In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market.
Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 (right up to 11.2.6).
That includes the iPhone X, a model that expert has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology. The Israeli firm, a subsidiary of Japan's Sun Corporation, hasn't made any major public announcement about its new iOS capabilities. But expert was told by sources (who asked to remain anonymous as they weren't authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.
Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." Separately, a source in the police forensics community told he'd been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple's newest devices worked in much the same way.
iOS 11 was only released in September last year and was even praised by Cellebrite competitor Elcomsoft for new features that were designed to make it harder for forensics experts to hack into an iPhone. That included protections against forced unlocks with fingerprints, a tactic previously used by U.S. police in the field.
Though it's always wise to take the claims of profit-focused vendors with a pinch of salt, whatever flaws Cellebrite found in Apple's tech in the last half year, they're likely significant; just last year, the company warned about a decline in its ability to break into iPhones.
To take advantage of the Cellebrite service, which "can determine or disable the PIN, pattern, password screen locks or passcodes on the latest Apple iOS and Google Android devices," cops have to send the device to Cellebrite first. In its labs, the company then uses whatever secret exploits it has to crack the lock and either hands it back to investigators so they can take data from the device, or Cellebrite can do that for them. As experts previously detailed, this can be relatively inexpensive, costing as little as $1,500 per unlock. Given there's a $1 million price tag for a single iPhone vulnerability, that's cheap.
Cellebrite could put its latest iPhone unlocking tech into the software it sells to customers. But that would mean Apple could test the tool and potentially figure out a way to stop it working, explained Don Vilfer, a partner at private forensics firm VAND Group, who welcomed the new services. Vilfer said his company has already had some success with the iOS 11 service, in a case where a client's employee wouldn't give over their passcode for their work iPhone, though he recalled it was an iPhone 6 model, not one of the most recent devices.
Neither Apple nor Cellebrite had provided comment at the time of publication. For the general user, they should be aware that the unlocks require physical access to the device. Cellebrite doesn't do such work remotely. And, of course, it's always a cat and mouse game where Apple is continually patching iOS in response to vulnerabilities emerging, so it could close the holes at some point in the future. Users are, generally, advised to download the latest operating system to stand the best chance of remaining secure.
iPhone X examined
It also appears the feds have already tried out Cellebrite tech on the most recent Apple handset, the iPhone X. That's according to a warrant unearthed in Michigan, marking the first known government inspection of the bleeding edge smartphone in a criminal investigation. The warrant detailed a probe into Abdulmajid Saidi, a suspect in an arms trafficking case, whose iPhone X was taken from him as he was about to leave America for Beirut, Lebanon, on November 20. The device was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5. (Saidi's case is due to go to trial on July 31. His legal team didn't respond to requests for comment).
From the warrant, it wasn't clear just how the police got into the iPhone X in the first place, nor does it reveal much about what data was inside. Back when the iPhone X was launched, some fears were raised about the possibility for investigators to simply lift the device to a suspect's face to unlock it via Apple's Face ID facial recognition. Researchers also claimed to have found ways to dupe the Face ID tech into unlocking with a mask. The DoJ prosecutor on the case declined to comment, whilst the DHS didn't respond to requests for comment.
But the ability to crack open almost any iDevice on the market is a significant moment for law enforcement, not just in America, but across the globe. Police have been left scrambling for ways into iPhones ever since Apple started improving its security with each new release. Layers of encryption have become increasingly difficult to penetrate, as highlighted in the now-infamous tussle between the Cupertino giant and the FBI in San Bernardino, where the feds wanted an unwilling Apple to help them access the iPhone 5C of San Bernardino murderer Syed Rizwan Farook.
'Hoarding iPhone vulnerabilities'
Cellebrite has no doubt benefited from the cat and mouse game being played out by the government and Silicon Valley giants. Many U.S. policing and intelligence agencies, including the FBI and the Secret Service, are customers. As detailed last year, the company scored record contracts with a variety of agencies, most notably the Immigration and Customs Enforcement branch of the DHS, which spent $2 million on one deal alone. Customs and Border Protection is also a client.
At the time of the ICE contract, civil rights activists raised concerns over the use of such powerful technology to search Americans' devices. Speaking about the latest developments, Electronic Frontier Foundation senior staff attorney Adam Schwartz said the way in which the government did business with the likes of Cellebrite was "of great concern." He said it was clear that Cellebrite was hoarding vulnerabilities rather than disclosing them to vendors like Apple, which would lead to patches and better security for the general public. "All of us who're walking around with this vulnerability are in danger," he added.
"When it comes to the international border, as the EFF has argued in court and in Congress, the government really needs to get a warrant before it searches our phones. It's all the more true when we see the ever expanding power of governments to get into those phones." Cellebrite provided some additional specifics on Wednesday, claiming it can unlock all iOS versions up to 11.2.6, the most recent iteration of Apple's operating system.
A spokesperson added: "With its service offering, Cellebrite can retrieve (without needing to root or jailbreak the device) the full file system to recover downloaded emails, third-party application data, geolocation data and system logs. Agencies can either provide the device already unlocked, furnish the known passcode, or use Cellebrite’s Advanced Unlocking Services to unlock the device.
"Once the device is unlocked and/or extracted, it is returned to the originating agency. Any extracted data is also sent to the agency in encrypted form to ensure privacy and protect operational information." They declined to provide more details on the nature of the exploits required to open the latest iPhones. Sources close to Apple had previously suggested the company thought Cellebrite's techniques involved older, now-patched vulnerabilities. That appears to be false, if Cellebrite's statement is accurate.