New leaks on police phone unlocking tech

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Understanding the threats from police phone forensics tools

Reporting from 404 Media examines the capabilities of Graykey, a hacking tool designed to help police access data on mobile devices. Leaked documents suggest Graykey can pull only partial data from modern, up-to-date iPhones (from iPhone 12 and newer). The documents do not specify what “partial” extraction entails, though previous reporting suggests this may include metadata about files, as opposed to the content of those files. Older devices, like the iPhone 11, are apparently vulnerable to “Full” extraction.

According to 404 Media, the tool’s capabilities against Android devices are more varied, possibly due to Android’s more diverse ecosystem. The Graykey is only able to extract partial data on most recent versions of Google Pixel phones and tablets, including the Pixel 9, after someone has already unlocked the device. 

Analysis from 404 Media suggests these tools “may not be able to retrieve any data from phones running operating system versions released a month or two earlier, historically they have eventually caught up and managed to get partial information from the phones.”

What you can do

• Update, update, update. Yes, it’s unsexy, but simply downloading your security updates as soon as they are available is one of the most effective ways to protect your private data. If you’re an iPhone user and need any more incentive to update, it’s worth noting that your phone’s encryption is strongest when the device is turned all the way off, and the recent iOS 18 update makes your device reboot when inactive and locked for three days. If you lose access to your device, it will be that much harder for someone to access your private data. 
• Use a strong passcode. Because it’s so short, using a numeric passcode is one of the less secure approaches to locking and unlocking your device. We generally recommend journalists use a long, alphanumeric passcode to make it harder for someone to easily guess or crack it. Look for alphanumeric passcode options in your Settings app on both Android and iPhone devices. Learn more about how to set this up from our guide to mobile maintenance.

Updates from our team

• My colleague Davis Erin Anderson just released a guide to risk assessment for journalists. Because risk assessment is so important for helping us to think through security priorities — what information we most want to protect, from whom, and how — this is one of the very first things we always speak about in our digital security trainings. I think this is pretty foundational reading, so check it out.
• Reminder: If you’re a U.S.-based journalist or news outlet covering the U.S. election and need safety support, the team at Election Urgent Care is here to help. FPF has joined forces with the Knight Election Hub and an all-star team of safety and legal experts from the Committee to Protect Journalists, the International Women's Media Foundation, Reporters Committee for Freedom of the Press, PEN America, and Aegis Safety Alliance. We’ll provide support for digital, physical, psychological, and legal concerns, from dealing with doxing, threats, and arrests to preparing for risky assignments. To learn more, or to apply from an eligible newsroom for support, check out Knight Election Hub’s Urgent Care. 

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

–

Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation