
Quote from The New York Times:

The Justice Department said Monday that it had found a way to unlock an iPhone without help from Apple, allowing the agency to withdraw its legal effort to compel the company to assist in a mass-shooting investigation.

How was it done? Is this some undisclosed 0-day, or brute force, or was it done through direct hardware access?

Moshe Katz
Evgeniy Chekan
  • There are plenty of articles on different ways they could do it. It was very obvious that they could unlock the device from the beginning and that this was very politically motivated for potential mass surveillance: https://www.aclu.org/blog/free-future/one-fbis-major-claims-iphone-case-fraudulent – d0nut Mar 28 '16 at 23:11
  • @iismathwizard: That's speculation, bordering on conspiracy theory. Hardly "very obvious". – Lightness Races in Orbit Mar 29 '16 at 12:57

1 Answer


[Update #2]

According to the Washington Post, sources familiar with the matter have stated that the initially suspected collaboration with Cellebrite is not how the data from the encrypted iPhone was recovered. Instead, an unknown security vulnerability, purchased from "professional hackers", was used to prevent the phone from erasing its data and from slowing down the passcode check. This would mean that the FBI probably brute-forced the passcode once those iPhone security measures had been deactivated.

https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html

@Gandalf brought to our attention that the DOJ has now confirmed they successfully accessed the iPhone 5C and can indeed access any iPhone 5C running iOS 9 this way: http://money.cnn.com/2016/03/28/news/companies/fbi-apple-iphone-case-cracked/index.html

There is a good article about the current known facts here: http://www.bloomberg.com/news/articles/2016-03-28/u-s-drops-apple-case-after-successfully-accessing-iphone-data-imcj88xu

The official declined to provide any details, such as what was on the phone, the identity of the third party or how the method worked. The official also declined to say whether the U.S. will give Apple details about the hacking method.

According to other news reports, the FBI decided to go with a company that stated it could unlock the phone for them, something that had been suggested to be possible for a while. They did not specify which company / third party is going to do this, but several articles suggest it's an Israeli company named "Cellebrite":

Original Report: http://www.ynetnews.com/articles/0,7340,L-4782246,00.html

http://www.theverge.com/2016/3/23/11290374/apple-iphone-fbi-encryption-crack-cellebrite

http://www.reuters.com/article/us-apple-encryption-cellebrite-idUSKCN0WP17J

Speculation suggests that NAND mirroring was used to gain access to the device memory and copy everything to another device, but at this point the exact how-to is not publicly known.

This article also found a recent contract reference between that company and the FBI: http://www.macrumors.com/2016/03/23/fbi-israeli-firm-cellebrite-to-unlock-iphone/

They also speculate about a microchip attack and brute-forcing the passcode once the data has been extracted from the device, but the company is likely going to remain very quiet about the exact "how-to" and so will the FBI for obvious reasons.

[Update #1] The EFF has published a statement that suggests any used security vulnerability might be reported to Apple, if the FBI was to follow the guidelines that the EFF had previously acquired through a freedom-of-information lawsuit: https://www.eff.org/deeplinks/2016/03/fbi-breaks-iphone-and-we-have-some-questions

Chris
  • CNN is reporting "The FBI has now successfully retrieved the data stored on the San Bernardino terrorist's iPhone..." – DOJ spokesperson – Cascabel_StandWithUkraine_ Mar 29 '16 at 00:37
  • I updated the answer according to your suggestion, but they still didn't specify how they actually did it. – Chris Mar 29 '16 at 01:06
  • *"probably reading out the passcode from there"* This would seem to suggest the device stores the passcode itself, versus a hash or something, which seems unlikely. Is there anything to backup this speculation? Unless poorly designed, I would think it would still need brute-forcing. – Alexander O'Mara Mar 29 '16 at 04:50
  • @AlexanderO'Mara yes, poor wording on my part - I was thinking about what John McAfee was saying when writing that: http://www.theinquirer.net/inquirer/news/2449330/john-mcafee-unlocks-an-iphone-and-does-not-eat-a-shoe – Chris Mar 29 '16 at 04:56
  • How hard would it be to brute-force, e.g., cracking a 4-digit passcode? or is there more to it? – C. Kelly Mar 29 '16 at 12:34
  • @C.Kelly there is more to it than that at the base level, because the phone would wipe itself after a certain number of tries. You would have to prevent this behavior, without affecting the data on the phone - which is harder than it sounds, apparently, given the FBI's request for Apple's help. If they pulled off the NAND mirroring as Chris has speculated, they would most likely then be able to guess at the password without using the original phone itself, eliminating the risk of losing all the data suddenly. – Jake Mar 29 '16 at 12:54
  • @Jake The phone actually doesn't wipe all its data, it wipes the section holding the decryption key. If you can copy that section, you could put it back every 10 (incorrect) PIN attempts. Of course, it'd be "easier" for the FBI if they could copy the necessary memory info to other devices and test PIN codes on those devices – BlueCacti Mar 29 '16 at 13:27
  • @GroundZero very interesting, thank you! I do wonder how easy it is to write to the section of memory where the decryption key is stored using outside tools, although I'm sure someone at the FBI thought of that question before me... – Jake Mar 29 '16 at 13:35
  • Given that it was a third party that unlocked the iPhone, and not the FBI themselves, I wonder if the FBI is actually capable of disclosing the vulnerability that was used... – Ajedi32 Mar 29 '16 at 14:14
  • @Ajedi32 they probably made a contract that specifically prevents the FBI from sharing this information – Chris Mar 30 '16 at 15:10
  • A one time thing indeed as they start cracking other phones immediately! For the sake of the FBI, but perhaps not citizens, let's hope they're smart enough to disable auto-updates on those phones! – Dave Mar 31 '16 at 18:11
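The answer's description of a vulnerability that stops the phone from erasing its data and from slowing the passcode check, together with BlueCacti's point that the wipe only destroys the region holding the key, reduces to one design question: can the retry state be rolled back? The Python model below is an added example and is not code from the original post, from Apple or from any forensic vendor. It assumes PBKDF2 as a stand-in for the device key derivation, a constructed salt in place of the per-device UID, a toy pair of storage backends (`CopyableStorage`, `MonotonicStorage`) that I made up for the demonstration, and an 80 ms-per-guess cost taken from Apple's published iOS Security Guide calibration and used here purely as an assumption.

```python
"""Toy model of passcode-guess limiting (constructed for illustration).

The retry counter and a verifier for the data key live in a storage backend:
  * CopyableStorage  - a flash region that can be imaged and written back
  * MonotonicStorage - a counter in tamper-resistant hardware that refuses rollback
The model shows why a wipe-after-N-tries policy only holds when its state
cannot be restored from a backup, and how much a calibrated key derivation
slows an exhaustive search of each keyspace.  Nothing here talks to a device.
"""
import hashlib
from typing import Optional, Tuple

WIPE_AFTER = 10                    # incorrect attempts before the key is destroyed
KDF_ITERATIONS = 2_000             # kept small so the demo runs quickly (assumption)
SECONDS_PER_GUESS = 0.08           # assumption: ~80 ms per attempt, the figure
                                   # Apple's iOS Security Guide gives for its KDF
SALT = b"constructed-demo-salt"    # constructed; a real device tangles in a UID


def derive_key(passcode: str) -> bytes:
    """Stand-in for the device's slow, hardware-bound passcode derivation."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, KDF_ITERATIONS, 32)


class CopyableStorage:
    """Effaceable region modelled as plain values: snapshot and restore both work."""

    def __init__(self, verifier: Optional[bytes], attempts: int = 0):
        self.verifier = verifier   # hash of the derived key; None once wiped
        self.attempts = attempts

    def snapshot(self):
        return type(self)(self.verifier, self.attempts)

    def restore(self, snap) -> None:
        self.verifier, self.attempts = snap.verifier, snap.attempts


class MonotonicStorage(CopyableStorage):
    """Same data, but the counter only moves forward: rollback is refused."""

    def restore(self, snap) -> None:
        raise PermissionError("monotonic counter cannot be rolled back")


class PasscodeGuard:
    """Checks guesses, counts misses and destroys the key after WIPE_AFTER misses."""

    def __init__(self, passcode: str, storage_cls=CopyableStorage):
        self.storage = storage_cls(hashlib.sha256(derive_key(passcode)).digest())

    def try_unlock(self, guess: str) -> str:
        st = self.storage
        if st.verifier is None:
            return "wiped"
        if hashlib.sha256(derive_key(guess)).digest() == st.verifier:
            st.attempts = 0
            return "unlocked"
        st.attempts += 1
        if st.attempts >= WIPE_AFTER:
            st.verifier = None         # key material gone; data is unrecoverable
            return "wiped"
        return "wrong"


def exhaustive_search(storage_cls, passcode: str = "0042") -> Tuple[str, int]:
    """Try every 4-digit code in order, writing back a pre-attack image whenever
    one more miss would trigger the wipe.  Returns (outcome, guesses used)."""
    guard = PasscodeGuard(passcode, storage_cls)
    image = guard.storage.snapshot()          # taken while the device is intact
    for n in range(10_000):
        outcome = guard.try_unlock(f"{n:04d}")
        if outcome != "wrong":
            return outcome, n + 1
        if guard.storage.attempts == WIPE_AFTER - 1:
            try:
                guard.storage.restore(image)  # succeeds only on copyable state
            except PermissionError:
                pass                          # hardware refused; next miss wipes
    return "exhausted", 10_000


def worst_case_hours(keyspace: int) -> float:
    """Upper bound on search time when only the KDF cost slows each guess."""
    return keyspace * SECONDS_PER_GUESS / 3600


if __name__ == "__main__":
    print("copyable :", exhaustive_search(CopyableStorage))
    print("monotonic:", exhaustive_search(MonotonicStorage))
    for label, size in (("4 digits", 10**4), ("6 digits", 10**6), ("6 alnum", 62**6)):
        print(f"{label:9s} worst case {worst_case_hours(size):,.1f} h")
```

With the copyable backend the search finishes, because the counter is written back before the tenth miss; with the monotonic backend the tenth miss destroys the verifier and the search ends. That is the whole point of keeping the retry counter, the escalating delays and the key-wrapping state inside tamper-resistant hardware rather than in flash that can be imaged: once the limiter is gone, the KDF alone bounds a 4-digit search at minutes and a 6-digit search at under a day, which is why longer alphanumeric passcodes are the user-side mitigation.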