WIRED / Apple

UK police are stepping up their efforts to access the contents of locked iPhones. At least three police forces in England have spent thousands of pounds on new hacking technology to get into iPhones, according to financial documents seen by WIRED.

Officers in Lancashire, Derbyshire and Nottinghamshire have purchased licences for systems belonging to US-based firm Grayshift. The company, which has a former Apple engineer as a senior member of staff, emerged at the end of 2017 and can reportedly unlock iPhones running everything up to Apple's latest operating system, iOS 12.


It sells a small box, called GrayKey, that plugs into an iPhone and unlocks it. To do this it exploits alleged vulnerabilities in Apple's software. Once an iPhone has been unlocked it is possible to access everything on the device, including messages, photos and activity logs. GrayKey has proved to be a significant headache for Apple, which has improved security on its phones in an attempt to block it.

Spending records from the three police forces reveal payments to Grayshift for the technology. It is believed to be the first time that UK public authorities have purchased the firm's technologies and follows high-level interest from law enforcement in the US.

Read next iPad 10.2-inch 2020 review: a lazy update, but who cares? iPad 10.2-inch 2020 review: a lazy update, but who cares?

"What we're seeing is a broader pattern where police forces are essentially secretly purchasing this equipment and then deploying it," says Scarlet Kim, a legal officer at the charity Privacy International. "Given the intrusiveness of the technology, there are certain baseline safeguards that need to be introduced."

A financial document from Nottinghamshire police reveals it spent £11,000 on buying a GrayKey in June. The tech will "reduce the need to send phones to Leicestershire for unlocking", the document explains. Similarly, monthly spending figures from Derbyshire show it spent £11,477.54 in June alone on technology from Grayshift. Lancashire Police has taken a slightly different approach, purchasing the system for £46,200 over a period of four years from a third-party supplier in Hertfordshire, called Micro Systemation Limited.


Both Nottinghamshire and Derbyshire forces confirmed their purchases of the technology, while Lancashire did not respond to a request for comment. "Bypassing security on digital devices is a daily requirement for which Nottinghamshire Police use a range of tools and techniques from several different suppliers," a spokesperson for the force said, adding that getting into devices takes place during police investigations.

"It is part of a suite of tools used to complete criminal investigations," a spokesperson for Derbyshire Constabulary added. It did not elaborate how and when it uses the technology, citing "operational reasons".

Grayshift and its GrayKey first emerged in 2017, a year after Apple's public encryption spat with the FBI. Grayshift largely operates under the public radar and is cheaper than products from competitors. The device was first reported on by Forbes in March 2018. The company reportedly offers two models of its iPhone unlocking tech: a $15,000 (£11,437) licence which allows around 300 phones to be unlocked and an offline version that costs twice as much and can unlock an unlimited number of phones.

Read next Apple Watch Series 6 review: still the greatest but with one big pitfall Apple Watch Series 6 review: still the greatest but with one big pitfall

Grayshift co-founder David Miles did not reply to questions around UK police forces buying the firm's tech, how the system works or whether it has shipped hacking technology to other companies. He has previously been seen demonstrating how the GrayKey can easily unlock iPhones. The company doesn't talk about the security vulnerabilities it uses to get around Apple's technology.


Fed up of Chrome? These are the best iOS and Android alternatives Google Fed up of Chrome? These are the best iOS and Android alternatives

In iOS 12, the latest version of the iPhone and iPad operating system, Apple introduced a new feature that attempted to stop iPhone hacking technology being used. As first reported by Motherboard, the USB Restricted Mode requires passwords to be entered when a phone has a cable connected. Grayshift has apparently found a way around this.

"Devices such as the ones Grayshift makes allow less technically proficient law enforcement to access this data, and in most cases this is a good thing," says Jean-Philippe Taggart, a senior security researcher at Malwarebytes. He says that the ability to access evidence on encrypted phones has been a huge problem for police and many lack the expertise to access data themselves. "Technology that makes accessing encrypted phones is troubling because of its potential misuse," he adds.

Grayshift isn't the only firm that sells phone hacking technology – Israeli firm Cellebrite leads the market and has claimed to be able to unlock everything up to the iPhone X. Reports have revealed the US state department, Drug Enforcement Administration and other police forces have purchased Grayshift's GrayKey. The FBI is also allegedly interested in the tech.

Read next How to download iOS 14 and try out its best new features How to download iOS 14 and try out its best new features

Research from Privacy International has shown that more than half of the UK's police forces are using technology to pull data from mobile phones. This technology includes self-service kiosks where officers can unlock phones, hubs that serve multiple police forces and systems that can be used remotely.

"Privacy International believes that a lack of any kind of warrantry or record keeping, and no independent oversight in relation to the exercise of mobile phone extraction powers, creates a serious risk of abuse and discriminatory practices," the organisation's report concluded.

Kim says that given how much data can be pulled from a person's phone there should be a form of judicial approval before such technology is used. "The public are in the dark," Kim says. She points to new laws that have been passed in several US states that require authorities to publicly disclose what surveillance technology they are using and buying.

More great stories from WIRED

– The race is on save the banana from extinction again

– How the mods of r/funny weed out Russian trolls

– The untold story of Stripe the $20 billion payments startup


– Inside the incredible struggle to find dark matter

Don’t miss out. Sign-up to WIRED Weekender to get the best of WIRED in your inbox every weekend