Cellebrite advertises its ability to unlock devices running iOS 11, including the iPhone X...

Cellebrite, the Israeli security firm believed to have helped the FBI unlock an iPhone during the San Bernardino investigation, is claiming it is capable of bypassing the security of devices running iOS 11 and older versions, including recently launched hardware such as the iPhone 8 and iPhone X.

Cellebrite's Universal Forensic Extraction Device (UFED)


The company is said to be advising its customers that it has the ability to access devices running iOS 11, reports Forbes. A marketing document advertising the firm's Advanced Unlocking and Advanced Extraction services to law enforcement agencies advises that devices running iOS 5 through iOS 11 can be accessed, including all iPhone, iPad, iPad Pro, and iPod touch models.

A report source claims the Department of Homeland Security successfully raided an iPhone X in a search for data in November 2017, most likely by using Cellebrite's technology. A separate source involved in the police forensics community claims he was informed by Cellebrite it could unlock an iPhone 8, and believed it would also be true of the iPhone X.

Cellebrite's Advanced Unlocking service is marketed as the "industry's only solution" for defeating complex locks on market-leading devices, including both iOS and Android smartphones and tablets. The paid service, available only to law enforcement, unlocks the device for government agencies, allowing them to extract the data themselves.

The Advanced Extraction option is billed as a way to access the device's data when it is not accessible by conventional means, for example because of full disk encryption. Under the service, the full file system is retrieved for the customer, providing access to emails, application data, geolocation data, and other items without jailbreaking or rooting the device.

If Cellebrite's claims are true, this effectively means it is possible for agencies like the FBI to pay to unlock any iOS device. In contrast to the $900,000 allegedly paid to Cellebrite, the report suggests that the unlocking process can be relatively inexpensive, priced as low as $1,500 per device.

The apparent hack of the iPhone X using Cellebrite's tech was revealed in a warrant discovered by Forbes, with the phone owned by a suspect in an arms trafficking case. The iPhone X was taken from the suspect as he was about to leave the U.S. on November 20, was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs, and the data extracted on December 5.

The warrant does not mention what data was discovered nor how it was accessed. The iPhone X owner is apparently now awaiting a trial on July 31, but it is unknown if the accessed data will be used in their prosecution.

Cellebrite's ability to access the contents of an iOS 11 device is surprising, considering the operating system's release also introduced new security features that made it harder to break. This includes the SOS mode disabling Touch ID, a move that effectively prevents police from forcing a suspect to unlock their iPhone using a fingerprint.

It is unknown exactly how Cellebrite is able to defeat iOS 11's security, and it is unlikely such information will be released, as Apple would almost certainly attempt to patch the security flaw as quickly as possible. Report sources claim the firm has developed new techniques to get in, but considering Apple's quick reactions to plug security holes, the method is probably not one that has been publicly discovered.

A release of data from a hack of Cellebrite's servers last year revealed some of the workings behind its Universal Forensic Extraction Device, a unit that could pull a variety of data from a connected smartphone. Along with brand-specific exploits, the iOS-related code allegedly relied on scripts originally used to jailbreak iPhones, as well as firmware altered to break security on older devices.

Comments

  • Reply 1 of 37
    eightzero Posts: 2,241 member
    Violation of Apple's Terms of Service?
  • Reply 2 of 37
    rob53 Posts: 1,986 member
    eightzero said:
    Violation of Apple's Terms of Service?
    Probably but they could care less and the FBI absolutely could care less how they get the data—if they actually did. 
  • Reply 3 of 37
    We can only hope that they won't perform the service for countries with less than stellar record for human rights... (rhymes with prussia, rina and audi)
  • Reply 4 of 37
    Apple should just buy the company, before Russian and Chinese. 
    I am sure it is more useful than Shazam.
  • Reply 5 of 37
    My guess is there is a problem with the way both TouchID and FaceID authenticate.  Both are basically a way to bypass the system password.

    TouchID and FaceID might be good enough for Apple Pay, but they’re not good enough to secure the device (anymore).

    The vulnerability was probably found as a result of this:
    https://appleinsider.com/articles/18/02/07/source-code-for-ios-iboot-component-reportedly-leaks-online-could-lead-to-new-exploits

    If you are concerned you might want to turn off the ability for the 2 to UNLOCK the device.  If you are REALLY concerned delete the saved Fingerprint, and go back to using a password for everything.  I’m assuming everyone (that’s concerned) already has the wipe device option turned on (after 10 failed password attempts).

    I also have some other ideas, but there is nothing users can do to protect themselves... as long as iDevices can be “jail broken” the solution has to come from Apple.  Hopefully it’s not that... Apple has failed to prevent “jail breaks” and there is nothing that suggests that will change anytime soon.
  • Reply 6 of 37
    eightzero Posts: 2,241 member
    rob53 said:
    eightzero said:
    Violation of Apple's Terms of Service?
    Probably but they could care less and the FBI absolutely could care less how they get the data—if they actually did. 
    I wonder what a court would say.
  • Reply 7 of 37
    I see this as a good thing actually. This is how it’s supposed to work. It’s not supposed to be the government mandating back-door access, it’s supposed to be a cat-and-mouse game with the pursuit of better security and the pursuit of cracking that security.

    Maybe this will help silence those pushing for backdoor access for a little while...
  • Reply 8 of 37
    dewme Posts: 1,934 member
    Pretty much any security measure can be defeated given enough time, money, or jumper cables & car batteries.
  • Reply 9 of 37
    eightzero said:
    rob53 said:
    eightzero said:
    Violation of Apple's Terms of Service?
    Probably but they could care less and the FBI absolutely could care less how they get the data—if they actually did. 
    I wonder what a court would say.
    A US federal court would likely not care what the Apple user agreement says. They would only be concerned with the requirements of the US Constitution and supporting law and precedence.
  • Reply 10 of 37
    dewme said:
    Pretty much any security measure can be defeated given enough time, money, or jumper cables & car batteries.
    Unfortunately that’s very true.  Usually the best we (Apple, etc.) can do is increase the cost enough that “they” go after someone else.  The “They” is usually hackers, but unfortunately (or fortunately) depending upon your perspective ‘nation states’ have essentially unlimited funds.  Lately, the discussion of security, privacy, backdoors, etc. has become (devolved to?) PR battles.
  • Reply 11 of 37
    Oh boy!!! So what’s Apple to do now if this is really true about everything up to iOS being compromised?? A big selling point for me going with Apple is knowing they would never divulge any personal information I was texting or emailing to other Apple users. 
  • Reply 12 of 37
    Oh boy!!! So what’s Apple to do now if this is really true about everything up to iOS being compromised?? A big selling point for me going with Apple is knowing they would never divulge any personal information I was texting or emailing to other Apple users. 
    Security of Apple’s products is an important selling point, this news is a big problem.  With Android you might be able to go with a 3rd party solution (like full disk encryption) but that’s not possible with Apple.

    Cellebrite’s announcement is basically reporting a zero-day flaw in iOS.  The problem is Apple has no information about the flaw, and Cellebrite isn’t likely to tell them.

    The only thing I can think of is Apple buying rights to the exploit, and perhaps hiring them to find more.  At that point Israel might get involved...

    Also, there is nothing stopping someone else finding the same vulnerability, with the iBoot code already out there.  Whatever happens this is going to cost Apple a bundle.
  • Reply 13 of 37
    eightzero said:
    rob53 said:
    eightzero said:
    Violation of Apple's Terms of Service?
    Probably but they could care less and the FBI absolutely could care less how they get the data—if they actually did. 
    I wonder what a court would say.
    A US federal court would likely not care what the Apple user agreement says. They would only be concerned with the requirements of the US Constitution and supporting law and precedence.
    I'm not sure I would agree that a US Federal Court would not be interested in a breach of contract case.


  • Reply 14 of 37
    cgWerks Posts: 1,949 member
    My guess is there is a problem with the way both TouchID and FaceID authenticate.  Both are basically a way to bypass the system password.
    TouchID and FaceID might be good enough for Apple Pay, but they’re not good enough to secure the device (anymore).
    Yea, or just one of the types of security flaws we seem to see in the news every month or two, anymore... just not reported, so not fixed. Or, it could just be a baloney report too to keep the 'bad guys' on their toes.

    Assuming Apple hasn't provided a back-door, though, this is kind of the way it is supposed to be. The industry makes things as secure as possible. Crooks and 3-letter agencies try to break in. And, we all hope there are more 'good guys' that responsibly report the security holes, instead of selling them to crooks or 3-letter agencies.
  • Reply 15 of 37
    flydog Posts: 174 member
    eightzero said:
    eightzero said:
    rob53 said:
    eightzero said:
    Violation of Apple's Terms of Service?
    Probably but they could care less and the FBI absolutely could care less how they get the data—if they actually did. 
    I wonder what a court would say.
    A US federal court would likely not care what the Apple user agreement says. They would only be concerned with the requirements of the US Constitution and supporting law and precedence.
    I'm not sure I would agree that a US Federal Court would not be interested in a breach of contract case.


    What contract are you referring to?  
  • Reply 16 of 37
    I’ll bet there are a lot of conditions necessary for this to happen. Not as easy as they imply. Marketing and hype. How’s about a public demo?
  • Reply 17 of 37
    This is interesting. What does Cellebrite know that Apple doesn't know (yet) about their own OS?
  • Reply 18 of 37
    Cellebrite is widely suspected to be using NAND mirroring, a method that's been demonstrated as a proof of concept. They de-solder the memory chip, clone it thousands of times, and then install an external interface on the phone so the chip can be easily replaced. Each chip gets six passcode tries before lockout, then they swap it out for the new one.
  • Reply 19 of 37
    Or it’s deliberate misinformation.

    It is more in this company's (and the FBI et al) interest to keep this information hidden...

    UNLESS

    you want to get the gullible to unlock their phone for you - 

    CIA: unlock your phone!
    Person of Interest: No.
    CIA: look, just go ahead and unlock it will you. We can get it unlocked anyway... haven’t you seen the news? It’s been on Twitter and everything... oh, and we’ll charge you the 1,500 plus shipping and handling also.
    Person of Interest: Oh crikey, you’re right. Here, let me unlock that for you.
  • Reply 20 of 37
    My guess is there is a problem with the way both TouchID and FaceID authenticate.  Both are basically a way to bypass the system password.

    TouchID and FaceID might be good enough for Apple Pay, but they’re not good enough to secure the device (anymore).

    The vulnerability was probably found as a result of this:
    https://appleinsider.com/articles/18/02/07/source-code-for-ios-iboot-component-reportedly-leaks-online-could-lead-to-new-exploits

    If you are concerned you might want to turn off the ability for the 2 to UNLOCK the device.  If you are REALLY concerned delete the saved Fingerprint, and go back to using a password for everything.  I’m assuming everyone (that’s concerned) already has the wipe device option turned on (after 10 failed password attempts).

    I also have some other ideas, but there is nothing users can do to protect themselves... as long as iDevices can be “jail broken” the solution has to come from Apple.  Hopefully it’s not that... Apple has failed to prevent “jail breaks” and there is nothing that suggests that will change anytime soon.
    I was under the impression jailbreaking has actually become more difficult to do and the lead times longer after new iOS versions. 