We have already extracted 98 percent of your iPhone, just give us the PIN
The interrogation trick almost everyone falls for, the real difference between a warm phone and a cold one, and why your date of birth is the first thing an investigator types in.
A teacher, mid 40s, has taught German and history for 20 years. One morning 2 officers stand at his door because a pupil has claimed something. Only claimed. It will turn out to be baseless months later, but nobody knows that on this morning, and nobody on this morning cares. What counts is the search warrant in one officer’s hand and the evidence bag in the other’s. Into that bag goes his iPhone. Unlocked, because he had just been reading his mail. With it, his whole life goes into the bag: the photos of his children, the chats with his wife, the message to his best friend about the separation the school knew nothing about, the searches at 3 in the morning, the note with the passwords, the half decade of location data that betrays exactly where he was every Tuesday evening. He gets the device back 14 months later. The case is dropped. By then his life had long been read by anyone who wanted to.
I have examined devices like that. For 25 years, court appointed, until I ended that work last year. I sat on the other side of the table where decisions are made about people whose phone lay open in front of me. And I tell you from that experience: what we carry in our pockets today is not a phone. It is the most complete confession a person ever makes about themselves, voluntarily, every day, without noticing.
Before we begin, a boundary
I despise crime. I despise violence. I scrutinise every offence down to the bone, that was my profession. This piece is expressly not for those who want to use the knowledge in it to refine their criminal energy. I cannot stop them from reading along, I am aware of that, and I write it anyway, because the others need the knowledge more urgently.
This piece is for the people in Iran who pay with their lives for a message to the wrong person. For the scientist whose unpublished data is worth a fortune. For the researcher, the investigative journalist, the source who calls him, for everyone who carries responsibility in government or administration, for every person in public life who ends up in the crosshairs because someone wants them there. And it is for you, no matter who you are. Because it can happen to anyone, and that too I say from experience. You only have to be in contact with the wrong person, someone whose line of business you do not even know. Or it takes one bad day, a little alcohol, a careless comment on social media. And your smartphone is seized.
This is where I see a line being crossed. But more on that later, cold and with the necessary sharpness.
A whole life, in a device that fits in one hand
Let us talk about what actually sits on such a device, because most people have never made it conscious to themselves.
There are the obvious things. The photos, tens of thousands, each stamped with date, time and coordinates. The chats across every service, often years back. The emails, the notes, the calendar that knows every appointment of the last decade. The browser history. The health data. But that is only the surface.
Beneath it lies what people send one another when they believe nobody is watching. Intimate images between partners, what we now call sexting. I had to look at these images, depending on the case, that was part of the analysis. And I want to be honest about what that did to me, because it is the core of this entire text. What I saw there was never just an image. It was a person. Out of the photos, the messages, the searches, the nightly notes, the deleted and recovered fragments, a person assembled itself in front of me, more complete than they had ever seen themselves. In the end I was able to build a psychological profile so detailed that any psychiatrist would have turned green with envy. Not because I am especially gifted. But because the device keeps everything a person entrusts to it, and the person entrusts it with everything.
That gave me pause then, and it gives me pause to this day. Because the flip side of this depth is also its only consolation.
There were cases in which exactly this abundance of data saved an innocent person. I remember proceedings in which the health app of an iPhone became a witness for the defence. The app logs steps, flights of stairs, heart rate, often to the minute. When an accusation places a person at a certain time in a certain place, for example on camera inside a bank during a robbery, that can be checked against the silent log in the device. If the phone showed a calm pulse at the time of the offence and shortly after the pattern of someone strolling up a staircase, while the prosecution wanted to see him in the middle of a violent act, then it did not add up. It is not proof in the strict sense, claiming that would be dishonest. The person could have lent out his phone. It is an indicator. But I have used indicators like that to break charges and pull people out of the machinery they should never have ended up in. The same device that lays you completely bare can also clear you completely. It only depends on whose hands it falls into and in which state.
Warm or cold, that is the whole truth
If you take exactly one technical term away from this text, take this distinction. It decides everything. Forensic examiners speak of two states, and they have abbreviations for them that sound wooden and yet rule over your fate.
A smartphone that has not been unlocked even once since it was last switched on is in the state Before First Unlock, BFU for short. Cold. In this state the keys that encrypt the data are themselves still encrypted inside the device’s security chip. The files are locked away individually. Without the correct password almost nobody gets in, and by almost nobody I include the most expensive tools in the world.
But the moment you enter the code even once, the device tips into the state After First Unlock, AFU. Warm. Now the keys sit in working memory. You can lock it again afterwards, as often as you like, the device stays warm until it restarts or shuts down. And a warm device is an open book with a thin curtain in front of it.
The forensics industry knows this exactly and tells its customers so. Cellebrite, the market leader for such tools, gives its investigators the plain advice to keep a seized iPhone that is still switched on switched on at all costs. They know what they have in their hands. They also know what slips away from them the moment the thing goes cold.
Translated into your everyday life, this means a simple, almost banal truth. If your device is caught warm, that is, unlocked or unlocked once since booting, the door stands wide open. If it is caught cold, switched off or never touched since booting, then even a state attacker is fighting only against two things: against the hardware in your device and against the strength of your password. We will talk about the hardware shortly. We will talk about the password at length, because it is the point at which most people betray themselves.
The call almost everyone falls for
There is a trick, and it works because it targets the most decent trait in a person, the wish for everything to pass quickly and be all right again.
The call goes roughly like this. We have already extracted 98 percent of your iPhone. Only a small remainder is missing. If you just give us the PIN now, we both save a lot of time, and you might even get your device back today. Sometimes it is wrapped politely, sometimes it comes as a casual request to unlock it briefly, because then it would go faster. Sometimes an officer stands next to you and says, come on, it makes things easier for everyone.
Do not fall for it. Never.
If a device really were 98 percent extracted, nobody would need your PIN anymore. The number is invented, it is a lever, and the lever aims at your hope. In truth the investigators sit in front of a cold device that gives them nothing, and the only shortcut into your life runs through your own mouth. That is exactly why they ask. They ask because they cannot do it themselves.
And here comes the part everyone living in Germany should know. As an accused person you do not have to hand over your PIN. Nobody may force you to name a password, because that would be active self incrimination, and an old, hard principle of our law protects you from it: nobody is obliged to incriminate themselves. No disadvantage may arise from your silence. This is not a trick and not a grey area, this is the law in force.
There is, however, a gap, and it is the reason I will talk about fingerprint and facial recognition shortly. The Federal Court of Justice has confirmed that investigators may press your finger onto the sensor by force. Placing the finger is a toleration, a physical measure, comparable to a blood sample. Naming the PIN would be a statement. The one you must tolerate, the other you never have to do. Remember this distinction, it is worth its weight in gold. A strong password that exists only in your head is, legally and technically, the better fortress than any fingerprint that can be wrung from you.
The first password I always tried
Now I will tell you something about my own work that is uncomfortable, because it is so simple.
When I had a locked device in front of me and a suspect whose file I knew, I did not start with high technology. I started with his date of birth. A person born on 13 April 1985, being a logically thinking creature, would of course never choose 130485 as a code. Such a person considers himself too clever for that. And it was exactly these people who were my surest hits. It is almost a law of nature. People believe the obvious is too obvious to be dangerous, and so they take it. With the dates of birth of suspects, of their children, of their partners, I have opened more devices than I care to admit.
The second mistake is even bigger, and it is the real reason this section is meant to wake you up. The Otto Sapiens, that subspecies of Homo sapiens which believes it knows everything because it listened to half an audiobook, tends toward a fatal convenience. He uses one password. One. For everything. For the social network with the photographic focus, for email, for online shopping, for the bank account, and yes, for the iPhone itself.
This is where we investigators always set the lever, and I say this without any pride, rather with a cold shiver in hindsight. I first looked at which passwords this person used somewhere on the net, in a leaked dataset, in some old service, in a poorly secured database from which millions of credentials circulate. And very often that gave me the password to the device or to the platform I needed to get into. One key for all doors, made by the owner himself. There is no more elegant way to hand a stranger access to your own life.
From this follows the first concrete action you should take today, before you read on. Never the same password twice. Never the date of birth, not yours, not your children’s. A long passphrase for the device, something that lives only in your head and nowhere else. A 4 digit numeric code falls against any decent hardware in seconds. A long, high entropy passphrase makes the difference between an hour and a century.
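The date-of-birth pattern described above can be checked before a code is ever set. The following is an added example, not code from the article; the date formats and the sample family dates are constructed for illustration, and an empty result only means none of these particular patterns fired.

```python
from datetime import date


def date_forms(d: date) -> set[str]:
    """Digit strings people commonly build from one date (constructed list of
    day/month/year orderings with two- and four-digit years)."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", f"{d.year:04d}"
    return {
        dd + mm + yy, dd + mm + yyyy,   # 130485, 13041985 (European order)
        mm + dd + yy, mm + dd + yyyy,   # 041385, 04131985 (US order)
        yy + mm + dd, yyyy + mm + dd,   # 850413, 19850413 (ISO-like order)
        dd + mm, mm + dd, yyyy,         # day+month only, or the bare year
    }


def _is_sequential(digits: str) -> bool:
    """123456 or 987654: every step is +1 or -1 in the same direction."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps.pop() in (1, -1)


def pin_weaknesses(code: str, known_dates: list[date], min_digits: int = 6) -> list[str]:
    """Return the reasons a numeric device code would be among the first guesses.
    Non-numeric codes (passphrases) skip the digit checks entirely."""
    reasons = []
    if not code.isdigit():
        return reasons
    if len(code) < min_digits:
        reasons.append(f"only {len(code)} digits")
    if len(set(code)) == 1:
        reasons.append("one repeated digit")
    if len(code) >= 4 and _is_sequential(code):
        reasons.append("sequential digits")
    for d in known_dates:
        for form in sorted(date_forms(d)):
            if form in code:
                reasons.append(f"contains {d.isoformat()} written as {form}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the owner's own birthday and a child's birthday.
    family = [date(1985, 4, 13), date(2012, 9, 2)]
    for candidate in ("130485", "2012", "123456", "735912", "dreizehn-Hunde-auf-dem-Sofa"):
        print(candidate, "->", pin_weaknesses(candidate, family) or "no obvious pattern")
```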
PIN no, finger yes, and why that decides everything
I touched on this legal distinction above, but it is so important that it deserves its own clear block. It is the practical core of this entire text.
In Germany the principle holds that nobody is obliged to incriminate themselves. As an accused person you never have to hand over your PIN, your password, your passphrase. Naming a code is an active statement, and nobody can force you into a statement. No disadvantage may arise from your silence. This is not a grey area, it is settled law.
It is different with biometrics, and here lies the trap. On 13 March 2025 the Federal Court of Justice confirmed that investigators may press your finger onto the sensor by force, based on section 81b paragraph 1 in connection with sections 94 and following of the Code of Criminal Procedure. Placing the finger is not a statement but mere toleration, legally comparable to taking a fingerprint or a photograph. For facial recognition via Face ID the same will in all likelihood apply by the same logic, and why that is so, and where a fine but important difference nonetheless lies, that gets its own section in a moment.
From this follows a crystal clear practical rule. Whoever uses an iPhone with facial recognition or a fingerprint sensor as the sole protection has built in a door that can be opened against their will. Whoever instead carries a strong password in their head and disables biometrics in an emergency holds the only key nobody may compel. On every current iPhone a quick, repeated press of the side button is enough to disable Face ID instantly and force the passcode. Remember this move.
A glance across the Atlantic shows that this conflict rages everywhere. In the United States the disclosure of a passcode is mostly treated as testimonial and therefore covered by the protection against self incrimination. Biometric unlocking, by contrast, the courts judge inconsistently, more on that specific court battle in a moment. The legal situation is in motion, in Germany as in the USA. What remains is the core: a password in your head is legally better protected than any finger that can be placed on a sensor for you.
Is Face ID safer than the fingerprint? The answer is a clear yes and no
You may be wondering whether facial recognition is not in fact safer than the fingerprint, precisely because you have to look at the device consciously to unlock it. The question is clever, and the answer is: in one very specific respect yes, legally no. I will take both sides apart, because a lot of half knowledge circulates here.
First the technical side, and here Face ID does have an underrated protection built in. It is called attention awareness, “Require Attention for Face ID” in the original, and it is active in the factory state. With attention awareness switched on, the iPhone unlocks only when the eyes are open and directed at the display. Apple describes this unmistakably in its own documentation: the device opens exclusively when you consciously look at it. From this follows what Hollywood has been getting wrong for years. Holding the iPhone of a sleeping person up to their face does not work. Misusing the iPhone of an unconscious person does not work. And that image so beloved in crime dramas, where the phone is held up to a dead person’s face and it springs open, does not work either, as long as attention awareness is active, because a dead person does not direct their gaze at the display. A photo, a video or a two dimensional mask also fail, because the TrueDepth camera builds a three dimensional depth model of the face and accepts no flat image.
That is a real advantage over the fingerprint. A sleeping or unconscious person can be unlocked with the finger, the finger needs no consciousness. The face with active attention awareness demands the awake, looking person. So far your thought, and it holds.
Now the legal side, and here the supposed advantage tips over. The moment a person is awake and is forced to look, the technical protection no longer bites, because the eyes are open and the gaze falls on the device. That is exactly why the interesting question is whether investigators may force an awake suspect to hold his face in front of the phone and open his eyes. In Germany the Federal Court of Justice has not expressly decided the question for Face ID, its ruling of 13 March 2025 concerned the fingerprint. But it read section 81b of the Code of Criminal Procedure expressly as a technology open basis, and the legal world assumes almost unanimously that facial recognition is covered just the same as a similar measure. Merely holding the device in front of the face is toleration, not active cooperation, and so falls under the same logic as the forced finger. The fine difference remains only theoretical: if the suspect had to actively open his eyes or consciously look at the display, one could argue that this is already a compelled cooperation that the principle against self incrimination forbids. Until a court clarifies that, nobody should rely on it.
In the USA an open dispute rages between the federal courts over exactly this. In the case United States versus Payne the federal court of appeals for the Ninth Circuit ruled in 2024 that forced biometric unlocking is not testimonial, because it requires no mental effort, an officer of the California Highway Patrol had pressed the suspect’s thumb onto the device. A year later, in the case United States versus Brown, the federal court of appeals for the District of Columbia ruled exactly the opposite: biometric unlocking is indeed testimonial and protected by the 5th Amendment, because it reveals knowledge and control over the device. This contradiction between two federal courts is ripe for the Supreme Court. On the passcode, by contrast, the US courts largely agree: it is content of the mind and protected.
Over all of this, in Europe, hovers a judgment that sets the frame. The European Court of Justice ruled on 4 October 2024 in the Landeck case, triggered by an Austrian case in which the police, after finding 85 grams of cannabis, tried in vain to unlock a seized phone, without authorisation, without documentation, without informing the person concerned. The Grand Chamber made clear: access to the data on a mobile phone is already a serious, possibly especially serious interference with fundamental rights, and the unlocking itself already counts as part of it. Such access is not limited to serious crime, but mandatorily requires prior review by a court or an independent body, the safeguarding of proportionality, and the subsequent notification of the person concerned. That is the European guardrail against which German courts too must be measured.
What does all this mean in practice for you? Do not rely on attention awareness as protection against the state, because against an awake, restrained person it runs into the void. Do rely on it very much as protection against the thief, the jealous partner, the curious acquaintance who holds the device up to your face while you sleep, because there it works reliably. And if your threat model includes the state, the same rule applies as for the fingerprint, only one notch sharper: disable facial recognition in an emergency and trust a long password alone. The move for it, the quick repeated press of the side button, immediately forces the passcode and locks Face ID until you enter the code. That is the one motion that counts in the decisive moment.
What Cellebrite and its brethren can really do
Let us talk about the tools, because myths surround them in both directions. Some hold them to be all powerful, others a bluff. Both are wrong.
Cellebrite is an Israeli company, its tool is now called Inseyets, formerly UFED. It is the most used forensic extraction machine in the world, deployed at over 7,000 authorities, with almost 3 million examinations per year. In May 2026 the company announced in a telling blog post that the so called access gap was closed, that it now offered access to the newest iPhone models in both states, warm and cold. That is sales prose, and at exactly this point a practitioner has to draw the distinction the marketing department deliberately blurs. Cellebrite itself cites a figure that shows why the lock state is so pressing for investigators: according to its own industry report for 2026, 56 percent of all devices arrive at the lab locked, in North America even 75 percent.
What is true: in the warm state, AFU, a current iPhone is indeed attackable. Cellebrite has stepped up here, developed new methods, and when you get an iPhone warm into your hands, you pull out a great deal. There is a function named Instant Passcode Retrieval that automatically determines the passcode of a warm device and thereby lifts access from limited to the full file system. The clock runs against the owner, because this countdown begins with the first unlock, and that is exactly why Cellebrite preaches to its investigators to connect a warm device as quickly as possible.
Here a detail worth knowing, because it clears up a widespread misconception. Investigators like to put a seized phone into a so called Faraday bag, a shielding pouch that cuts every radio connection. This is meant to prevent the owner from wiping the device remotely. It works for that purpose too. But, and this is the point, the Faraday bag does not prevent the internal, hardware enforced restart after 72 hours, which we will discuss shortly. No radio dead zone in the world stops that counter. The shielding protects the owner, without the investigators wanting it to.
What the company conceals stands between the lines of its own documents and in the matrices that keep leaking. In the cold state, BFU, the matter looks completely different. Even if a BFU extraction succeeds, according to Cellebrite’s own older documentation it theoretically delivers only system data, the bulk of the user’s life stays encrypted. An academic study by Universitas Indonesia measured this. The researchers compared file by file, by hash value, what could be pulled from a cold iPhone against the complete file system. The result came to 63.48 percent agreement, 338,062 of 532,509 files. Sounds like a lot, but it is not, because the missing roughly 36 percent are exactly the part that counts: the sensitive app data, the chats, the heart of the matter. In the cold state that stays unreachable.
To give you an idea of the sheer force of these tools in the warm state: a second study by the same university compared the three big forensic suites on an iPhone 11 Pro. Cellebrite’s UFED pulled 8,539 individual artefacts from the device, the competing product XRY reached 6,542, AXIOM 4,220. An artefact here is not a file but a reconstructed data point, a deleted message, a location entry, a browser history fragment. Eight thousand such points from a single warm phone is no exaggeration, it was exactly 8,539. That is the depth an open device gives up.
There is an old vulnerability named checkm8, a flaw deep in the boot chip of older iPhones, unpatchable because it sits in the silicon. A hardware flaw cannot be repaired by update, it stays as long as the device exists. With checkm8 even cold devices could be read out completely, and for the affected models that holds to this day. The good news for current devices: checkm8 reaches only from the A5 to the A11 chip generation, that is, from the iPhone 4S to the iPhone X. Everything from the iPhone XS onward, everything from the year 2018, is immune to this attack. An iPhone 16 Pro or an iPhone 17 has long been out of reach. So anyone who still regards an old iPhone from the time up to 2017 as a secure device is fundamentally mistaken. It is exactly these old models that stand open as a barn door in the cold state.
The clearest real proof against the big promise comes from February 2026. The iPhone of a Washington Post reporter ended up at the FBI’s forensic lab, the Computer Analysis Response Team. These people have tools the local criminal police only dream of. They failed. The device did not give up its data. That is the benchmark, not the glossy brochure.
And now the one point where I have to be honest, even though it does not fit the simple narrative. The forensically hardest device in the world is not the iPhone. It is a Google Pixel running a hardened operating system named GrapheneOS. The leaked Cellebrite matrices list this system as the only platform against which the tool has achieved nothing since the year 2022, cold as well as warm. A matrix from October 2025 even suggests that Cellebrite has lost access to unlocked GrapheneOS devices, that is, fails even in the warm state. Whoever wants the maximum of protection and is willing to give up convenience and some services for it reaches for that. For most people, though, who will not flash an operating system by hand, the current iPhone remains the best practical fortress on the market. With one condition I will come back to at the end.
The ranking of devices, sorted bluntly
So that you leave this section not with a feeling but with an order, I sort the device classes the way a forensic examiner experiences them at the analysis table. From the softest to the hardest.
At the very bottom lie the cheap Android devices with a MediaTek chip. They have no dedicated security chip, no so called secure element, and their boot area is vulnerable to unpatchable flaws. In the cold state the only defence left is a strong password, everything else is open. I will come in the next section to an example that will leave you speechless.
Above them stand Samsung devices with Knox Vault. Knox Vault is a real, separate security building block, a tamper resistant subsystem with its own processor and its own memory, physically separated from the main chip, hardened even against attacks with laser or voltage manipulation. That is a serious second wall, and it lifts a modern Galaxy far above the MediaTek class. The weakness lies in the configuration. A function named Secure Startup is what binds the main key firmly to your PIN in the first place, and it is not active for everyone. And the automatic return to the cold state, which the iPhone handles on its own, is optional on Samsung and switched off in the factory state. You have to arm the fortress yourself.
On the same level, in the upper league, stand the current iPhone and a Pixel with Google’s own stock Android. Both have a real security chip, Apple’s Secure Enclave, Google’s Titan. Both are strong in the cold state, attackable in the warm state. The iPhone has the decisive advantage the next section is about: it sets itself cold.
And at the very top, alone, stands the Pixel with GrapheneOS. When this system is installed, its own keys are written into the Titan chip and the boot area is relocked under those keys. Added to this is a memory protection that arranges the layout randomly on every start and thereby hampers the attacks with which spyware intrudes without the user doing anything. That is the machine on which the most expensive tools break their teeth.
45 seconds, and a crypto fortune is gone
Let me get concrete, because in the abstract all of this sounds harmless. In March 2026 the security team Donjon, which belongs to the crypto company Ledger, published a finding that sums up the whole convenience of the cheap device class in a single image.
The researchers took an ordinary Android phone with a MediaTek chip, a Nothing CMF Phone 1, and connected it by USB cable to a laptop. They needed no malware, no app, no internet connection, not even a running Android. The device was in the cold state, in theory the secure fortress. After 45 seconds they had the PIN, had decrypted the storage, and, this is the part that hurts, they had read out the seed phrases from the crypto wallets, the secret recovery sentences with which an entire crypto fortune can be seized. Several well known wallets were affected. 45 seconds, one cable, done.
The flaw sits in the boot chain of the MediaTek chip and carries the identifier CVE-2025-20435. MediaTek is no niche manufacturer, its chips sit, according to market researchers, in roughly a third of all smartphone chipsets sold worldwide. MediaTek delivered the repair code to the device manufacturers in January 2026, so this specific flaw is fixable. But it stands for a structural problem. A device class without a real security chip has no second line of defence. If the first falls, everything falls, and it falls in under a minute. Whoever wants to protect a crypto fortune or truly sensitive data does not buy a MediaTek device. Full stop.
Apple’s quiet weapon that robs investigators of sleep
In October 2024 Apple introduced a function, quietly, without a big announcement, that hit forensics like a bomb. It is called Inactivity Reboot and has been in every current iPhone since iOS 18.1.
The principle is as simple as it is elegant. The security chip in the iPhone counts how long the device has not been successfully unlocked. When this counter reaches 72 hours, the iPhone restarts entirely on its own. And with the restart it falls from the warm state back into the cold, from AFU back to BFU, from open back to encrypted. A seized device that lies in the evidence room for 3 days thus locks itself, without its owner having to do anything. In the first version, iOS 18.0, the counter still stood at 7 days. With iOS 18.1 Apple lowered it to 72 hours, without comment.
This function was discovered not by security researchers but by baffled investigators in Detroit, whose stored iPhones in the evidence room suddenly and seemingly without reason restarted. An internal agency document seriously suspected that the devices were sending each other wireless signals to restart, a kind of uprising of the machines in the evidence room. The truth was more mundane and, for Apple, far more elegant. It was a counter. The German security researcher Jiska Classen of the Hasso Plattner Institute later took the function fully apart and proved that an attacker would already need control over the core of the system just to prevent this one restart. That is, exactly the access he is trying to gain with the restart in the first place. A lock that can only be opened with the key it locks away inside itself, and this time that loop works for you.
Then there is USB Restricted Mode, which cuts the data line at the port as soon as the device has been locked for longer than 1 hour. When at the start of 2025 a flaw with the identifier CVE-2025-24200 surfaced that defeated exactly this protection and, according to Apple, was abused in an extremely sophisticated attack against single, specifically chosen individuals, the emergency patch came with iOS 18.3.1 within a few days, on 10 February 2025. This phrasing, highly targeted attack against single individuals, is Apple’s cautious paraphrase for exactly the tools this whole text is about. Apple defends this line with a hardness one rarely sees in a publicly traded company.
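To make the warm/cold distinction, the 72 hour counter and the 1 hour USB cutoff concrete, here is an added model, written for this text and not Apple's or Cellebrite's code. It assumes a toy HMAC-based stream cipher in place of the hardware AES and a plain PBKDF2 derivation in place of the chip's UID-entangled one; the key-in-memory logic is the point, not the cipher.

```python
import hashlib
import hmac
import os

# Timings as the article states them: inactivity reboot after 72 hours without a
# successful unlock, USB data line cut once the device has been locked for 1 hour.
INACTIVITY_REBOOT_HOURS = 72
USB_RESTRICTED_HOURS = 1


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style stream from HMAC-SHA256, standing in for the hardware AES (assumption).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecureEnclave:
    """Security chip: holds the file class key only wrapped under a passcode-derived key."""

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        kek = self._kek(passcode)
        self.wrapped = _xor(os.urandom(32), _keystream(kek, b"wrap", 32))
        self.tag = hmac.new(kek, self.wrapped, hashlib.sha256).digest()

    def _kek(self, passcode: str) -> bytes:
        # Slow derivation; the real chip also mixes in a per-device hardware secret (not modelled).
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def unwrap(self, passcode: str):
        kek = self._kek(passcode)
        if not hmac.compare_digest(self.tag, hmac.new(kek, self.wrapped, hashlib.sha256).digest()):
            return None  # wrong passcode: nothing leaves the chip
        return _xor(self.wrapped, _keystream(kek, b"wrap", 32))


class PhoneModel:
    """Warm/cold state machine of a seized phone with the two timers from the text."""

    def __init__(self, passcode: str):
        self.enclave = SecureEnclave(passcode)
        self.now_h = 0.0
        self.boot()

    def boot(self) -> None:
        self.class_key_in_ram = None  # BFU: no unwrapped key anywhere in memory
        self.locked = True
        self.last_unlock_h = self.last_lock_h = self.now_h

    def state(self) -> str:
        return "AFU" if self.class_key_in_ram is not None else "BFU"

    def unlock(self, passcode: str) -> bool:
        key = self.enclave.unwrap(passcode)
        if key is None:
            return False
        self.class_key_in_ram = key  # warm from here until the next reboot
        self.locked = False
        self.last_unlock_h = self.now_h
        return True

    def lock(self) -> None:
        # Locking hides the screen but does not evict the key: still AFU.
        self.locked = True
        self.last_lock_h = self.now_h

    def advance(self, hours: float) -> None:
        # The counter runs inside the chip and needs no radio, so a Faraday bag
        # (which only blocks remote wipe commands) does not stop it.
        self.now_h += hours
        if self.now_h - self.last_unlock_h >= INACTIVITY_REBOOT_HOURS:
            self.boot()

    def usb_data_allowed(self) -> bool:
        return not self.locked or self.now_h - self.last_lock_h < USB_RESTRICTED_HOURS

    def store(self, plaintext: bytes) -> bytes:
        if self.class_key_in_ram is None:
            raise RuntimeError("protected data can only be written on a warm device")
        nonce = os.urandom(12)
        return nonce + _xor(plaintext, _keystream(self.class_key_in_ram, nonce, len(plaintext)))

    def read(self, blob: bytes):
        if self.class_key_in_ram is None:
            return None  # cold: only the wrapped key exists, the file stays ciphertext
        nonce, ct = blob[:12], blob[12:]
        return _xor(ct, _keystream(self.class_key_in_ram, nonce, len(ct)))

    def extract_over_usb(self, blob: bytes):
        # What a cable-connected tool sees: it needs a warm device and an open port.
        return self.read(blob) if self.usb_data_allowed() else None
```

Walk a seized device through it: unlock once, lock, let 1.5 hours pass and the port closes while the data stays readable in memory; let 72 hours pass and the model reboots to BFU, after which only the passcode brings the key back.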
Finally there is Lockdown Mode, a bolt for people with a real threat profile. Apple states that to this day no device has been successfully compromised with spyware on which this mode was active at the time of the attack. That is not a guarantee of unbreakability, it is a statement about what has not been observed so far, and I phrase it here deliberately that cautiously. The Security Lab of Amnesty International confirms this line, and Citizen Lab, the forensic lab of the University of Toronto, has even documented at least 2 cases in which Lockdown Mode actively blocked an ongoing attack and even warned the user, among them an attack with Pegasus. Apple pays up to 2 million dollars in bounty to anyone who defeats this mode. Whoever works in science, journalism or politics and could end up in the crosshairs switches this mode on and accepts the loss of comfort.
A last word on Apple, and it is not pure praise. There is a function named Advanced Data Protection that also encrypts the cloud backup end to end. It is excellent, but it is not available everywhere, and for a reason that should make you prick up your ears. Apple withdrew this function for new users in the United Kingdom in February 2025, after the British government demanded a backdoor by law. In October 2025 London demanded access again. That shows that even the hardest company does not withstand the pressure of a state indefinitely. Encryption is not a technical fact alone, it is also a political battlefield.
When the state itself becomes the burglar
Up to here it was about seizure, that is, the case where someone gets your device physically into their hands. There is a second, more sinister class of attacks, in which nobody has to touch your phone. They are called state trojans and commercial spyware, and they are not material for conspiracy theorists. They are documented, litigated and in part confirmed by courts.
The best known name is Pegasus from the Israeli NSO Group. On 6 May 2025 a Californian jury ordered the company to pay 167,254,000 dollars in punitive damages and a further 444,719 dollars in compensation for the concrete harm, because in 2019 it had hacked around 1,400 users of a well known messenger through a single vulnerability with the identifier CVE-2019-3568 that required not a single click from the victim. This is called a zero click attack. The phone rings, and it is already infected, whether you answer or not. Among the victims were journalists, lawyers, activists and government critics in 51 countries, among them 456 people in Mexico, 100 in India, 69 in Morocco. Court documents brought to light that the spyware was installed not by the government customers but by the company itself. A judge reduced the penalty in October 2025 to 4 million dollars and issued an injunction; NSO appealed. The message remains: here an entire industry was dragged into court and found guilty.
There are more recent cases. A software named Graphite, made by the company Paragon, co-founded among others by a former Israeli prime minister and a former commander of the notorious cyber Unit 8200, struck around 90 users of a well known messenger at the start of 2025, again among them journalists and members of civil society in over 2 dozen countries. Citizen Lab forensically confirmed the infection of Italian journalists, among them named reporters of an investigative outlet. The associated iPhone attack ran over a prepared link, used a flaw with the identifier CVE-2025-43200 and was closed by Apple only with iOS 18.3.1. The Italian parliament confirmed in June 2025 the use by its own government. And in April 2026 the director of the US immigration agency ICE confirmed openly for the first time that it uses this software. These tools wander, that is the real news. What is used today against a cartel boss stands ready tomorrow against a journalist.
And Germany? Here too the state reads along, and with tools of its own. The Federal Criminal Police Office holds several trojans: an in house development named RCIS, approved since 2016, which has consumed around 5.77 million euros in development, the purchased FinSpy of the company FinFisher, and since 2019 at times also Pegasus. About FinFisher there is a bitter punchline: a court found that the office paid 325,666 euros to the company for a tool that was never successfully deployed, and FinFisher is insolvent today. These trojans intercept communication directly at the device, before it is encrypted or after it has been decrypted, which is why even the best messenger is useless if the device itself is compromised.
The official statistics of the Federal Office of Justice show for the year 2023 exactly 104 judicial orders for so called source telecommunications surveillance, of which 62 were actually carried out, compared with 49 the year before. For the more far reaching online search, which captures the entire device, there were 26 orders and 6 executions. The numbers are rising. In most cases the occasion was suspected drug offences. On 7 August 2025 the Federal Constitutional Court declared the state trojan laws largely constitutional, but expressly objected to their use for lighter offences. That is the right direction, yet the tool is out in the world, and it is being used.
Against this class of attacks switching off does not help, because they come while you are using the device. Here only this helps: keep the device up to date, switch on Lockdown Mode if you are at risk, and in doubt do not put the truly sensitive communication on a networked device in the first place.
The bugged car, and why I of all people am telling you this
There is a way to your password that is more elegant than any forensic tool and that gets by without your device. Someone simply watches you type it in.
Investigators bug vehicles. They open a suspect’s car unnoticed, often at night, and place technology inside the cabin. A microphone that records every word. And, this is the point that surprises most people, a camera, small enough to disappear into a reading lamp, into the headliner, into a compartment. This camera does not film for a confession. It films your hands. It films how you unlock your phone at the traffic light, and it films the digits you type while doing it. That is how you get a password, very fast, without any high technology. The most expensive Cellebrite apparatus is superfluous when a lens in the headliner has already recorded the code.
To get into the car you need a key or a code, and this is exactly where it gets interesting. Modern vehicles are so well secured against theft that they also lock out the state. That is why the Conference of Justice Ministers passed a resolution in November 2024 meant to oblige car manufacturers to hand over, on order, a second key or access code so that investigators can enter the vehicle unnoticed and bug it. I am obliged to precision here, because this text also appears as a specialist contribution: such a duty to cooperate is not yet law in force in Germany, it is a demand by the states to the Federal Ministry of Justice. What does already exist is the practice, and there are manufacturers who cooperate within the scope of an order, while others dig in their heels. The direction is clear, and it does not point in your favour.
It is not only cars that get bugged. Apartments get bugged, cameras at building entrances get evaluated, video doorbells, of which nearly every second one now hangs at a door, deliver a seamless record of who comes and goes when. I deliberately leave everything open here, because the list of places where an eye can sit is longer than you would like, and longer than I spell out here.
And now the part where I have to be fair, because anything else would be dishonest. I have built reading lamps like that. Technology that disappears into a lamp and records. I plan to offer it again. Why am I telling you this, in the middle of a text that warns you about exactly this technology?
Because I am neutral. I am a businessman, and I offer what is needed. The object of my company is unchanged: science and research in the field of criminal forensics, the preparation of expert opinions, investigative support for authorities, and general activities in the field of information technology. It would not be fair to show you the danger and conceal that I myself stand on this side of the workbench. I decide which country I work for, and I decide which clients I accept. Neutrality and loyalty are a cornerstone of my life, that is written law for me, and I hold to it. For Germany I swore an oath decades ago.
I am out of that system, everyone who knows me knows it. I no longer take part in the punch and judy show, and there is not one reason for that but several. I leave them standing here without listing them.
Everyone has a right to privacy, and that is exactly why I write this text. In the early 2000s I worked in an area of crime whose nature I deeply despise: sexual violence and abuse against children. I had to see things no person survives without scars. I actively opened access back then, AOL accounts, TrueCrypt containers, yes, you read that correctly, and with every analysis 10 new cases were added. Anyone who has once sat at this table knows that the technology in this text is no toy. It has two edges. It exposes the perpetrator, and it lays bare the innocent. My whole concern is that you know which side of the lens you sit on, before someone else decides it for you.
Now comes the sentence that will hurt many, and I put it deliberately into the room. There is no chat you did not program yourself that is truly safe. None.
That sounds like doom mongering until you look at what has just happened. Meta, the company behind the photographic social network, switched off end to end encryption for direct messages in Instagram as of 8 May 2026. This is not a rumour, it stands in the company’s own help pages. Encrypted messages on Instagram have not been supported since that date. Whoever writes there today, their messages can be read by the company, evaluated, and handed over to authorities around the world on request. The justification was that only very few people had used the encryption anyway. That is the most cynical of all justifications, because the encryption was never the default but had to be laboriously activated per conversation, which is why almost nobody found it. Remarkable too is the timing, just 11 days before the entry into force of a US law obliging platforms to swiftly remove certain content, which would not be possible at all without insight into the content. One may connect the dots oneself.
Let us place the situation soberly side by side. Signal encrypts by default and is regarded as the gold standard. Apple’s iMessage encrypts between Apple devices. WhatsApp and the Messenger of the same Meta company still encrypt for now, which, given the Instagram decision, is cold comfort. Telegram does not encrypt end to end across the board by default at all, only in an optional secret mode almost nobody uses. And Instagram, since 8 May, not at all anymore.
An industry that lives off your secrets
Why do I tell you all this in such detail? Because behind all of it stands no coincidence but a market. A huge, growing, hungry market.
The Atlantic Council, a respected think tank, mapped the surveillance industry in a report from September 2025 and arrived at 561 companies in 46 countries. In the year 2024 alone, 43 new such companies were founded. And here is the figure that occupies me most: since 2024 the biggest financiers of this industry have no longer sat in Israel but in the United States, where the number of investors jumped from 11 to 31, three times as many as in the next largest country. These companies employ legions of staff, many of them former members of military special units and intelligence services. The entanglement is structural, not accidental. Whoever spent years cracking phones for an intelligence service goes on to found a company that sells exactly that.
It is about a great deal of money. The market for the software alone that is meant to fend off such attacks is estimated at around 3.2 billion dollars, and that is only the defensive side. The NSO Group, the maker of Pegasus, was at one point valued at around 2 billion dollars. An industry of this size seeks out its easiest targets first. And an unencrypted chat is the easiest target of all. Hence the sentence I put into the room and repeat here: there is no chat you did not program yourself that is truly safe.
The cloud is the open back door
You can turn your device into a fortress and still lose everything if you overlook one single thing. The backup in the cloud.
It is no use owning an iPhone that nobody opens in the cold state if at the same time a complete, unencrypted copy of your device lies on a server that a company administers and that an authority can demand by order. Then they do not even need your fortress, they walk through the open back door. A court order to Apple or Google suffices, and all the beautiful encryption on the device was for nothing, because the copy lies open elsewhere.
The same goes for the password itself. Once the security chip is bypassed, as happened with the MediaTek class in 45 seconds, all that stands between the attacker and your data is the strength of your PIN. A 4 digit code is then tried out in seconds, all 10,000 possibilities. A long passphrase of letters, numbers and characters, by contrast, makes the computing time explode.
Hence my clear recommendation. Make your backup onto an encrypted Mac or, if it must be, an encrypted PC. Or make no backup at all if you do not absolutely need the data. Switch on Advanced Data Protection at Apple, which also encrypts the cloud backup end to end, provided it is available in your region. And switch off access to your cloud from foreign devices on principle. A digital privacy expert put it aptly: whoever uploads his exported chats back into the cloud afterwards for safekeeping uploads the unencrypted raw version to exactly the place where he never wanted it.
From the behemoth in the data centre to the trouser pocket
Let me digress for a moment, because this comparison has occupied me ever since I began thinking about the sheer quantity of what we carry around with us.
In my very young years I once stood in the Leibniz computing centre, in front of a gigantic machine. A whole hall full of technology, a computer that cost a fortune and needed a climate controlled room of its own. Ten times the computing power of that entire hall you carry today in your trouser pocket, and I am sure that is still an understatement. At the same time, in my early years, when I used a telecommunications satellite of the German postal service to phone the USA for free, I owned a hard drive I was proud of. It was about 16 centimetres wide, 40 centimetres long, 9 centimetres high, a heavy, humming device. The price was exorbitant. The storage this behemoth made available to me amounted to 20 megabytes.
20 megabytes. Today I sign a contract for artificial intelligence with a provider and get 5 terabytes of cloud storage thrown in, in April 2026, at no surcharge, for the value of a good dinner per month. 5 terabytes are around 250,000 times as much as my behemoth back then. The first commercial hard drive storage in the world, the IBM RAMAC of 1956, held 5 megabytes, weighed a ton and cost a small fortune per megabyte. A cloud subscription of the upper class today with 30 terabytes corresponds to the storage capacity of around 6 million of these RAMAC behemoths.
And the computing power on top of that. The Apollo Guidance Computer that steered the astronauts to the moon and back ran at 0.043 megahertz and had less working memory than sits today in a single text message. A modern iPhone clocks around 100,000 times higher and carries millions of times more memory. A recognised comparison concludes that an iPhone has around 120 million times the computing power of that moon computer. With the device in your pocket you could, purely arithmetically, steer 120 million Apollo missions to the moon at once.
Why do I tell this? Not out of nostalgia. But because this incredible compression is the reason for the whole danger. Once a person was spread over a thousand places: a letter in the drawer, a photo in the album, a diary under the mattress, a secret only in one’s own head. Today all of it lies in a single place, in a device that fits in one hand and that can be taken out of your hand in a second. The convenience this gives us is the same convenience that makes us completely transparent.
Where I see the line being crossed
Now the part where I turn cold, because hot anger helps nothing here.
We have a constitution. It protects our home, our own four walls, expressly and unmistakably. It protects our right to remain unto ourselves. And above everything stands a principle that must be observed in every single state measure: proportionality. A measure must be suitable, it must be necessary, and it must be appropriate. You do not shoot sparrows with cannons, that is not a proverb, that is constitutional law.
And exactly here I see a line being crossed, day after day. When, because of an insult on social media, because of a careless word against a politician, a house search takes place and a smartphone is seized, then that stands in no proportion. Since 2021 there has been a separate criminal offence for the insult of persons in political life, with a maximum penalty of up to 3 years, and it has since been prosecuted even without a criminal complaint. The consequence is a flood of proceedings. Against a single minister alone, more than 800 criminal complaints over offences against honour ran between 2021 and 2024, against another top politician more than 500. The best known case is an image that labelled a minister a numbskull and culminated in a house search. Having insulted someone publicly once should perhaps not entail a search of the home in which, incidentally, the entire digital life of the person concerned vanishes into a bag.
I want to remain fair, because the other side of the coin exists too. In the case of a well known politician who was vilely insulted, the Federal Constitutional Court ruled in her favour and made clear that not everything is permitted on the net either. Incitement is not an opinion. The protection of honour is a real good. But between protection from a hate campaign and a house search over a single coarse word lie worlds, and exactly this distinction is what proportionality demands. When the insulting post has long been secured as a screenshot, then nobody needs to turn the home of the person concerned upside down and examine his phone for months. On the question of when a phone seizure over a mere insult is permissible at all, I have written in detail elsewhere here on the blog, and I refer anyone whom it interests in detail to there.
What remains for me at this point is the cold observation. I find it sad, what happens here. And I demand, unbroken, that those organs be held to account which order and carry out such disproportionate measures. Whoever has experienced the system from the inside for one, two, three decades knows that it is prone to error. I do not tolerate such errors, I never tolerated them, neither in the justice system I worked for nor now, where I look at it from the outside. People had to endure the full programme, house search, seizure, discreditation, and at the end, for many of them, nothing stood but hot air. That is not collateral damage. That is a failure, and it has names, even if I do not name them here.
A brief word on that company from Redmond
One more thing, before I come to the practical conclusion, and it actually deserves a piece of its own, which I will still write.
I no longer recommend a Windows PC to anyone today when it comes to protecting their data. What I have experienced with that company from Redmond over the past decades makes me shake my head to this day. The telemetry that can barely be switched off. The features that record screen contents and are sold as comfort. The persistence with which data leaves the computer, whether you want it or not. A Mac runs cleaner, a Linux system runs cleanest. But the whole story, the whole decades of head shaking, I save for a text of its own, because it bursts the bounds of this one. Only this much as a cliffhanger: whoever believes his operating system works exclusively for him has slept through the last ten years.
Switched off is safe, everything else is a matter of minutes
Let us come back to the teacher from the beginning, whose iPhone vanished unlocked into the bag. His mistake was not a moral one, he had done nothing. His mistake was a technical one, and it is the only one that counts. His device was warm.
From this follows the whole lesson of this text, and it fits into a single sentence. The iPhone is safe, and it stays safe, when it is switched off. In the cold state, with a strong password, the current iPhone is, by everything that is publicly demonstrable, practically locked against the most expensive tools in the world. In the warm state, with a swipe code, the same device is an open book. It is not the brand that decides. It is the state, and over the state you decide.
That is why in the end there is only one recommendation, and it consists of three simple habits.
Leave your phone switched off when you leave it behind in the vehicle. In cases of serious offences or when weapons are involved, an arrest sometimes happens in the middle of a country road, by a special unit, and then it is no longer hard to open an unlocked device. A switched off device, by contrast, stays silent.
Switch your phone off before going to sleep. Most people use it as an alarm clock, unlocked beforehand, and in the morning it goes off with a great bang at the same time every day, and the phone is open and the person is vulnerable. Whoever switches it off begins the day cold and safe. And I recommend the same for the computers. Always shut the Mac down, never just into sleep mode, and disable external access such as booting from foreign media. A device in sleep mode is a warm device.
And the very first thing you do when you take a new iPhone into your hands, before you even take a photo: assign a strong password. No 4 digit numeric code. No dates of birth. A long passphrase that exists only in your head. Switch off unlocking by fingerprint and face if your threat profile demands it, because the finger can be placed for you, the password in your head cannot.
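The arithmetic behind this recommendation, and behind the earlier sentence that once the security chip is bypassed only the keyspace of your PIN stands between an attacker and your data, as an added example that is not part of the original text and not any forensic vendor's code. It computes the keyspace and bit strength of a candidate passcode, estimates the worst-case time to exhaust it at a guess rate, and flags the patterns an investigator types first: dates, repeated and sequential digits. The guess rate of 1,000 attempts per second is an assumed, illustrative parameter, the article gives no figure; the sample codes are constructed.

```python
"""Passcode strength arithmetic: keyspace, bits, and time to exhaust.

Added example, not code from the original article. The guess rate is an
assumed, illustrative parameter: the article gives no concrete figure.
"""
import math
import string
from datetime import date


def alphabet_size(code: str) -> int:
    """Size of the character set an attacker must search for this code.

    A digits-only PIN is searched as digits only (10 symbols); every
    additional character class present enlarges the set.
    """
    size = 0
    if any(c.isdigit() for c in code):
        size += 10
    if any(c.islower() for c in code):
        size += 26
    if any(c.isupper() for c in code):
        size += 26
    if any(c == " " or c in string.punctuation for c in code):
        size += 33  # 32 ASCII punctuation characters plus the space
    return size


def keyspace(code: str) -> int:
    """Number of candidates with the same length and character classes."""
    return alphabet_size(code) ** len(code)


def entropy_bits(space: int) -> float:
    """Keyspace expressed in bits; the 10,000 four-digit PINs are about 13.3 bits."""
    return math.log2(space)


def time_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try the whole keyspace at a given guess rate.

    This is the situation the article describes: once the device-side rate
    limiting is bypassed, only the size of the keyspace slows the attacker.
    """
    return space / guesses_per_second


def looks_like_date(code: str) -> bool:
    """True if an all-digit code reads as a calendar date in a common layout.

    Checked layouts: DDMM, MMDD, bare YYYY, DDMMYY, YYMMDD, DDMMYYYY, YYYYMMDD.
    """
    if not code.isdigit():
        return False
    n = len(code)
    candidates = []  # (year string or None, month string, day string)
    if n == 4:
        if 1900 <= int(code) <= 2100:
            return True
        candidates = [(None, code[2:4], code[0:2]), (None, code[0:2], code[2:4])]
    elif n == 6:
        candidates = [(code[4:6], code[2:4], code[0:2]), (code[0:2], code[2:4], code[4:6])]
    elif n == 8:
        candidates = [(code[4:8], code[2:4], code[0:2]), (code[0:4], code[4:6], code[6:8])]
    for y, m, d in candidates:
        if y is None or len(y) == 2:
            year = 2000  # a leap year, so 29 February counts as a possible birthday
        else:
            year = int(y)
            if not 1900 <= year <= 2100:
                continue
        try:
            date(year, int(m), int(d))
            return True
        except ValueError:
            continue
    return False


def is_trivial_sequence(code: str) -> bool:
    """All characters identical, or a run of consecutive code points (1234, 4321, 1111)."""
    if len(code) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return steps in ({0}, {1}, {-1})


def assess_passcode(code: str, guesses_per_second: float = 1_000.0) -> dict:
    """Summarise what a brute-force attacker faces once rate limiting is gone."""
    space = keyspace(code)
    weaknesses = []
    if code.isdigit():
        weaknesses.append("digits only")
    if len(code) <= 6:
        weaknesses.append("short")
    if looks_like_date(code):
        weaknesses.append("looks like a date")
    if is_trivial_sequence(code):
        weaknesses.append("repeated or sequential characters")
    return {
        "length": len(code),
        "alphabet": alphabet_size(code),
        "keyspace": space,
        "bits": round(entropy_bits(space), 1),
        "worst_case_seconds": time_to_exhaust(space, guesses_per_second),
        "weaknesses": weaknesses,
    }


if __name__ == "__main__":
    # Constructed sample codes; the 1,000 guesses per second rate is an assumption.
    for sample in ["1234", "2512", "19840315", "Correct horse battery staple!"]:
        r = assess_passcode(sample)
        print(f"{sample!r}: {r['bits']} bits, worst case {r['worst_case_seconds']:.3g} s, "
              f"weaknesses: {', '.join(r['weaknesses']) or 'none'}")
```

The point the numbers make is the one in the text: a four-digit PIN is 10,000 candidates and about 13 bits, exhausted in seconds at any realistic rate once the rate limiter is gone, while a passphrase drawn from letters, digits and punctuation grows the keyspace exponentially with every character added. The date check is deliberately generous, it accepts any plausible day and month layout, because the question is not whether the code is your birthday but whether it is anybody's.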
I myself live by this, and it fits my life. I am no longer important, I do not have to be reachable around the clock. I switch my phone on now and then, look at what is happening in the world, read my messages, and then I switch it off again and live my life. My computers are off when I do not need them. When I leave the house, it is with the device switched off. That is not paranoia. I commit no crimes and never will. I simply exercise a right that is mine, the right that my most intimate things stay with me.
You carry your whole life in this one hand. This is not about paranoia. It is about your highest good. And nobody protects that for you. You protect it only yourself, with a finger on the power button.
References
- Amnesty International. (2025, May). Ruling against NSO Group in WhatsApp case a momentous win. https://www.amnesty.org/en/latest/news/2025/05/ruling-against-nso-group-in-whatsapp-case-a-momentous-win/
- American Bar Association. (2025). Compelled Biometrics and Fifth Amendment Rights. https://www.americanbar.org/groups/litigation/resources/newsletters/criminal/compelled-biometrics-fifth-amendment-rights/
- Apple. (2025). About Face ID advanced technology. Apple Support, HT102381. https://support.apple.com/en-us/102381
- Atlantic Council. (2025). Mythical Beasts: Diving into the depths of the global spyware market (2nd ed.). https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/mythical-beasts-diving-into-the-depths-of-the-global-spyware-market/
- Bundesamt für Justiz. (2025, August 5). Übersicht zur Telekommunikationsüberwachung für das Jahr 2023. Press release. https://www.bundesjustizamt.de/
- Bundesgerichtshof. (2025, March 13). Decision 2 StR 232/24: Forced placement of the finger to unlock a smartphone. Discussion at Legal Tribune Online. https://www.lto.de/recht/nachrichten/n/2str23224-bgh-auflegen-finger-entsperren-handy-ermittlungen-dateien
- Cellebrite. (2026). The Access Gap Is Closed: What Cellebrite Can Unlock in 2026. https://cellebrite.com/en/blog/the-access-gap-is-closed-what-cellebrite-can-unlock-in-2026/
- Citizen Lab. (2025, March 19). A First Look at Paragon’s Proliferating Spyware Operations (Report No. 183). https://citizenlab.ca/research/a-first-look-at-paragons-proliferating-spyware-operations/
- Dreyenberg. (2025, June 5). BGH ermöglicht Zwangsentsperrung von Smartphones per Fingerabdruck. https://dreyenberg.com/blog/bgh-ermoeglicht-zwangsentsperrung-von-smartphones-per-fingerabdruck
- European Court of Justice (Grand Chamber). (2024, October 4). Judgment in Case C-548/21, Bezirkshauptmannschaft Landeck, ECLI:EU:C:2024:830. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62021CJ0548
- Federalist Society. (2026, January 8). Do Compelled Biometrics Violate the Fifth Amendment? A Deepening Split Among Lower Courts. https://fedsoc.org/commentary/fedsoc-blog/do-compelled-biometrics-violate-the-fifth-amendment-a-deepening-split-among-lower-courts
- Harwahyu, R., et al. (2024). Locked iOS Device: Data Availability on Before First Unlock (BFU). Indian Journal of Computer Science and Engineering, 15(3). https://www.ijcse.com/docs/INDJCSE24-15-03-045.pdf
- Heise online. (2024, November 29). Justizminister: Polizei soll Zweitschlüssel fürs Verwanzen von Autos bekommen. https://www.heise.de/news/Justizminister-Polizei-soll-Zweitschluessel-fuers-Verwanzen-von-Autos-bekommen-10183384.html
- Ledger Donjon. (2026). MediaTek boot chain vulnerability (CVE-2025-20435). https://internationalfintech.com/ledgers-donjon-hacker-lab-discovers-critical-mediatek-vulnerability-potentially-affecting-25-of-android-phone-users/
- MacRumors. (2026, May 8). Instagram DMs Lose End-to-End Encryption Starting Today. https://www.macrumors.com/2026/05/08/instagram-end-to-end-encryption/
- Quarkslab. (2025). First analysis of Apple’s USB Restricted Mode bypass (CVE-2025-24200). https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html
- Sinaga, et al. (2026). Comparative evaluation of artifact extraction performance in digital forensic tools: Cellebrite UFED, MSAB XRY, and Magnet AXIOM. Journal of Forensic Sciences. https://onlinelibrary.wiley.com/doi/10.1111/1556-4029.70320
- TechCrunch. (2024, November 14). New Apple security feature reboots iPhones after 3 days, researchers confirm. https://techcrunch.com/2024/11/14/new-apple-security-feature-reboots-iphones-after-3-days-researchers-confirm/
- Troutman Pepper Locke. (2025, May 15). US v. Brown: D.C. Circuit Rules on Compelled Biometric Unlocking of Cellphones. https://www.troutman.com/insights/us-v-brown-district-of-columbia-circuit-rules-on-compelled-biometric-unlocking-of-cellphones/
- Verfassungsblog. (2024). Ehre, wem Kritik gebührt? § 188 StGB und die Grenzen des Ehrschutzes von Politikern. https://verfassungsblog.de/ehre-wem-kritik-gebuhrt/