A mobile device forensics company now says it can break into any Apple device running iOS 12.3 or below.
Israel-based Cellebrite made the announcement on an updated webpage and through a tweet asserting that it can unlock and extract data from all iOS and "high-end Android" devices.
This isn't the first time Cellebrite has claimed to have been able to unlock iPhones. Last year, it and Atlanta-based Grayshift said they had discovered a way to unlock encrypted iPhones running iOS 11 and marketed their efforts to law enforcement and private forensics firms worldwide. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security tested Cellebrite's technology.
Grayshift's technology was snapped up by regional law enforcement agencies and won contracts with Immigration and Customs Enforcement (ICE) and the U.S. Secret Service.
Shortly after the two companies announced their ability to bypass iPhone passcodes, Apple announced its own advances to further limit unauthorized access to locked iOS devices through a USB Restricted Mode. In iOS 12, Apple changed the default settings on iPhones to shutter access to the USB port when the phone has not been unlocked for one hour.
While the passcode hack may be unsettling to iPhone owners, Cellebrite's technology doesn't work via the cloud; it requires physical access to a device, according to Jack Gold, principal analyst with J. Gold Associates.
"I am speculating of course, but if you can work below the phone BIOS level, you can do lots of stuff (think of it as a rootkit like on a PC)," Gold said via email. "If this is indeed their penetration method, then the level of OS almost doesn't matter, since they are breaking in below the OS level and it's more about the actual hardware inside the phone."
Vladimir Katalov, CEO of Russian forensic tech provider ElcomSoft, described Cellebrite's technology as based on a brute-force attack, meaning their platform tries various passcodes until it unlocks the phone. And, he said, both Cellebrite and Grayshift say they have "a kind of" solution to USB Restricted Mode. But any details are kept secret and made available only to customers who are under a strict NDA, Katalov said.
"From what I know, both companies [Cellebrite and Grayshift] are now able to extract most of the data even from locked iPhones running iOS 11 and older – without recovery of the passcode (though some data remains encrypted based on the real passcode). The limitation is the phone should be unlocked at least once after last reboot," Katalov said via email. "From what we heard, it is about 10 to 30 passcodes per second in AFU (After First Unlock) mode, and just one passcode in 10 minutes in BFU (Before First Unlock)."
The iPhone Xr and Xs models (based on the A12 SoC) are harder to break because passcode recovery on them always runs at BFU speed, even if the phone has been unlocked once since reboot, Katalov claimed. "Cellebrite does not support these models in their on-premise solution though, but it is available from their [Cellebrite Advanced Services]," he said.
Both Cellebrite's and Grayshift's tools try all possible passcode combinations, but they start with the most popular passcodes, such as 1234; this ordering is especially important in BFU mode, where only about 150 passcodes per day can be tried. A custom dictionary (wordlist) can also be used, Katalov said.
In general, iOS devices are very well protected, while some Android devices provide an even better level of security, Katalov said.
To protect your smartphone, Katalov recommends the following:
- Use at least a 6-digit passcode
- Make the passcode complex
- Enable USB restricted mode
- Know how to trigger it manually (Emergency S.O.S.)
- Best of all, use an iPhone Xr or Xs model or newer
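An added illustration, not from the article or from any vendor's tooling, of why the six-digit and "make it complex" recommendations go together: it estimates how long an exhaustive search of a numeric passcode space takes at the AFU and BFU rates Katalov quotes, and flags passcodes a popularity-first dictionary would reach early. The rates are assumed as stated; the popular-passcode list is a constructed stand-in, since the article says the real ones are under NDA.

```python
# Added example (not from the article or any vendor tool): estimate how exposed a
# numeric passcode is under the guess rates quoted in the article, and flag
# passcodes that a "most popular first" dictionary would try early.
from dataclasses import dataclass

# Rates as quoted in the article, taken at face value (assumption).
AFU_GUESSES_PER_SEC = 30.0     # upper end of "10 to 30 passcodes per second"
BFU_GUESSES_PER_DAY = 150.0    # "about 150 passcodes per day"

# Constructed stand-in for a popularity-ordered dictionary; the article only
# names 1234, and vendors' real lists are kept under NDA.
POPULAR_PASSCODES = {"1234", "0000", "1111", "2580", "123456", "000000", "111111"}


@dataclass
class Exposure:
    keyspace: int                 # number of passcodes of this length
    in_dictionary: bool           # would a popularity-first list try it early?
    afu_days_to_exhaust: float    # worst case at the After First Unlock rate
    bfu_days_to_exhaust: float    # worst case at the Before First Unlock rate


def dictionary_hit(passcode: str) -> bool:
    """Heuristics for passcodes a popularity-first dictionary covers first."""
    if passcode in POPULAR_PASSCODES:
        return True
    if len(set(passcode)) == 1:                       # 1111, 000000
        return True
    digits = [int(c) for c in passcode]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                          # 1234, 654321
        return True
    if len(passcode) == 4 and passcode[:2] in ("19", "20"):  # birth years
        return True
    return False


def exposure(passcode: str) -> Exposure:
    """Keyspace and exhaustive-search time for a numeric passcode."""
    if not passcode.isdigit():
        raise ValueError("this example models numeric passcodes only")
    keyspace = 10 ** len(passcode)
    return Exposure(
        keyspace=keyspace,
        in_dictionary=dictionary_hit(passcode),
        afu_days_to_exhaust=keyspace / AFU_GUESSES_PER_SEC / 86_400,
        bfu_days_to_exhaust=keyspace / BFU_GUESSES_PER_DAY,
    )


if __name__ == "__main__":
    for pc in ("1234", "123456", "4917", "493027"):
        print(pc, exposure(pc))
```

At the BFU rate, exhausting all six-digit codes takes on the order of 18 years versus about 67 days for four digits, but a six-digit code the dictionary covers, such as 123456, gets none of that benefit.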
"For normal users, I think there is no risk at all," Katalov said. "Though, of course, I am looking for better iOS security in the future. At the same time, forensic investigations should still be performed on a regular basis. Honestly, I do not see the perfect solution here, to find a good balance between privacy and security and having an ability to break into locked devices to find evidence."
The real risk to users, Gold said, is that bad actors could get their hands on the technology and use it.
"Cellebrite claims it's got everything under control, but I've seen some rumors saying that they've lost some systems and that could lead to a reverse engineering scenario where bad actors duplicate the tech for bad purposes," Gold said. "Of course, there's also a privacy issue – once public agencies have the tech, will they use it to invade our privacy? It will be hard to do on a large scale, as it requires a physical connection to the phone. But in select situations it could be an issue."
Gold doesn't believe Apple, Google or any other phone manufacturer will be able to completely secure their devices because encryption is a game of "advances" where vendors make security advances and hackers find a way to evolve their break-in efforts.
Andrew Crocker, a senior staff attorney with the Electronic Frontier Foundation, agreed with Gold, saying it's nearly inevitable that dedicated attackers, "including Cellebrite," will find a way around security features.
"That leads to a kind of cat-and-mouse game between security teams at Apple and Android and companies like Cellebrite and GrayKey," Crocker said. "We should remember that dynamic the next time we hear law enforcement officials who want to mandate encryption backdoors talk about 'unhackable' devices and 'zones of lawlessness.'"