Spanish media claims iPhone 6 with Secure Enclave unlocked by Cellebrite in course of inve...

Posted:
in iPhone edited July 2017
Media reports are claiming that an iPhone 6 that was dredged out of the water in Spain has been unlocked by Cellebrite, and if accurate would be the first publicized report of Apple's Secure Enclave having been penetrated by third party hacking tools.




The mother of missing woman Diana Quer made the declaration on TV program Espejo Publico that a phone that Quer possessed had been unlocked. What useful data that could be gleaned in the investigation surrounding the missing woman is unknown at this time.

During the interview on the Spanish show, law enforcement also revealed that it cost 2000 euro to break into the phone, a far cry from the millions allegedly paid by the FBI to break into an iPhone 5c.

Many details about the penetration of the iPhone are still not known, or have not been revealed by law. While the device is an iPhone 6, what version of iOS the device was running is not known, nor is it known if the device was jailbroken by the user which could have made break-in attempts easier.

Law enforcement also claims that there are WhatsApp messages that were sent to Quer, but were not read that "remain available in the cloud." The sender of those messages, or the relevancy to the investigation is not clear.

Given that the iPhone was submerged in fresh water for two months, it was most likely non-operational. In all likelihood, the chips were removed from the device, and some variation of "NAND Mirroring" used to get at the contents.

Using NAND Mirroring, a four-digit passcode would take about 40 hours, and a six-digit code such as that found on Quer's phone, could take hundreds of hours.

Cellebrite is the Israeli company originally thought to be tied to the FBI's unlock of the San Bernardino shooter's iPhone 5c. In that case, another vague group of "grey-hat" hackers. No useful data linking the San Bernardino shooters to other suspects or deeper ties to terrorist organizations was discovered.

The director of Cellebrite claimed in February that it had started doing "lawful unlocking and evidence extraction" for the iPhone 6 and 6 Plus with in-house service only.

Following the assassination of the Russian ambassador to Turkey, an iPhone 4S was found on the shooter's body. Apple's assistance was requested in that case, with the company reportedly turning it down.

Comments

  • Reply 1 of 14
    SpamSandwichSpamSandwich Posts: 29,891member
    Sounds like they're bluffing.
    r00fus1magman1979ericthehalfbeewatto_cobrabshankcornchip
  • Reply 2 of 14
    mwhitemwhite Posts: 157member
    Fake news
    watto_cobra
  • Reply 3 of 14
    78Bandit78Bandit Posts: 190member
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.
    SpamSandwichwatto_cobrastanthemancornchip
  • Reply 4 of 14
    linkmanlinkman Posts: 835member
    78Bandit said:
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.
    The PIN alone is not the entire key needed to decrypt the contents. Some parts of that phone would still have to work to enable anything but a brute force decryption (which is almost impossible).

    The whole scenario as reported is unlikely.
    r00fus1SpamSandwichwatto_cobrastanthemancornchip
  • Reply 5 of 14
    Mike WuertheleMike Wuerthele Posts: 3,314administrator
    78Bandit said:
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.
    Yeah, you're right about that. Left over from a previous draft, before I moved some bits around.
    watto_cobra
  • Reply 6 of 14
    mjtomlinmjtomlin Posts: 1,776member
    78Bandit said:
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.

    If there was a passcode the private key stored in the "Secure Enclave" would be used in conjunction  to encrypt the data. Even if they were able to pull data off - it would be encrypted and the only way to decrypt it would be to get that private key.

    More than likely, there was no passcode set on the device - which is why it was easy to extract the data.
    ericthehalfbeeSpamSandwichwatto_cobracornchip
  • Reply 7 of 14
    foggyhillfoggyhill Posts: 4,754member
    Seems pretty unlikely as this requires a lot of the phone's hardware to work well, then decapping, then running custom software on then instrumenting those opened up chips that somehow survived in water without destroying them.

    Doing it on a new phone could in theory be done with a lot of very expensive machines and a working phone.

    Even mirroring shouldn't quite work in this case (like it did pre 5s).

