EXCLUSIVE: Postal Inspectors Have Used iPhone Hacking Tools Hundreds of Times

EXCLUSIVE: Postal Inspectors Have Used iPhone Hacking Tools Hundreds of Times
A U.S. Postal Service (USPS) post office is pictured in Philadelphia, Penn., on Aug. 14, 2020. Rachel Wisniewski/Reuters
Updated:

The U.S. Postal Inspection Service (USPIS) owns sophisticated hacking tools that can breach iPhones, and has used them hundreds of times over the last several years, according to USPIS records.

Law enforcement’s use of hacking tools such as Cellebrite and GrayKey has attracted considerable attention in recent years, particularly following reports that the FBI used the Israeli-based Cellebrite to help access the iPhone belonging to San Bernardino shooter Syed Rizwan Farook—though there has since been reporting to the contrary. More recently, records obtained by Vice Motherboard last year revealed how police departments use GrayKey.

“Only a limited of number of individuals have access to these tools and they are used in accordance with legal requirements. A search warrant, court order, or other constitutionally permissible situation must exist prior to any digital evidence examination of cell phones,” USPS said in a statement emailed to The Epoch Times.

The use of such tools by the USPIS, the law enforcement arm of the Postal Service, is disclosed in its 2019 and 2020 annual reports, but has gone largely unpublicized until now. The Epoch Times has also reviewed an internal Postal Service letter, which shows that one technician in the USPIS digital evidence unit used GrayKey to crack more than 150 iOS devices—iOS being the mobile operating system for the iPhone.

Altogether, the records suggest that the USPIS has cracked hundreds of iPhones—generally thought to be one of the most secure commercial phones on the market—as well as other devices.

“The Cellebrite and GrayKey tools acquired in FY 2019 and 2018 allow the Digital Evidence Unit to extract previously unattainable information from seized mobile devices. During FY 2020, 331 devices were processed, and 242 were unlocked and/or extracted by these services," the USPIS 2020 annual report says. “The success of the program and ever-increasing demand for services required the purchase this year of a second GrayKey device for use on the East Coast.”
The 2020 report reveals an uptick in phone cracking from 2019, when the USPIS accessed 177 devices—34 using Cellebrite and 143 with GrayKey, according to that year’s annual report.

The internal USPIS letter suggests that the increase continued last year, revealing that one technician alone cracked more than 150 iOS devices.

“In May 2020, FLS [Forensic Laboratory Services] acquired a second GrayKey iOS tool for extractions of locked iOS devices. Password protected devices is one of the biggest challenges facing the digital evidence community today,” the letter says.

“Since acquisition, [the technician] has successfully unlocked/bypassed, extracted, and examined over 150 locked iOS devices. The additional GrayKey unit has allowed FLS to balance the workload for the three locations with specialized mobile tools, essentially eliminating the backlog for these examinations.”

Given that the USPIS is a federal law enforcement agency that predates even the FBI, its use of tools such as GrayKey isn’t necessarily surprising, said retired FBI agent Marc Ruskin.

“They have jurisdiction for a much wider variety of cases than you’d think because any type of wire fraud—a large scope of white-collar crime involves wire fraud—or the use of the mail falls under their jurisdiction,” said Ruskin, author of “The Pretender: My Life Undercover for the FBI.”

Ruskin told The Epoch Times he worked with Postal Inspectors on investigations twice during his career, and “they tend to be very good as far as professionalism and intelligence.”

One of the more prominent cases involving the USPIS was the 2001 anthrax mailings, and Postal Inspectors have served on numerous joint terrorism investigations since then.

However, Ruskin questioned what oversight and safeguards are in place at the USPIS to ensure that privacy rights are protected and GrayKey/Cellebrite aren’t abused.

“We don’t know what safeguards are in place. If the guidelines are flimsy, they may be permitting warrantless searches,” Ruskin said. “Under what circumstances are warrants required?”

USPS and USPIS did not respond to emails and calls seeking answers to those questions. USPS’s inspector general has referenced “case management reporting guidelines” that establish requirements for how Postal Inspectors should conduct and document their investigations, but that document does not seem to be public—unlike similar guidelines governing the FBI, which are available online.

Even with guidelines, the USPIS may not be subject to the same scrutiny or oversight as other law enforcers, Ruskin added.

“While they may be subject to the same legal limitations, in fact there may be less oversight because they have a lower visibility,” he said. “Everyone’s looking at what the FBI and ICE are doing constantly, but who’s looking at the Postal Inspection Service?”

The Epoch Times has filed a Freedom of Information Act (FOIA) request for UPSIS guidelines and other records related to tools that can crack iPhones.

Cellebrite and GrayKey developer Grayshift, for its part, also did not immediately respond to inquiries about whether it audits its customers’ use of its products, or has other safeguards to prevent abuse.

Cellebrite has come under particular scrutiny in recent years for doing business with authoritarian regimes. The company announced in October 2020 that it would stop doing business in China and Hong Kong.

Following last year’s revelations about USPIS monitoring anti-lockdown protestors via its Internet Covert Operations Program (iCOP), privacy activists have warned that USPIS is in danger of “mission creep”—when an agency has access to more tools or information than it needs to complete its designed mission, leading it to expand into another role outside of the designated mission to utilize those tools.

“The Postal Inspection Service has a well-defined mission in protecting the mail, but the agency has often overstepped its bounds,” the Electronic Information Privacy Center (EPIC) stated earlier this month. “The Postal Inspection Service now claims a ‘wide jurisdiction’ to preserve the ‘safety, security, and integrity of the nation’s mail system from criminal misuse.’”

More broadly, privacy activists have concerns about the proliferation of tools like GrayKey and Cellebrite, which have become steadily cheaper and more ubiquitous over the years.

“Forensic searches of cell phones are increasingly common … The searches are often overbroad, as well. It’s not uncommon for data unrelated to the initial suspicions to be copied, kept, and used for other purposes later,” the Electronic Frontier Foundation (EFF) said in a March 2021 explainer.

“For instance, police can deem unrelated data to be ‘gang related,’ and keep it in a ‘gang database,’ which have often vague standards.”

EFF added, “Many police departments don’t have any policies in place about when forensic phone-searching tools can be used.”