Naked Security

Can the FBI really unlock ANY iPhone in existence?

According to Forbes, law enforcement agencies may be able to unlock many or most iPhones in use out there.

US media giant Forbes is making a bold claim: the FBI can now unlock every iPhone in existence.
Actually, that’s not exactly what Forbes said – the headline used the slang term “Feds”, referring not just to the FBI but to law enforcement in general and, by obvious association, to the world’s various intelligence services, too.
And, to be precise, Forbes put the word “probably” in the headline, too, neatly wrapped in brackets in a way that probably made the Forbes lawyers much happier.
So, according to Forbes, law enforcement agencies may be able to unlock many or most iPhones in use out there.

Is it true?

The company that caused Forbes to make this dramatic claim is one we’ve mentioned before on Naked Security: Cellebrite.
Cellebrite is headquartered in Israel, but owned by Suncorporation, a Japanese company broadly associated with video gaming and the pachinko industry. (A pachinko machine is a type of slot machine popular in Japan.)
You may recall that the FBI famously (or infamously, depending on where you stand in the phone unlocking debate) broke into the iPhone 5C of the dead San Bernardino terrorist and mass murderer Syed Rizwan Farook.
At first, no one quite knew how the FBI did it.
We speculated that there were several approaches the cops might have used:

  • Perhaps the passcode was 0000 or 2580, and the FBI got lucky?
  • Perhaps autowipe after 10 wrong guesses was off, so the FBI had more than 10 goes?
  • Perhaps the iPhone had enough unencrypted data left in RAM to help the investigation?
  • Perhaps the FBI could re-write RAM and flash storage to allow repeated guesses?
  • Perhaps the FBI purchased a zero-day vulnerability in iOS?
  • Perhaps the FBI recovered the code using fingerprint marks on the screen?

In the end, it seems that Cellebrite helped out in the San Bernardino case, in a phone hack that was claimed to have cost close to $1,000,000 in total, and that involved a system that worked only on a “narrow slice of phones,” apparently including the iPhone 5C but not the iPhone 5s or later.

What now?

Now, if Forbes is to be believed, Cellebrite has extended the range of phones it can successfully unlock, according to the company’s own marketing material:

Devices supported for Advanced Unlocking and Extraction Services include:
Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.
Google Android devices, including Samsung Galaxy and Galaxy Note devices; and other popular devices from Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE, and more.

Of course, Cellebrite isn’t openly promising that it can always get everything off the systems listed above, merely that those devices “are supported”.
And Cellebrite isn’t saying which sorts of device it’s willing to take a go at – newer ones generally have more secure hardware to enforce the security coded into the software.
You have to send the device to a Cellebrite office; it’s sent back unlocked, if possible – obviously, Cellebrite can’t guarantee to unlock any phone out there, not least because a confiscated device could, in fact, already be irreparably damaged.
But would Cellebrite go to the trouble of inviting law enforcement agencies to send “devices of interest” to a Cellebrite lab if it didn’t think it had a fair chance of getting in?
Does Cellebrite have an exploitable vulnerability up its sleeve that neither Apple nor the jailbreaking community has yet discovered?
Despite Forbes’s bullish (or bearish, depending on where you stand in the phone unlocking debate) claims, we simply can’t say.

What to do?

Let’s assume the worst – namely that Cellebrite does have a pair of iPhone and Android zero-day aces in the hole.
In a way, there’s some good news in that scenario: you can bet your boots (and your trendy phone case) that Cellebrite will go many miles out of its way not to let those zero-days become known, because they’re the geese that lay the golden purchase orders.
So, even if Cellebrite is willing to have a go at cracking phones, for a fee, your device still isn’t wide open to just anyone.
In other words, the following simple precautions are well worth taking:

  • Patch early, patch often. This can be tricky in the divided and inconsistent Android ecosystem, but it’s pretty easy in the iPhone world: when there’s an iOS update, install it right away. You’ll be protecting against plenty of new security holes that have recently been reported – and, who knows, if Cellebrite really does have a secret security hole of its own, sooner or later you’ll neutralise that one, too.
  • Use the longest phone lock code you can manage. A 10-digit lock code is a mild irritation for a while, but soon starts to feel like a virtuous and more secure choice than 4 or 6 digits – because it is.
  • Set the shortest lock period you can tolerate. A phone that automatically locks itself after a minute will annoy you from time to time, but it will annoy any prospective “hit and run” crooks (or mischievous friends and colleagues) a whole lot more.


7 Comments

Anyone want to place bets on when (nongovernment) crooks have this hack?
I want to say Monday, but hmm, Aug 11th 2018 at Defcon. I wager one normal snickers bar.

Reply

If you have very sensitive data (such as a government whistleblower would, or a journalist working with one) you have to assume no electronic device is impenetrable. Whether that is true or not, you have to assume it.
For most of us, long passwords, regular updates, etc., etc. are just fine. I just don’t want crooks getting my personal information. If the FBI or similar takes the time to break into and dig through my personal electronic data, they only have themselves to blame for wasting that bit of their life.

Reply

Which versions of iOS 11 are vulnerable? How is Cellebrite “determining” or “disabling” passcodes? They probably aren’t tinkering with chips if it only costs $1,500 to unlock an iPhone.

Reply

There’s no firm evidence that there’s an iOS 11 vulnerability here, zero-day or otherwise. Could be down to a range of different tricks depending on the iOS version – and exactly how much gets “unlocked” or “extracted” could depend on many factors, too. Also, that $1500 fee seems to be a “starting from $1500/your mileage may vary” figure.
We don’t know how Cellebrite charges for its services… if there’s some sort of “no win, no fee” option going on, then the company could fail more regularly than it succeeds and still run a business that’s profitable as well as satisfactory for the cops.

Reply

Why not ask Apple why they are using Cellebrite technology in their stores to suck out and transfer data from older iPhones when a client is upgrading to a new one? I just happened to notice the name on the device, and asked the Jeaniest, “Hey isn’t that the same Israeli tech company that hacked the San Bernardino shooter’s phone?” And he said, “Huh? Oh yeah, I guess so.”
Anybody see a conflict of privacy-based influence here?

Reply

Long passcodes are really important. The nice thing is that you don’t have to mess with the alphanumeric keyboard if you don’t want to. If you create a passphrase that is only digits, you will be presented with the (much easier to use) numeric keypad, but with an “ok” button so you can enter as many digits as you want.
Don’t think you can remember a really long code? Pick 4 digits and repeat them a few times to make a 12- or 16-digit passphrase (e.g. 1234123412341234) or maybe reverse some (1234432112344321) or double them up in some other easy-to-remember pattern (1111222233334444). These will be easy to remember and will take a very long time for a brute-force attack to discover.
If your mind is more spatially oriented, drawing patterns with the PIN is also a good way to make a long code that’s easy to remember. For example, an X overstruck with an O (159357123698741) is 15 digits, but trivially easy to key in as long as you remember the shape. Draw the letters of your first name to get something truly huge but easy to remember.
The only downside to this approach is that it may take too long to type in a 50-60 digit passphrase. But that’s where Touch ID helps – now you only need to type it in once every few days.

Reply

FWIW, Apple won’t let you choose oft-repeating passcodes even if they are enormously long. I just tried to set mine to 12341234…1234 (about 10 repetitions for a 40-digit length) and iOS said, “No. Too easy to guess.”

Reply
