Can Your Government Hack Your Apple Devices?

The iPhone is unquestionably one of the most secure cell phones globally. However, Apple’s claim that its products are “unhackable” isn’t entirely accurate. Apple’s iOS security is fantastic. However, do not depend only on Apple to keep your data safe.

Sadly, the government has a few methods to hack into your iPhone and steal your personal information. The bad news is that many law enforcement organizations and police departments use these techniques. Thus, it allows them to get information from almost anybody.

Companies That Have Assisted Government in Accessing Apple Devices

1. Grayshift

An Atlanta-based business called Grayshift has invented a hacking gadget called GrayKey. The firm claims to aid the police and government. According to Grayshift, GrayKey is “a state-of-the-art forensic access tool that extracts encrypted or inaccessible data from mobile devices.”

According to a search warrant made public by Forbes, the FBI possesses the BlackBox technology. They use this technology to hack password-protected smartphones. The warrant showed that the FBI used Grayshift technology to unlock Baris Ali Koch’s encrypted iPhone 11 Pro Max. Koch was suspected of assisting his brother to escape the United States. His brother had been guilty of a hate crime. 

Allegedly, Grayshift can defeat Apple’s iPhone passcode security using brute-force assaults. As the business stated, they bypass iPhone protection with brute-force assaults and a complete file-system extraction (File-Based Encryption). 

There’s supposedly a two-hour window for a four-digit passcode with the device. In addition, it took three days or more for a six-digit passcode to unlock an iPhone using Grayshift’s GrayKey BlackBox.

This is because it is one of the most excellent tools for hacking into iPhones and other Apple devices that makes it so popular. As a result, law enforcement uses it.

In 2018, Apple claimed that an iOS upgrade had restored the security of the iPhone against Grayshift’s GrayKey BlackBox. However, the warrant indicated that Apple’s upgrade may not have been as successful as the FBI had anticipated.

Grayshift has been a bit of a cat-and-mouse game for Apple. Despite Apple’s best efforts to strengthen the iPhone’s security so GrayKey cannot hack it, Grayshift has managed to make GrayKey work.

One of Apple’s long-term objectives has always been to keep your data private. So, the corporation constantly explores new methods to keep GrayKey out. Yet, Grayshift has continued to use GrayKey to continue hacking iPhones and iPads.

2. NSO Group

Israeli company NSO Group is a firm that claims to supply and sell information to approved government and law enforcement organizations for the prevention of terrorism, automobile explosions, and the dismantling of prostitution and drug trafficking rings.

According to Amnesty International, NSO Group’s Pegasus ransomware on iPhones was linked to journalists and human rights attorneys. This gave the attacker access to texts, emails, the phone’s microphone, and the camera.

Even if you keep your iPhone up-to-date, you can’t stop a devoted hacker who’s employing pricey and clandestine spy software to snoop on your data, according to the latest revelations from the NSO Group.

Users may not be able to defend themselves against NSO’s malware by modifying their behavior, such as not clicking on suspicious or phishing links in communications. Amnesty International said that affected users just had to click on a malicious website in an email message in previous Pegasus versions.

According to a list released by Amnesty International, NSO Group’s surveillance software may have addressed 50,000 phone lines in the United States. As a result, it discovered evidence of the usage of NSO Group software on Android smartphones. But it couldn’t investigate them in the same manner as the iPhones.

An NSO Group representative stated the corporation would examine any reports of abuse after the release of this study.

“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data,” the NSO spokesperson said.

3. Cellebrite

Companies like Cellebrite are profiting from this problem by identifying new weaknesses and hacks to circumvent iPhone security. Then, they offer these “mobile device forensic tools” (MDFTs) to law enforcement and other governmental organizations for a large price, packaged with these vulnerabilities.

The San Bernardino shooting in 2016 revealed that the FBI acquired at least $2 million in Cellebrite products since 2012. Some regional law enforcement agencies adopted Grayshift’s technology. Also, the  Immigration and Customs Enforcement (ICE) and the United States Secret Service awarded the company contracts

A student admitted to giving the school access to their phone for the purpose of conducting a search in one such instance in the year 2016. Detectives used a Cellebrite machine to find deleted text conversations between the student and the instructor. Thus, this act led to an arrest.

How These Companies Work

Cellebrite and Grayshift tools don’t truly breach iPhone encryption; they merely guess the passcode. However, because of vulnerabilities like Checkm8, they can bypass the system’s 10-attempt password limit. An iPhone erases its data after ten unsuccessful tries. So blasting through hundreds of possible passwords until one is successful is how the tools go about their business.

