Just two days after the attempted assassination at former President Donald Trump’s rally in Butler, Pennsylvania, the FBI announced it “gained access” to the shooter’s phone. The bureau has not disclosed how it broke into the phone — or what has been found on it — but the speed with which it did so is significant, and security experts say it points to the increased efficacy of phone-hacking tools.
In a call with reporters on Sunday, the bureau said field agents in Pennsylvania had tried and failed to break into Thomas Matthew Crooks’ phone. The device was then sent to the FBI lab in Quantico, Virginia.
“Almost every police department in the nation has a device called the Cellebrite”
Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, said that law enforcement agencies have several tools at their disposal to extract data from phones. “Almost every police department in the nation has a device called the Cellebrite, which is a device built for extracting data from phones, and it also has some capability to unlock phones,” Quintin said. Cellebrite, which is based in Israel, is one of several companies that provides mobile device extraction tools (MDTFs) to law enforcement. Third-party MDTFs vary in efficacy and cost, and the likely FBI has its own in-house tools as well. Last year, TechCrunch reported that Cellebrite asked users to keep use of its technology “hush hush.”
“It seems reasonable to me that the field office there [in Pennsylvania] wouldn’t have some of the more advanced techniques for breaking into modern phones that they have at Quantico,” Quintin told The Verge hours before the FBI announced it had successfully gained access to Crooks’ phone. “I have little doubt that Quantico will be able to break into this phone, whether that’s in-house or whether that’s through using outside help — like from Cellebrite, for example.
A 2020 investigation by the Washington, DC-based nonprofit organization Upturn found that more than 2,000 law enforcement agencies in all 50 states and the District of Columbia had access to MDTFs. GrayKey — among the most expensive and advanced of these tools — costs between $15,000 and $30,000, according to Upturn’s report. Grayshift, the company behind GrayKey, announced in March that its Magnet GrayKey device has “full support” for Apple iOS 17, Samsung Galaxy S24 Devices, and Pixel 6 and 7 devices.”
For law enforcement, third-party MDTFs are an effective way to get around tech companies’ hesitance to help break into customers’ phones.
In previous instances of mass shootings or domestic terrorism, the FBI has spent weeks or months trying to break into suspects’ phones. The bureau famously butted heads with Apple in late 2015 after the company refused to help law enforcement get around the encryption on the San Bernardino, California shooter’s iPhone. Early in the following year, Apple refused a federal court order to help the FBI access the shooter’s phone, which the company said would effectively require it to build a backdoor for the iPhone’s encryption software.
“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers,” Apple CEO Tim Cook wrote in a February 2016 open letter. The FBI did have access to the a backup of the shooter’s phone that had been uploaded to his iCloud account — but the last backup appeared to have occurred six weeks before the shooting, hence the FBI’s desire to unlock the phone. In his letter, Cook claimed that the FBI had asked Apple to modify its iOS so passcodes could be input electronically in what he called a “brute force” attack.
“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor,” Cook wrote. “While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”
Trump — at the time one of several candidates vying for the Republican presidential nomination — was among those who demanded that Apple cave to the FBI
Trump — at the time one of several candidates vying for the Republican presidential nomination — was among those who demanded that Apple cave to the FBI. “First of all, Apple ought to give the security for that phone,” he told the crowd during one of his rallies. “What I think you ought to do is boycott Apple until such time as they give that security number.”
The FBI dropped its case against Apple in March 2016, three months after the shooting — not because Apple decided to comply with the FBI’s request, but because the bureau had obtained a break-in method from an “outside source” and no longer needed Apple’s assistance. Reuters initially reported that the Cellebrite had helped the FBI break into the device, which the bureau never confirmed, though then-director James Comey and Senator Dianne Feinstein did disclose that the FBI spent around $1 million to unlock the phone.
In 2021, the Washington Post reported that the Australian security firm Azimuth Security unlocked the San Bernardino shooter’s phone.
The San Bernardino shooting was not the only instance in which the FBI tried to compel Apple to break into an iPhone on its behalf. After a shooter opened fire at the Pensacola Naval Air Station in Florida on December 2019, the FBI asked Apple to unlock two iPhones linked to the shooter. After Apple refused, Attorney General William Barr said the company had failed to provide “substantive assistance” in the case. Apple, for its part, maintained that it “produced a wide variety of information associated with the investigation,” and turned over “gigabytes of information” to the FBI, including “iCloud backups, account information and transactional data for multiple accounts” related to the shooter. But Apple once again refused to unlock the shooter’s phones.
The FBI said it was able to break into the shooter’s phones in March 2020, after several months of trying — and the bureau lambasted Apple in its announcement. “Thanks to the great work of the FBI — and no thanks to Apple — we were able to unlock Alshamrani’s phones,” Barr said at the time. FBI director Christopher Wray said this was done with “effectively no help from Apple.”
Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said the Pensacola shooting was one of the last times federal law enforcement agencies loudly denounced encryption.
“There are serious human rights risks when technology for breaking into people’s phones gets leveraged by undemocratic governments”
“That was over four years ago, and the technology on both sides of the equation has only evolved since then,” Pfefferkorn said in an email to The Verge.
Pfefferkorn said vendors and law enforcement agencies often gain access to phones by exploiting “a vulnerability in the software that’s running on the phone” or by guessing the password through brute force. “It takes a matter of minutes to brute-force a 4-digit passcode and a matter of hours for a 6-digit one,” Pfefferkorn said.
“In addition to the FBI’s own in-house tools, there are tools available from third-party vendors (as with the San Bernardino shooter’s phone), some of which are more scrupulous than others about who their customers are. There are serious human rights risks when technology for breaking into people’s phones gets leveraged by undemocratic governments, yet those tools are widely available for the right price.”