Wednesday, 30 March 2016

Race to discover how FBI cracked San Bernardino killer’s iPhone

In the week since the FBI surprised Apple by saying it may have found its own way into the San Bernardino gunman’s smartphone, investigators have disclosed nothing about how they did it. But that has not stopped the security industry from guessing how the iPhone’s security was defeated and who helped the FBI uncover it.

The speculation is driven by both high-minded concern for the digital security of the general public and hackers’ constant desire for bragging rights about who has managed to outsmart the rest.

Employees at Cellebrite, an Israeli mobile forensics company known to have worked for the FBI, have claimed credit in private forums for breaking into Syed Rizwan Farook’s iPhone, according to two people familiar with the matter. Shares in the company’s Japan-listed parent, Sun Corp, have leapt more than 60 per cent in the past week.

Cellebrite, which has declined to comment on the matter, is one of several forensic security companies specialising in extracting data from mobile devices. Law enforcement agencies look to such businesses when extracting data is critical to solving a case, often paying a high price — in some cases, hundreds of thousands of dollars — for tools that can simplify cracking a smartphone.

“The cops basically want push-button forensics,” says Jonathan Zdziarski, an iPhone security expert.

As well as researching vulnerabilities themselves, these groups often scour the “grey” hacker market to buy so-called “exploits” they can package up and sell to investigators or companies for security testing.

Marc Goodman, who has worked on cyber security for Interpol and the US government, says law enforcement agencies had long been in an “arms race” with device and software manufacturers to break their security. “This is where law enforcement and criminals have something in common.”

Security experts agree that if the FBI can hack Farook’s iPhone 5c, which was running a version of the iOS 9 software released last September, it could break into any other device with the same specifications — and most previous models. Some fear the repercussions of the FBI’s disclosure that a previously unknown flaw exists.

“The fact that there is a confirmed exploit there for a device is certainly going to get a lot of people to look for it,” Mr Zdziarski says. “Damage control is the real question here ... The FBI’s biggest mistake has been assuming that they can contain this.”

It is imperative for Apple to find out what the vulnerability is. Experts are divided on whether the FBI’s technique would have worked on newer iPhones released since 2013, when Apple introduced a new form of hardware protection known as a “secure enclave”.

Mr Goodman says the FBI’s method could probably not be replicated on a mass scale by cyber criminals, because it is likely to require possession of the device. Much simpler methods of tricking people into giving away the contents of their smartphones are widely available, such as persuading them to click on links containing malware.

Until technology is developed to enable the hacking to be done remotely, the tactic would probably be used only by “state-sponsored” entities, such as the US or Chinese governments, targeting “super high-value targets” such as terrorists, he says. “It could be used if you are an American travelling in China and the Chinese want access to your phone,” he said.

Mike Janke, chairman of Silent Circle, which makes an encrypted smartphone called the Blackphone, says he is not surprised the FBI has been able to access the phone with its “tens of millions of dollars of experts”.

He believes they copied the phone’s memory to automatically try different passcodes on the fake version without triggering the 10 passcode limit, in what is called a brute force attack. This method — sometimes known as “NAND mirroring” after the type of memory used in smartphones — might even work on newer iPhones, some experts believe.

“It is not as hard as people think,” says Mr Janke. “There isn’t a phone in the world that cannot have its hard drive opened like this, all are susceptible.”

But Adam Ghetti, chief technology officer at Ionic Security, says the FBI is likely to have used a simpler method to get into the iPhone 5c, one that could not be used on newer models.

In this scenario, a hacker would have to locate the part of the chip responsible for setting the 10-passcode limit and physically solder on a new connection to a programme that could reset it after nine attempts. “You don’t have to lift all the memory, just rewrite the right portions — and with only 10,000 options of codes, it wouldn’t take long,” he says.

The secure enclave in newer iPhones cannot be bypassed in the same way, he says, praising Apple for being ahead of the curve. “The vulnerability which was most likely exploited, Apple patched [fixed] 18 months ago,” he said.

Apple is already laying the groundwork to discover the FBI’s method in other court cases involving locked iPhones. On Friday, in a New York drugs case, the company wrote to the judge asking to delay proceedings in light of the Department of Justice’s sudden discovery earlier that week.

“If that same method can be used to unlock the iPhone in this case, it would eliminate the need for Apple’s assistance,” Apple said. “On the other hand, if the DoJ claims that the method will not work on the iPhone here, Apple will seek to test that claim, as well as any claims by the government that other methods cannot be used.”

(Published by Financial Times - March 30, 2016)