As a result, the Pensacola case’s wild card is the length of the suspect’s passphrase. Almost definitely, police can crack a six-digit password on an iPhone. However, it may be difficult if the list is more extensive. 

For a four-number code, you’d need to guess for seven minutes on average. One needs about 11 hours if the number is six digits or higher. 

This means that it takes longer to break the password if the passcode includes both numbers and letters. Attempting to guess a six-character alphanumeric password would take an average of 72 years.

Each estimate on an iPhone gets calculated in 80 milliseconds. Note that software can potentially attempt hundreds of passcodes a second, despite how little that may appear at first. However, it can only make 12 attempts per second because of the latency.

Steps Apple Claims to Employ

San Xoese Dogbe worked for former President John Dramani Mahama of Ghana as a presidential aide. San Xoese revealed images of an Apple email alerting him that certain State-Sponsored attackers are attempting to breach his phone and gain access to sensitive data on his Apple iPhone. The message said:

“Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID. These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously.”

In November 2021, Apple issued a press statement announcing that it had launched a lawsuit against NSO Group. Apple said that NSO Group broke into Apple devices using an exploit for an already fixed vulnerability.

Apple has issued notifications to targets of state-sponsored attackers in Thailand, El Salvador, and Uganda only hours after launching a lawsuit against Israeli spyware producer NSO Group.

Those targeted include El Faro, an El Salvador online digital media. El Faro is widely known to be critical of the administration. Furthermore, other victims include two heads of civil society groups and two opposition lawmakers. Norbert Mao, President of Uganda’s Democratic Party, also tweeted that he got the threat warning.

At least six Thai critics, including political scientist Prajak Kongkirati and researcher Sarinee Achananuntakul, received a dangerous threat. Reuters reported that Thai activist Yingcheep Atchanont of the legal monitoring organization iLaw also got the notice. In addition, citizen Lab discovered in 2018 that there was a Pegasus spyware operator operating out of Thailand.

How to Avoid Being the Victim of a Hack

Apple released a list of internet safety tips that everyone should follow. These tips include:

  • Make sure your devices are running the most recent software, which includes the most up-to-date security updates.
  • Always use passwords to secure devices.
  • You should secure your Apple ID with two-factor authentication and a complicated password.
  • Use the App Store to download applications.
  • Use passwords that are complex and unique.
  • Don’t open attachments or links sent by untrusted sources.
  • When your phone gets hacked, you might not get a danger alert. You should enlist the advice of an expert if you suspect a hack on your phone, even if you haven’t gotten a danger alert. Apple cannot detect all attacks. In addition, Apple cannot detect all sophisticated state-sponsored attacks. Thus, be vigilant always. To be sure, there are low chances that a random person can be hacked. Although you can never be too watchful, even being aware of the dangers may help you stay safe.

Meanwhile, make sure your iPhone is running the most recent version of iOS.

The Operation of Apple’s Threat Alerts

If Apple has reason to believe that a hacker has gained access to one of its devices, it will alert the owner through two different methods. In the first place, when a user accesses and logs in to appleid.apple.com, Apple will show a Threat Notification at its top. Additionally, Apple sends an email and iMessage notice to the user’s Apple ID phone number and email address. Upon receiving a threat notice, the user has the option to learn more about how to better secure their device.

Apple’s danger notification service will not send links, files, or programs. Also, passwords will never be prompted by Apple’s danger notification service. Check the authenticity of notification by signing into your Apple ID account. Scammers will attempt to trick you if there isn’t a notice at the very top of the page.

Conclusion

Apple has prided itself in being very safe and secure for years. Furthermore, we saw that Apple has refused to grant the government access to even suspected criminals’ Apple devices. While this might be true to some level, there are still cases of the government accessing individuals’ iPhones without Apple’s permission.

iOS code is difficult, time-consuming, and expensive to alter. Make sure you’re not blindly trusting your iPhone and the web. Do not click a link from an untrusted source. Don’t give your personal information to anybody whose legitimacy you can’t verify by looking at their website.

It’s impossible to hack your iPhones through phone calls. A scammer can trick you into handing up personal information by a scammer. The scammer then uses that information to hack your phone or steal your identity. Finally, avoid using programs that request rights you don’t need. A few simple security precautions can have a big impact.