An Israeli tech firm is reportedly helping the FBI open encrypted iPhone

Igor Bonifacic

March 24, 2016 10:03am

On Monday, just hours after Apple’s iPhone SE reveal, the U.S. Department of Justice moved to postpone its looming trial with the tech giant. In a surprising turn of events, court documents filed by the DoJ revealed an unnamed third party had potentially provided the Federal Bureau of Investigation with a way to access data stored on the iPhone 5c used by Syed Rizwan Farook, one of the perpetrators of the San Bernardino shooting, without the help of Apple.

A new report published by Israel’s Yedioth Ahronoth claims CelleBrite, a tech firm that specializes in providing software for extracting data from mobile devices to governments, militaries and intelligence agencies, is the unnamed third party mentioned in the DoJ’s court filling. Citing unnamed sources with the encryption industry, the publication says the FBI won’t need Apple’s help to access the iPhone in question should CelleBrite prove successful in extracting the data found on the smartphone’s solid-state drive.

Both CelleBrite and the FBI have yet to confirm they’re working together to break open the phone. However, should Cellebrite prove successful, it likely means this particular battle between the FBI and Apple will come to quick close — at least for the time being.

That said, the question remains — why did the FBI not approach a firm like CelleBrite, or another federal agency like the National Security Agency, as soon it acquired the iPhone 5c used by the shooter in the San Bernardino attack? One strong possibility is that the U.S. government wanted to create a precedent where it could force other tech companies, not just Apple, to create backdoors to their products and services. However, both changing public opinion a recent court loss may have forced the FBI to reconsider its options.

In a similar case to the one California, a New York judge ruled the FBI could not use the All Writs Act to legally force Apple to help the agency break into an iPhone. This is the same law the FBI had called upon in its case against Apple in San Bernardino.

  • Mo Dabbas

    The same company is used by the Israeli military and intelligence….. Which tells a lot how good Cellebrite people are.

    What sucks is that they’ll keep it a secret (how they accessed the phone) which means there is a backdoor already in iOS that needs to be patched. But if they didn’t tell apple, that backdoor can remain there for some time. Hope (if it’s true) this method doesn’t get in the wrong hands.

    • Unorthodox

      I think you’re confusing “backdoor” for “security hole”. You’re using one term, but mean another.

    • Mo Dabbas

      True. Early morning typing.

    • El Capitan Morgan

      Could it be possible that it is simply a security hole that Apple have already patched in iOS 9.3?

    • Mo Dabbas

      Everything is possible

    • It’s Me

      I wouldn’t call it a backdoor. What it apparently is is a way to prevent the phone from bricking after x attempts at the passcode. And far from trivial.

      The process described by UCLA technology fellow Daniel Kahn Gillmor uses a technique called NAND mirroring to copy the portion of the phone’s memory that counts the number of passcode attempts entered. By continually restoring the copy, the FBI could thereby circumvent the limit on the number of passcode guesses that can be made before the device is rendered permanently inaccessible.

      Another, more risky – not to mention laborious – method is an invasive microchip attack known as “de-capping”. This involves removing and de-capsulating the phone’s memory chip, carefully drilling down into it using a focused ion beam to expose the portion of the chip containing the target data (in this case, the iPhone’s unique ID and passkey algorithm) and then probing it, micron by micron, to extract the information.

      The latter could then be used in an off-device “brute-force” attack on the passcode that would be able to try all possible combinations without running up against the iPhone’s guess limit.

      Far easier than some previous holes on other platforms that requires just a freezer.

    • If this is true, I have one question… why is the error count accessible in memory, why is this count not stored in the secure enclave where it cannot be altered only queried? If done right the secure enclave could be queried for the count for display on a screen, change that number all you want for display but the count will still remain correct in the chip. If a wrong guess is made that would be determined inside the secure enclave. it would internally increment the count by one leaving no way for someone to circumvent it. Except for melting the protective coating off the chip which is designed to melt at a temperature that would destroy the chip.

      I am guessing if this is not how it is currently done that Apple will move this inside the chip so that you cannot hijack it via this method.

    • It’s Me

      A counter, by its nature, changes, so it cannot be a read-only store. Your idea might work but it would require that the SE to do calculations instead of just acting as a store. I am not familiar enough with their SE to know whether it can do calculations (even something minor like a counter) or if it just a store. And if the SE could do the calculations and it was responsible for keeping the counter of errors, it would also have to be told when a successful login was made so it could reset it’s counter, which would be yet another avenue for cellebrite to explore, how to force it to reset it counter after every failed attempt.

      To me, it is more likely that Apple will look for a way to validate the integrity of the counter, perhaps using the SE.

    • I not as familiar enough either to be honest… But when you type in you pass phrase really all it is doing is using it as salt with the SE and then validating that against a spot on the drive trying to decrypt it, So I believe the SE is the one that does the verification yes no for the pass phrase working and send the result to the OS pass/fail.

