Should cops be able to unlock phones or not by using hacking and cracking devices?
Security experts used to say "absolutely not!" but some now say "maybe" because there are way worse alternatives on the horizon.
Israeli digital forensics company Cellebrite has made a name for itself by creating devices that can use flaws in how the security measures on Apple and Google Android devices are designed, and unlock them.
At NZ$7500 a pop, police could use the Cellebrite's Universal Forensic Extraction (UFED) and similar devices to unlock iPhones.
That was last year, and Apple quickly figured out what was going on and made software changes that locked out the passcode-guessing unlockers.
Devices like UFED and GrayKey were widely panned as a bad idea as they undermine device makers' efforts to keep extremely sensitive personal information secure. This especially so after cheap UFED devices appeared on eBay for anyone to buy — criminals, despotic regimes wanting to track and murder dissidents, and snoops of all kinds.
Now Cellebrite has released a new product, UFED Premium, that can "determine passcodes and perform unlocks for all Apple devices" up to the current, general release version 12.3 of the iOS operating system, and Android phones like the Samsung Galaxy S9.
To everyone's surprise, Cellebrite is giving Apple and Google a heads-up about the new cracking capabilities by advertising UFED Premium on social media and on the web. In the past, unlocker vendors would try to keep their products and services secret for as long as possible, to avoid Apple and Google figuring out what weaknesses they exploit and issue patches against these.
It's an arms race, but some security professionals are wondering, just quietly, that maybe law enforcement should have access to services like Cellebrite.
Why's that? Well, law enforcement has a job to do. Understandably enough, police don't like being stymied in that job and won't take "no, you can't access the information locked away on a strongly encrypted device" for an answer.
It is a difficult balance to get right, but there are undoubtedly cases where people are better served by police having access to information on devices.
What nobody wants is for law enforcement to lose patience and ask for legal powers that are draconian, unclear and sweeping and put people's security and privacy at risk on a large scale.
Like in Australia where the Assistance and Access Act means the likes of Apple and Google somehow must bypass strong encryption on their devices if government agencies order so.
This can be done by weakening "electronic protection" selectively but not by introducing systemic weaknesses which appears to be a contradiction in terms.
In that impossible situation, maybe it's better to have the lesser evil which involves turning a blind eye for a while to passcode cracking devices that cost thousands of dollars for the cops to use?
That is, rather than having millions of devices on which electronic protection can be selectively weakened — and if vendors can't or won't break encryption, they face fines and jail.
Much is at stake, but heavy-handed law that leaves super rich device makers with no choice but to enter into lengthy and expensive court action to protect themselves could mean the police will continue to use Cellebrite-style devices simply because it's faster.