Phone-cracking firm advertises that it can unlock any iPhone

The FBI has Cellebrite's number.

Phone-cracking firm advertises that it can unlock any iPhone

As Thomas Fox-Brewster reports at Forbes (danger! there’s an irritating anti-ad-blocker interstitial at the end of that link), Israeli security firm Cellebrite claims it can now even unlock iPhones running the very latest version of iOS.

Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.”

Sure enough, a January 2018-dated marketing document from Cellebrite, touting its ability to unlock smartphones and extract data from them, appears to confirm the company has found a method to meddle with iOS 11’s security on the latest Apple devices.

Cellebrite document

Such a technique has ramifications for all users of Apple products. Because if Cellebrite has found a way to do this, the ability could also potentially be found by others - including law enforcement agencies and dodgy authoritarian regimes.

And if they haven’t discovered how to do it… well, they could always pay Cellebrite to do it for them.

The one thing you can be pretty sure about is that Cellebrite is unlikely to have shared details with Apple. After all, Apple would presumably work quickly to secure any vulnerability, protecting hundreds of millions of its users around the world. And that would simply work against Cellebrite’s business model.

Forbes has also uncovered that the US government has used the phone-cracking technology in a criminal investigation, extracting information from a suspected arms trafficker’s iPhone X.

One interesting aside. Bruce Schneier notes the possibility that whatever Cellebrite has up its sleeve against latest iPhones may “only” stop iOS from preventing you from multiple attempts at guessing an owner’s PIN or password:

There’s also a credible rumor that Cellebrite’s mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.

If that’s the case then it’s still a security weakness of course, but not quite by itself a skeleton key for the Feds.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , , ,

6 Responses

  1. Chris

    February 28, 2018 at 3:15 pm #

    And if they haven’t discovered how to do it… well, they could always pay Cellebrite to do it for them.’

    No. CAIS is strictly Law Enforcement only, and even then detailed reasons why the procedure is absolutely necessary have to be provided, which may include warrant details, other methods tried and so on. The oversight for this method is very, very strong. It has undoubtedly put some seriously bad people in prison already and almost certainly saved lives.

    • Anonymous signal in reply to Chris.

      March 1, 2018 at 2:56 am #

      Every man has his price…

  2. Mark Jacobs

    February 28, 2018 at 4:11 pm #

    Why does the article seem to only cite Apple devices as being unlockable with their techniques and not the Google Android devices they also claim to be able to unlock? My fingerprint-protected Nexus 6 with its 11-digit PIN seems just as vulnerable now as the lastest iPhone X!

    • dave in reply to Mark Jacobs.

      February 28, 2018 at 4:51 pm #

      I have a Nexus 6 and there is no fingerprint protection. Did you mean the 6P? Fingerprint unlocking is not protected like passwords or PINs are.

      • WTS in reply to dave.

        February 28, 2018 at 11:17 pm #

        Actually, in the US, you can be required to provide your fingerprint to unlock any device secured by it. That is the least secure option available.

        A combination of the two would be nice but I don’t see that option on my iPhone.

    • Anonymous signal in reply to Mark Jacobs.

      March 1, 2018 at 3:52 am #

      It always has been. From early SIM card history, they were first marketed as personal application storage, you could create crude Java menus and such. There’s a whole (tiny) ecosystem for it; they’re called Java Cards, not SIM cards! … and yes, they still can run software, which can be updated by your provider, so your phone… runs any software they like… without your permission!

      Statistically speaking, your phone would certainly have seen a metasploit framework scan it, if only your phone had its own IP, and I’m willing to bet a few of them have regardless. All OSes are like this. Take the firmware that coincidentally protects the entire network away, or punch through it using DNS cache poisoning for example and assuming it was doing its job correctly to begin with, you’ve taken most of the security away. Once an attacker knows you’re running an out-of-date system and they can get access via exploits for vulns that aren’t yet patched, it’s game over. Microsoft learnt this the hard way back in 2003, give or take a couple of years.

      That issue is compounded by the fact that many people don’t update, or will keep holding off on restarting after a critical update (in spite of constant reminders)… yet it can’t be fully eliminated, as you can see, from the age of this post, there probably hasn’t been time to patch the code let alone conduct the investigation. Until the code is patched, you’re vulnerable… and from a networking perspective, hate to break your sunshine but most have been vulnerable since the late 80s anyway… QED: When was RFC882 officially endorsed? Because that’s probably somewhere around the time the problems started:

      > Name server functions are designed to allow for very simple
      > implementations of name servers. The simplest name server has a
      > static set of information and uses datagrams to receive queries
      > and return responses.
      > More sophisticated name server implementations can improve the
      > performance of their clients by caching information from other
      > domains.

      … ahhh, the spine which DNS cache poisoning attacks typically trample upon!

      I’ve owned a compromised phone before. My only advice involves being proactive, and planning ahead: 1/ run an update (of everything, A/V signatures included), malware scan and backup your phone regularly (as per usual recommended practices) and 2/ learn what to do to restore your phone to factory conditions, before you need to do it; after each update, scan & backup is a pretty good time to practice this, at least until you can remember how to do it without following written instructions. This way, it doesn’t become such an inconvenience when you start seeing strange malware installing itself.

      At the end of the day, the vulns will soon be patched. Google and Apple will probably send someone in to make a legitimate purchase of service, and then watch all of the incoming and outgoing traffic. It really is that simple for these big companies. I mean, Google has been busted recording wifi traffic before, and a zebra doesn’t change its stripes… right? All the big companies do is pay a few million in pocket money (“fines”?) and say “we won’t do it again”… then do it again five years later somewhere else… right?

      … and in the meantime, someone has a vuln they’ve not yet disclosed, somewhere, and they are the next ones to make their money in this business…

      … and in the meantime, some code monkey is adding more “mistakes” into the patches to be “found” later for a hefty reward, and… you get… HA HA HA HA HA HA HA HA perhaps an Apple employee?

Leave a Reply