Data recovery service DriveSavers made an extraordinary claim November 28: It can unlock an iPhone or Android without the user’s passcode, 100 percent of the time, to restore that user’s access to the data on that device.

In information security terms, that’s roughly akin to telling the world that you’ve invented cold fusion and will start signing up electric subscribers next week.

Google’s Android and Apple’s iOS mobile operating systems employ strong encryption without a backup key, leaving the user’s designated unlock method—a passcode typed in, a pattern drawn on the screen, or a biometric interaction—as the only way to decrypt the device’s storage.




So any stranger to the phone should be out of luck. DriveSavers, however, says it’s found a way around both Apple’s and Google’s defenses—and it’s not divulging its route.

What, not how

The Novato, Calif., company’s press release cites only “new proprietary technology,” and the explanation on the page for this new Password Lockout Data Recovery service is equally vague. The latter brags of “a 100% success rate with unlocking and recovering data from passcode-protected smartphones of every make, model, and operating system with any length passcode, including phones and tablets with more complicated passcodes of six digits or more.”

The makes DriveSavers specifies it can unlock include Apple, Samsung, and LG (but not Google’s Nexus or Pixel lines, though “every make” would seem to include them), and the list of covered operating systems includes the now-defunct Windows Mobile and BlackBerry platforms.

DriveSavers also specifies that it won’t offer this service to law enforcement, and it intends to serve only people who genuinely either forget their phone’s passcode or are seeking access to the phone of a deceased relative.

In an email conversation, DriveSavers spokesperson Michelle West said the service costs $3,900 and requires verification that the potential customer has a legal right to the data on the device, something she said the firm establishes with “an intensive interview with the customer.” Customers must then sign a few forms, vouching for their ownership of the data and granting DriveSavers permission to perform the service.

West did not offer the names of any customers. She also declined to expand on descriptions of people DriveSavers would serve, what its technology entails, or how it works.

“We are the only company offering this to consumers, and we’d prefer other data recovery companies do not learn our methods,” she said. “Our more advanced competitors will likely learn eventually; however, we’d like to prolong this as much as we can.”

Some theories

It would be a mistake to dismiss these claims as marketing puffery: DriveSavers has an outstanding reputation for recovering data after a variety of worst-case scenarios. There’s also a precedent for companies exploiting zero-day vulnerabilities to defeat the security features Apple and Google deploy to stop brute-force attempts to guess a phone’s unlock code or otherwise bypass its lock screen.

In 2016, the FBI quietly ended its legal campaign to have a court force Apple to write software to disable the iPhone’s passcode-lockout security, which stops further attempts to unlock a phone after 10 incorrect attempts, after reportedly paying the Israeli firm Cellebrite for its iOS-unlocking exploit.

Within just two years—and after multiple demands by law enforcement figures for Apple and Google to provide law enforcement agencies some way around their encryption—Motherboard discovered that police departments across America had been buying an iPhone-unlocking tool called a GrayKey that plugs into an iPhone’s Lightning port.

One of the first researchers to write about GrayKey, Thomas Reed, Malwarebytes director of Mac and mobile, wondered in an email whether DriveSavers was using a GrayKey or an updated but unreported version of that tool. Noting that “my sources in law enforcement have told me that iOS 12 + the latest iPhone hardware have thoroughly defeated the GrayKey,” he allowed for a third possibility: DriveSavers had found other operating-system vulnerabilities to exploit.

In a second email, Reed added that he’d learned that the questionnaire DriveSavers asks customers to fill out includes questions about birthdays and favorite numbers. “That leads me to believe that they are brute-forcing the passcodes based on that information, which probably means they don’t actually have a vulnerability to work with.”

Security researcher Ashkan Soltani, meanwhile, hypothesized in an email that DriveSavers had either found another way to exploit the Lightning or USB ports on iPhone and Android devices, a flaw in their car dashboard-pairing modes, or “some direct-access-to-memory hack,” perhaps to read a cached passcode during a phone’s boot-up sequence.

Apple and Google did not answer requests for comment.

What comes next?

Soltani also worried whether a court could compel DriveSavers to use this tool to unlock a specified phone, but an expert on privacy law rated those odds at near zero.

“I’ve never seen a case where a court could require a company like DriveSavers to use its tools to help law enforcement execute a warrant,” emailed Robyn Greene, senior policy counsel at New America’s Open Technology Institute. “The court would not have jurisdiction to issue an order to compel the company to do anything, since the company would be unrelated to the case”—as in, DriveSavers didn’t make the iPhone or Android device at stake.

One thing does seem certain: The existence of DriveSavers’ tool, whatever it might be, will not stop top law enforcement officials from continuing to ask Apple and Google to ease up on their support of strong encryption and instead engineer some way for an investigator with a court-issued search warrant to get into a locked phone.