A $1.2 million tab for iPhone hacking technology at U.S. Immigration and Customs Enforcement underscores how pervasively law enforcement is cracking into passcodes and other security features Americans use to keep their information private.
The ICE contracts — one for $384,000 in September and another for $819,000 this month — will go to the agency’s Homeland Security Investigations unit, which focuses not just on immigration crimes but also on drug trafficking, child exploitation and money laundering, according to Forbes’s Thomas Brewster, who was the first to report on the contracts.
ICE declined to tell Brewster how the hacking tools will be used, but the contracts come amid heightened concern about warrantless searches of phones and laptops that ICE and Customs and Border Protection conduct at airports and other points of entry amid an immigration crackdown by President Trump.
Federal law enforcement agencies have complained for years that advanced encryption systems are hobbling their investigations and allowing criminals and terrorists to “go dark” online. They’ve called on tech companies to help them bypass those encryption protections, and the FBI even waged a high-stakes court battle against Apple over the issue in 2015.
But law enforcement's claims about the danger posed by encryption have been repeatedly undermined by internal watchdogs and its own errors. And the federal spending spree on hacking tools offers yet another suggestion that law enforcement may be finding ways around encryption without tech companies’ help.
The American Civil Liberties Union and Electronic Frontier Foundation sued the government over those searches in 2017 and say they found that “CBP and ICE are asserting near-unfettered authority to search and seize travelers’ devices at the border.” That includes “for purposes far afield from the enforcement of immigration and customs laws” including “investigating and enforcing bankruptcy, environmental, and consumer protection laws,” the advocacy organizations said.
The ICE contracts are with the company Grayshift, which markets one of the most popular iPhone hacking kits to law enforcement agencies. The company has been involved in a cat-and-mouse game with Apple for the past year with Apple trying to block Grayshift’s ability to hack into locked iPhones and Grayshift seemingly finding new ways in.
The pace of new federal contracts would suggest Apple hasn’t won that fight.
Grayshift has inked $2.6 million in deals with federal agencies since 2017, including ICE, the Secret Service, the FBI and the Drug Enforcement Administration, according to information on a government spending database.
Despite a steady stream of warnings about the dangers of encryption since 2014, law enforcement has struggled to provide clear evidence that encryption substantially stymies its investigations.
In the most high-profile case in 2015, the FBI asked a federal court to compel Apple to help it crack into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook. The bureau ultimately withdrew its demand, however, after an unnamed third party offered to help it hack into the phone for a hefty fee.
In that case, the unnamed company appears to have helped the FBI disable a safeguard that would have wiped the phone’s contents after too many incorrect guesses at the passcode — similar to services offered by Grayshift. With that safeguard disabled, the FBI was presumably able to run a computer program that tried all possible passcode combinations until it landed on the correct one.
The Justice Department’s own inspector general later found the FBI had rushed into litigation against Apple without exhausting other options — and some FBI staffers believed the bureau was more interested in setting a legal precedent than in accessing the phone’s contents.
The FBI later acknowledged it had dramatically overstated the number of encrypted devices it was blocked from accessing because it accidentally double-counted instances that were maintained in multiple databases.
FBI Director Christopher Wray had claimed the bureau was unable to access about 7,800 devices connected with crimes in 2017, but the real number was closer to 1,200, officials acknowledged.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The government of Ecuador has agreed to turn over to U.S. law enforcement items turned up in a search of the room WikiLeaks founder Julian Assange occupied for seven years at the Ecuadoran embassy in London, José Maria Irujo reported for the Spanish newspaper El Pais.
The agreement includes “any documents, cellphones, digital files, computers, memory drives, CDs and any other devices that may turn up during the search,” Irjuo reported.
Ecuador turned Assange over to British police last month and U.S. officials are seeking his extradition on computer hacking charges.
“The search of Assange’s sealed-off room will take place on May 20 as part of a petition for judicial assistance issued by the US Department of Justice to the government of Ecuador,” Irujo reported.
Baltasar Garzón, a lawyer for Assange, railed against the agreement, saying it’s “incomprehensible that the country that afforded him protection is now taking advantage of its privileged position to turn over his belongings to the country that is persecuting him.”
Swedish prosecutors also said Monday they will reopen the rape case that originally caused Assange to flee to the Ecuadoran embassy.
PATCHED: A bill introduced by House Democratic committee leaders Friday would pledge $1 billion to improve the cybersecurity of election systems across the nation — plus $175 million in additional federal grants to states every two years to keep those systems secure.
The Election Security Act, sponsored by Homeland Security Chair Bennie Thompson (Miss.), Administration Committee Chair Zoe Lofgren (Calif.) and Democracy Reform Task Force Chair John Sarbanes (Md.), would also mandate that states use paper ballots and establish cybersecurity standards for election system vendors.
The proposal comes as Congress has failed to pass any election security mandates more than two years after Russians sought to undermine the 2016 election with a hacking and disinformation operation that included attempts to breach state and local election systems.
The bill is highly unlikely to pass the Republican-controlled Senate, where GOP lawmakers are wary of imposing federal mandates on elections. As the first stand-alone election security bill this Congress, however, it will give Democrats a firm proposal to rally around as they charge Republicans with being unconcerned with election integrity.
At least two election security bills are likely to be introduced in the Senate this month — including an updated version of the Secure Elections Act, the bipartisan bill that came closest to passing last Congress.
PWNED: We’re on track for more state and local governments to have their computers locked up by ransomware attacks in 2019 than in any previous year, according to a new study by the digital research firm Recorded Future.
Ransomware attackers lock up victims' computers and encrypt their data, then demand a hefty payout to put things right again. The report comes as Baltimore is still struggling to recover from a ransomware attack — the second to hit the city in just over a year — that shut down the majority of the city’s servers and halted many noncritical services.
There were 21 publicly reported ransomware attacks against state and local governments during the first four months of 2019, Recorded Future threat intelligence analyst Allan Liska wrote. If that trend continues, ransomware attacks against government targets in 2019 will substantially outpace the 53 attacks recorded in 2018, Liska reported.
Most ransomware hackers aren’t intentionally targeting state and local governments — they’re just looking for victims with weak digital defenses, Recorded Future found. “However, once these groups do realize they are in a state or local government target, they take advantage of the fact by targeting the most sensitive or valuable data to encrypt,” Liska reported.
A federal commission that helps states with election security, meanwhile, is down to just one full-time employee in charge of testing and certifying voting machines, Tim Starks reports in Politico’s Morning Cybersecurity.
That could cause an unsustainable backlog in security testing for machines in the run-up to the 2020 elections, a voting technology executive told Tim.
The Election Assistance Commission promoted that remaining employee — former Colorado election security expert Jerome Lovato — to be the new director of its testing and certification office late last week, according to a commission announcement and Q and A. The promotion came after the abrupt resignation of the department’s previous director, Ryan Macias, Tim reported.
Lovato has worked for the commission since September 2017. In the Q and A, he listed hiring new staff as his first priority.
More cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: