Spanish media claims iPhone 6 with Secure Enclave unlocked by Cellebrite in course of inve...
Media reports are claiming that an iPhone 6 that was dredged out of the water in Spain has been unlocked by Cellebrite, and if accurate would be the first publicized report of Apple's Secure Enclave having been penetrated by third party hacking tools.
The mother of missing woman Diana Quer made the declaration on TV program Espejo Publico that a phone that Quer possessed had been unlocked. What useful data that could be gleaned in the investigation surrounding the missing woman is unknown at this time.
During the interview on the Spanish show, law enforcement also revealed that it cost 2000 euro to break into the phone, a far cry from the millions allegedly paid by the FBI to break into an iPhone 5c.
Many details about the penetration of the iPhone are still not known, or have not been revealed by law. While the device is an iPhone 6, what version of iOS the device was running is not known, nor is it known if the device was jailbroken by the user which could have made break-in attempts easier.
Law enforcement also claims that there are WhatsApp messages that were sent to Quer, but were not read that "remain available in the cloud." The sender of those messages, or the relevancy to the investigation is not clear.
Given that the iPhone was submerged in fresh water for two months, it was most likely non-operational. In all likelihood, the chips were removed from the device, and some variation of "NAND Mirroring" used to get at the contents.
Using NAND Mirroring, a four-digit passcode would take about 40 hours, and a six-digit code such as that found on Quer's phone, could take hundreds of hours.
Cellebrite is the Israeli company originally thought to be tied to the FBI's unlock of the San Bernardino shooter's iPhone 5c. In that case, another vague group of "grey-hat" hackers. No useful data linking the San Bernardino shooters to other suspects or deeper ties to terrorist organizations was discovered.
The director of Cellebrite claimed in February that it had started doing "lawful unlocking and evidence extraction" for the iPhone 6 and 6 Plus with in-house service only.
Following the assassination of the Russian ambassador to Turkey, an iPhone 4S was found on the shooter's body. Apple's assistance was requested in that case, with the company reportedly turning it down.
The mother of missing woman Diana Quer made the declaration on TV program Espejo Publico that a phone that Quer possessed had been unlocked. What useful data that could be gleaned in the investigation surrounding the missing woman is unknown at this time.
During the interview on the Spanish show, law enforcement also revealed that it cost 2000 euro to break into the phone, a far cry from the millions allegedly paid by the FBI to break into an iPhone 5c.
Many details about the penetration of the iPhone are still not known, or have not been revealed by law. While the device is an iPhone 6, what version of iOS the device was running is not known, nor is it known if the device was jailbroken by the user which could have made break-in attempts easier.
Law enforcement also claims that there are WhatsApp messages that were sent to Quer, but were not read that "remain available in the cloud." The sender of those messages, or the relevancy to the investigation is not clear.
Given that the iPhone was submerged in fresh water for two months, it was most likely non-operational. In all likelihood, the chips were removed from the device, and some variation of "NAND Mirroring" used to get at the contents.
Using NAND Mirroring, a four-digit passcode would take about 40 hours, and a six-digit code such as that found on Quer's phone, could take hundreds of hours.
Cellebrite is the Israeli company originally thought to be tied to the FBI's unlock of the San Bernardino shooter's iPhone 5c. In that case, another vague group of "grey-hat" hackers. No useful data linking the San Bernardino shooters to other suspects or deeper ties to terrorist organizations was discovered.
The director of Cellebrite claimed in February that it had started doing "lawful unlocking and evidence extraction" for the iPhone 6 and 6 Plus with in-house service only.
Following the assassination of the Russian ambassador to Turkey, an iPhone 4S was found on the shooter's body. Apple's assistance was requested in that case, with the company reportedly turning it down.
Comments
The whole scenario as reported is unlikely.
If there was a passcode the private key stored in the "Secure Enclave" would be used in conjunction to encrypt the data. Even if they were able to pull data off - it would be encrypted and the only way to decrypt it would be to get that private key.
More than likely, there was no passcode set on the device - which is why it was easy to extract the data.
If the person had use the optional 'Custom Alphanumeric Code,' Cellubrite may still be trying.
The passcode is not the decryption key. It (in conjunction with algorithms provided by iOS) allows access to a key that is used by the secure enclave to decrypt the actual content. If the OS and the secure enclave chip are not functioning, then you would need to brute-force the internal key in order to read the content of the flash chip itself. That is much much more difficult than trying all combinations of a 4- or 6-digit passcode.
If the phone is working, you can try every passcode combination, but there are a few caveats. After a few failures, the phone makes you wait before you can try again - I think the delay can go up to an hour, if you fail many times. And there phone may be configured to wipe its contents after too many failures. In order to work around this, you need to make a backup of the flash storage and restore it after every 4-5 attempts, in order to reset the counter. But that only works on older versions of iOS - more recent versions store the counter in the secure enclave, where it can't be reset without already having the key.