“With the aid of a ‘state trojan’—government-deployed malware—investigators can hack into a smartphone. However, this is becoming increasingly difficult as device security continues to improve.
In December, the Berlin House of Representatives passed an amendment to the General Security and Order Act (also known as the Police Act). Under this amendment, investigators are authorized not only to hack into IT systems but also to secretly enter suspects' homes in order to physically install state trojans. These tools are designed to intercept communications either before or after encryption. What does this look like in practice? How, for instance, can investigators gain access to the contents of an iPhone? Here, we will limit our scope to a technical analysis of Apple devices, as the Android ecosystem—with its myriad versions—presents a vastly different landscape that precludes generalized statements.
For iPhone users who consistently keep their devices up to date, the days when simple tricks sufficed to gain unauthorized access are a thing of the past. Trivial infection vectors—such as phishing links targeting outdated vulnerabilities within WebKit, the underlying web browser engine—are largely ineffective against current versions of iOS, as Apple typically patches such security flaws with great speed.
In this technical arms race, investigators conducting surveillance focus almost exclusively on ‘zero-click exploits.’ As the name implies, this attack vector is particularly insidious, as it requires absolutely no interaction on the part of the victim. The user need not click on a link, nor open a file. Instead, attackers exploit vulnerabilities within system services that automatically process data—such as messages or images—in the background.
However, even in the event of a successful infection, investigators face a technical dilemma. On modern iPhones, it is difficult to install malware permanently. The reason for this lies in the ‘Secure Boot Chain’—a security mechanism that validates the integrity of the operating system kernel upon every device restart, thereby detecting any signs of tampering. Consequently, most modern spyware implants—such as the notorious Pegasus software—are transient in nature, because they reside solely in the device's RAM. As soon as the user restarts the device, the trojan is removed.
To bypass this protective mechanism, investigators continuously monitor the target device's online status. If the iPhone reconnects to the network after a restart, a new zero-click exploit—for instance, via a specially crafted iMessage—is automatically sent, completely invisibly to the user, to instantly renew the infection.

In response to these highly sophisticated threats, Apple introduced ‘Lockdown Mode,’ which reduces the attack surface by preemptively disabling certain features. Technically, this entails—for example—blocking almost all attachments in the Messages app or disabling Just-in-Time (JIT) compilation in the Safari browser. JIT is a technique that accelerates JavaScript code execution at runtime but often serves as an entry point for complex attacks. When this mode is active, known attack methods fail. For investigators, this means that remote infection becomes impossible without the use of new and costly zero-day exploits.

If remote digital access fails—for instance, due to an activated Lockdown Mode—the focus shifts to physical forensics once authorities have seized the device or gained physical access to it, such as during a covert residential search. At this stage, extraction tools from companies such as the Israeli firm Cellebrite or the American provider Magnet Forensics (with its product, GrayKey) are brought into play.
These devices connect directly via the charging port and exploit vulnerabilities in the hardware or firmware to manipulate communication with the device's Secure Enclave processor. The objective is to bypass the artificial time delays imposed on passcode entry and to guess the unlock code using ‘brute force’—the automated, systematic testing of every possible numerical combination.
However, the success of these physical attacks depends on the device's current state; investigators distinguish between two specific modes: AFU and BFU. AFU stands for ‘After First Unlock’ and refers to a device that has been unlocked at least once since its last restart. In this ‘hot’ state, cryptographic keys often remain resident in RAM to facilitate background processes—a condition that affords tools like GrayKey high success rates. In contrast stands the BFU status—short for ‘Before First Unlock’—which applies when a device has just been restarted or its battery has run dry. In this ‘cold’ state, data is encrypted to the maximum extent, and the keys are securely sequestered within the security processor, rendering access impossible.
It is precisely here—with iOS 18, unveiled at the 2024 developer conference—that Apple introduces a new hurdle that massively complicates forensic investigations: the Reboot. This feature ensures that an iPhone which has not been unlocked for a specific period—reportedly about 72 hours—automatically performs a restart. For investigators, this is a vexing issue, as the device autonomously transitions from the AFU state to the secure BFU state. A seized iPhone sitting in the evidence locker over the weekend could be inaccessible to investigators by Monday. Compounding the difficulty is the protection for stolen devices, which—in unfamiliar locations such as a police station—mandates biometric authentication via Face ID and denies access to backups or the ability to change the passcode using the numerical code alone.” [1]
1. Michael Spehr, “Stille Spione,” Frankfurter Allgemeine Zeitung (Frankfurt), 30 Dec 2025, p. T4.
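The AFU/BFU distinction, the escalating passcode delays and the 72-hour inactivity reboot that the article describes can be made concrete with a small state model. The following is an added illustration written for this page, not Apple's code and not the article's: real iPhones derive the passcode key inside the Secure Enclave and wrap class keys with AES, whereas here the per-device UID, the PBKDF2 iteration count, the XOR-based key wrap, the 80 ms per-guess figure and the three protection classes are constructed stand-ins. The delay table (no delay for attempts 1 to 4, then 1, 5, 15, 15 and 60 minutes, refusal after the 10th failure) follows Apple's published Data Protection documentation; the 72-hour figure is the one quoted in the article.

```python
"""Toy model of iOS Data Protection key residency across the BFU and AFU
states, passcode-attempt throttling, and the inactivity reboot.
Added illustration for this page; not Apple's implementation."""
import hashlib
import hmac
import secrets

UID = bytes.fromhex("00" * 31 + "01")   # constructed stand-in for the fused per-device UID
TANGLE_ITERS = 10_000                    # stand-in for the SEP iteration count (~80 ms/guess on hardware)
PER_GUESS_S = 0.08                       # Apple's documented cost of one passcode derivation
INACTIVITY_REBOOT_S = 72 * 3600          # article: reboot after about 72 hours without an unlock
ATTEMPT_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}   # seconds of delay after the Nth failure
MAX_ATTEMPTS = 10                        # 10th failure: device refuses further attempts (or erases)


def _kdf(secret: bytes, label: bytes) -> bytes:
    """Passcode (or UID) 'tangled' with the UID; slow on purpose."""
    return hashlib.pbkdf2_hmac("sha256", secret, UID + label, TANGLE_ITERS, 32)


def _wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap: XOR with an HMAC keystream (real devices use AES key wrap).
    Wrapping and unwrapping are the same operation."""
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


class Device:
    # Complete / CompleteUntilFirstUserAuthentication / None (stand-ins for the iOS classes)
    CLASSES = ("complete", "afu", "none")

    def __init__(self, passcode: str):
        keys = {c: secrets.token_bytes(32) for c in self.CLASSES}
        pk = _kdf(passcode.encode(), b"passcode")
        self._uid_key = _kdf(UID, b"class-d")          # only the UID protects the 'none' class
        self.wrapped = {"complete": _wrap(pk, keys["complete"]),
                        "afu": _wrap(pk, keys["afu"]),
                        "none": _wrap(self._uid_key, keys["none"])}
        self.verifier = hmac.new(pk, b"verify", hashlib.sha256).digest()
        self.failed = 0
        self.last_unlock = 0.0
        self.reboot(now=0.0)

    def reboot(self, now: float) -> None:
        """BFU: only the UID-wrapped class key is recoverable; passcode-derived keys are gone."""
        self.in_memory = {"none": _wrap(self._uid_key, self.wrapped["none"])}
        self.state = "BFU"
        self.locked = True
        self.next_allowed = now

    def try_unlock(self, passcode: str, now: float) -> bool:
        if self.failed >= MAX_ATTEMPTS or now < self.next_allowed:
            return False                                   # lockout or escalating delay still running
        pk = _kdf(passcode.encode(), b"passcode")
        check = hmac.new(pk, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.verifier):
            self.failed += 1
            self.next_allowed = now + ATTEMPT_DELAYS.get(self.failed, 0)
            return False
        for cls in ("complete", "afu"):                    # AFU: passcode-derived class keys now resident
            self.in_memory[cls] = _wrap(pk, self.wrapped[cls])
        self.state, self.locked, self.failed, self.last_unlock = "AFU", False, 0, now
        return True

    def lock(self) -> None:
        """Screen lock evicts the Complete-class key; the AFU-class key stays in RAM."""
        self.in_memory.pop("complete", None)
        self.locked = True

    def tick(self, now: float) -> None:
        """Inactivity reboot: locked and not unlocked for 72 h -> back to BFU."""
        if self.locked and now - self.last_unlock >= INACTIVITY_REBOOT_S:
            self.reboot(now)

    def can_read(self, cls: str) -> bool:
        return cls in self.in_memory


def brute_force_seconds(digits: int, per_guess: float = PER_GUESS_S) -> float:
    """Exhaustive search time once the attempt delays are bypassed (the extraction tools' goal)."""
    return (10 ** digits) * per_guess


def weekend_scenario() -> dict:
    """Phone seized in AFU on Friday at t=10 s; checked after 48 h and again after 72 h."""
    d = Device("1234")
    d.try_unlock("1234", now=10.0)
    d.lock()                                   # seized locked, but after first unlock
    d.tick(now=10.0 + 48 * 3600)
    saturday = (d.state, d.can_read("afu"), d.can_read("complete"))
    d.tick(now=10.0 + 72 * 3600)
    monday = (d.state, d.can_read("afu"), d.can_read("complete"))
    return {"saturday": saturday, "monday": monday}


if __name__ == "__main__":
    print(weekend_scenario())
    print("4-digit PIN, delays bypassed: %.0f s" % brute_force_seconds(4))
    print("6-digit PIN, delays bypassed: %.1f h" % (brute_force_seconds(6) / 3600))
```

The scenario shows why the reboot timer matters to an examiner: on Saturday the seized phone is still AFU and the `afu`-class key is resident, by Monday it has rebooted into BFU and only the UID-protected class is readable. The brute-force estimate assumes the escalating delays have been bypassed; without that bypass the model refuses after ten failures, which is the obstacle the charging-port tools exist to remove.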