    Doing this cheaply seems to be less than probable.


    edited July 2017 watto_cobrastantheman
  • Reply 8 of 14
    suddenly newtonsuddenly newton Posts: 13,719member
    So... NAND mirroring and using brute force to try every passcode does not equal "unlocking secure enclave."
    magman1979entropyswatto_cobrabshankcornchip
  • Reply 9 of 14
    I thought the 5S did not have the secure enclave since you need the Apple Watch to do Apple Pay with the 5S?
    watto_cobra
  • Reply 10 of 14
    gunner1954gunner1954 Posts: 138member
    78Bandit said:
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.
    The article did not say that the encryption was cracked. It intimated that Cellbrite used NAND mirroring to decipher the 6-digit access code, which can be done in hours, not years. Once the 6-digit code is known, the phone's contents are 'unlocked' and can be read, but the encryption is still in place.

    If the person had use the optional 'Custom Alphanumeric Code,' Cellubrite may still be trying.
    stantheman
  • Reply 11 of 14
    foggyhillfoggyhill Posts: 4,754member
    78Bandit said:
    I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.
    The article did not say that the encryption was cracked. It intimated that Cellbrite used NAND mirroring to decipher the 6-digit access code, which can be done in hours, not years. Once the 6-digit code is known, the phone's contents are 'unlocked' and can be read, but the encryption is still in place.

    If the person had use the optional 'Custom Alphanumeric Code,' Cellubrite may still be trying.
    The 6 digit access code is certainly not in the clear in any place I've ever seen in the last 30 years  and usually can only be fed through a working software anyway.

    You'd only get a one way hash out of that... So, the option is to get it offline I guess and then try to use the same function that created the hash in the first place (the same one as IOS would be using). It usually uses some other protected on device info to do that I believe. So, they'd need to decap a 1-2 more chips to get to that first.

    I guess the first they'd need to do is reverse engineer the hash function. For that, they can just use phones they control and input various passwords.
    That could have been done a while back.

    Then, they need to run that function offline until you get the same hash, that's a million iterations which once you got the correct function can be done in a jiffy.

    That's essentially the way people get passwords from stolen password files, except the fact those passwords being of random length  complicates this a bit.

    Then, they booth up the device and enter the code they got and get in.
    Apple can make their jobs impossible by insuring that the hash is built from info on the device, a kind of secret serial numbers, that is destroyed if you try to extract it (those kind of chips exists). The whole hash calculating chip could self-destroy if someone tries to tamper with it. Retries are already hardware enforced.

    None of this looks like a $1200 bucks job..., more like a 100K and up job.


    edited July 2017
  • Reply 12 of 14
    All the link says there is that they sent the phone to a company in Germany, paid 2000EUR to have the data retrieved. Sounds to me like it didn't have any touchID or passcode lock and this is just a fee for retrieving data from a seriously damaged device. OR They're being sent encrypted data which will be useless to them.
  • Reply 13 of 14
    shaminoshamino Posts: 399member
    So... NAND mirroring and using brute force to try every passcode does not equal "unlocking secure enclave."
    That's correct.

    The passcode is not the decryption key.  It (in conjunction with algorithms provided by iOS) allows access to a key that is used by the secure enclave to decrypt the actual content.  If the OS and the secure enclave chip are not functioning, then you would need to brute-force the internal key in order to read the content of the flash chip itself.  That is much much more difficult than trying all combinations of a 4- or 6-digit passcode.

    If the phone is working, you can try every passcode combination, but there are a few caveats.  After a few failures, the phone makes you wait before you can try again - I think the delay can go up to an hour, if you fail many times.  And there phone may be configured to wipe its contents after too many failures.  In order to work around this, you need to make a backup of the flash storage and restore it after every 4-5 attempts, in order to reset the counter.  But that only works on older versions of iOS - more recent versions store the counter in the secure enclave, where it can't be reset without already having the key.
    cornchip
  • Reply 14 of 14
    I thought the 5S did not have the secure enclave since you need the Apple Watch to do Apple Pay with the 5S?
    I guess the 5S has the secure enclave as this works in tandem with Touch ID, but it may lack the NFC radio to proceed with payments.
Sign In or Register to comment.