattan district attorney, testified to Congress in December. “Murder, rape, robberies, sexual assault. I do not mean to be dramatic, but there are many, many serious cases where we can’t access the device in the time period where it is most important for us.”

Along with officials at the Justice Department, Mr. Vance has complained for years that smartphone encryption by Apple and Google has hamstrung investigations. His crime lab has spent hundreds of thousands of dollars on phone-hacking tools, he told lawmakers, yet remains locked out of roughly half of the iPhones it has warrants to search, or about 300 to 400 a year.

Image: A demonstration outside an Apple store in New York in 2016 protesting U.S. government efforts to gain access to the iPhone of an attacker in the 2015 shooting in San Bernardino, Calif. Credit: Bryan Thomas/Getty Images

Law enforcement regularly searches phones with owners’ consent, according to the records. Otherwise, a warrant is required.

An Apple spokesman said in an email that the company was constantly strengthening iPhone security “to help customers defend against criminals, hackers and identity thieves.” But, he added, no device can be truly impenetrable.

Google, which also offers encryption on its Android smartphone software, did not respond to a request for comment.

The companies frequently turn over data to the police that customers store on the companies’ servers. But all iPhones and many newer Android phones now come encrypted — a layer of security that generally requires a customer’s passcode to defeat. Apple and Google have refused to create a way in for law enforcement, arguing that criminals and authoritarian governments would exploit such a “back door.”

The dispute flared up after the mass shootings in San Bernardino, Calif., in 2015 and in Pensacola, Fla., last year. The F.B.I. couldn’t get into the killers’ iPhones, and Apple refused to help. But both spats quickly sputtered after the bureau broke into the phones.

Phone-hacking tools “have served as a kind of a safety valve for the encryption debate,” said Riana Pfefferkorn, a Stanford University researcher who studies encryption policy.

Yet the police have continued to demand an easier way in. “Instead of saying, ‘We are unable to get into devices,’ they now say, ‘We are unable to get into these devices expeditiously,’” Ms. Pfefferkorn said.

Congress is considering legislation that would effectively force Apple and Google to create a back door for law enforcement. The bill, proposed in June by three Republican senators, remains in the Senate Judiciary Committee, but lobbyists on both sides believe another test case could prompt action.

Phone-hacking tools typically exploit security flaws to remove a phone’s limit on passcode attempts and then enter passcodes until the phone unlocks. Because of all the possible combinations, a six-digit iPhone passcode takes on average about 11 hours to guess, while a 10-digit code takes 12.5 years.

The tools mostly come from Grayshift, an Atlanta company co-founded by a former Apple engineer, and Cellebrite, an Israeli unit of Japan’s Sun Corporation. Their flagship tools cost roughly $9,000 to $18,000, plus $3,500 to $15,000 in annual licensing fees, according to invoices obtained by Upturn.

The police can send the trickiest phones to crack, such as the latest iPhones, to Cellebrite, which will unlock them for about $2,000 a device, according to invoices. Law enforcement can also buy a similar premium tool from Cellebrite. The Dallas Police Department spent $150,000 on one, according to the records.

David Miles, Grayshift’s chief executive, said in an email that its products can help the police get into some iPhones in one day and that they have helped law enforcement “solve crimes faster in many areas, including child abuse, narcotics, human trafficking, sexual assault, homicide and terrorism.” He confirmed that Grayshift’s flagship tool costs $18,000 but declined to comment further on prices or customers.

Cellebrite said in a statement that it sold a range of products to law enforcement, and that it now had more than 7,000 customers in 150 countries. “We have experienced double-digit growth for the last few years, and we expect that trend to continue,” the company said. “As long as criminals increasingly turn to technology, there will be a need for law enforcement to stay one step ahead of them.”

Image: Cyrus R. Vance Jr., the Manhattan district attorney, has complained for years that smartphone encryption impedes investigations. Credit: Desiree Rios for The New York Times

Records obtained by Upturn show that law enforcement agencies have spent tens of millions of dollars on such tools in recent years. Andrea Edmiston, director of government affairs at the National Association of Police Organizations, said such prices had created a divide in the justice system, where officers in metro police departments can afford to search phones while rural sheriffs cannot. Money spent on such tools also can take funds away from other needs, she said.

Yet the Upturn data shows that police departments in many smaller communities have invested in phone-hacking tools. For instance, officials in Bend, Ore., population 100,000, have spent more than $62,761 on the technology since 2017. And the police department in Merrill, Wis., population 9,000, with just 10 vehicles and two bicycles, has spent $32,706 on the tools since 2013, though it has divided the cost with two nearby agencies.

With the proliferation of such tools, law enforcement has also sought to search phones for minor crimes. For instance, Upturn obtained warrants that authorized the police to search phones related to a case involving $220 worth of marijuana in Fort Worth as well as an investigation into a fight over $70 at a McDonald’s in Coon Rapids, Minn. At the Baltimore County Police Department and the Colorado State Patrol, a majority of warrants for phone searches that Upturn obtained involved drug investigations.

Logan Koepke, the lead author of the Upturn report, said the findings worried him because they showed that many police departments could gain entry to highly personal and private data, with little oversight or transparency. (Upturn is suing the New York Police Department for its records on phone searches.)

Mr. Koepke’s group asked 110 of the largest law enforcement agencies in the United States for their policies on using such tools and handling the data they extract from smartphones. Only half of those that replied said they had a policy, he said, and of those, just nine policies included substantive restrictions.

“They’re getting a window into your soul; it’s all of your contacts, your text messages, your entire location history, potentially embarrassing pictures, your account credentials,” he said. “We are placing in the hands of law enforcement something that I think is a dangerous expansion of their investigatory power.”