      This is the only way really to guarantee that there is no way it could be altered like you said (Chain of trust) or else how can you verify it is legit. Unless you take the count pass it through the SE and store that on the drive but all you have to do is access that part of the drive and then just keep writing it back just like they are doing for the memory..

      It will be interesting to see what they do!

    • RagnarokNCC

      My understanding was that the counter in the older iPhones reset when the phone did. More recent models moved the counter inside the security enclave and backed the counter with a battery, so it persists through resets. I don’t remember which precise model was responsible for the update.

    • Mo Dabbas

      The methods that Cellbrite would use (that’s if the FBI is working with them) is not announced. Putting a random guy’s opinion how to do it doesn’t mean it’s the way.

    • It’s Me

      It’s pretty much confirmed. $15K

    • gommer strike

      Cellebrite is using a method to copy the NAND storage of the iPhone and then doing multiple PIN tries against that copy. When all the tries are used up – they just recopy it over, so on and so forth.

      It involves very specialized software/machinery and it’s not just anything the average joe can cook up. Which in the end proves the time-tested theory:

      Want to compromise a device? First, physically get the device…

    • Mo Dabbas

      Cellebrite declined to comment that they are working with the FBI. Do you really think they would give the way to access that iPhone?
      That NAND storage thing is what tech individuals are suggesting. I read if the FBI did that it’ll take long time and the time the court gave them to make a decision would not be enough.

      My point is, if Cellebrite is really working with apple, and if the FBI managed to access the phone, we will never know how they did it which isn’t good as apple won’t be able to identify it and patch it.

    • gommer strike

      That’s not my understanding. It’s all but confirmed that Cellebrite is working closely with the FBI on this. Now the method I mentioned will not unlock the phone all that quickly – it’ll still take a matter of weeks to do(another great reason for the court hearing to be delayed, in the amount of time that it is).

      As for using whatever unknown exploit – they won’t tell Apple, because this is their livelihood – they need to keep these secrets under wraps because that’s how they make their money(this stuff’s worth millions of dollars). It’s bad in general for all of us, but at least the damage is contained, because Cellebrite won’t tell anyone(besides the FBI anyways) on how they’re doing it.

      If it’s using specialized tools – which is what I expect it would be – then once again, it isn’t something anyone off the street can do with a circuit board and soldering iron. But as a I said – to compromise the phone…first…you need the phone in front of you.

      Now if this was remote compromise then holy crap that’s serious.

    • Mo Dabbas

      The first time I read about the NAND thing was from Snowden about 2-3 weeks ago. It’s not something that suddenly wowed people. The idea has been out there and there is a reason why it has not been done (takes long time).

    • It’s Me

      Of course it takes a long time. And what they were asking apple to do would take just as long if Apple started helping. The part that takes a long time is brute forcing the passcode. What they needed help with was preventing the counter from bricking the phone between their millions of attempts.

    • gommer strike

      It takes a while yeah. But with today’s fast computing, what would have taken months once upon a time, is shaved down to weeks. A few weeks isn’t too bad, and had they started this from the beginning – they would cracked open the phone by now.

    • Ali F.

      I don’t think so. The best security technique is “cost”. If it costs “years” and “millions” then it is secure. Most of security solution, focuses not on making cracking impossible, since this is impossible, but to make it very very costly in terms of time and effort.

  • This whole case seems like some sort of whacky publicity stunt. First Apple is the white knight and refuses to unlock any of its phones anymore, even for older OS versions. Now the FBI knows a “secret” way in and might be required to help Apple patch the hole without any of it being made public.

    What next? Will Google step in and stop IS with Fiber and Google maps?

    • Mo Dabbas

      From what I read apple was loosing the case either way. Maybe they reached an agreement with the FBI so that their reputation won’t be damaged. You never know at this point.

    • That’s what I think as well. Because the other phones Apple is protesting run on a version of iOS that they used to and can breach no problem.

      I think this was just blown up to be something it didn’t need to be and will end the way it always does. The government wins

    • ciderrules

      You’re dreaming. Apple already won the New York All Writs Case. And this was on an iPhone running iOS 7, which is much easier (and therefore, less of a burden to Apple) to crack.

      Virtually everyone outside of a few whacko politicians and the liars at the FBI were on Apple’s side. This includes Apple competitors like Google or Microsoft. Mainly because they aren’t children and hope Apple loses just because they don’t like Apple (which is where the few remaining supporters of the FBI come from).

    • Mo Dabbas

      a terrorist attack with numerous victims is on a massively whole different level than a drug dealing case where the dealer is alive and confessed he did it.

    • Mr Dog

      I don’t think there was any real indication of who was winning at all. The FBI was just making a number of threats.

      If the FBI was in fact winning, they wouldn’t have gone this route. If they won the suite they would have set a huge precedent that would have resulted in all future request a lot easier.

    • Mo Dabbas

      you are right about that. I had that impression from Cook’s words on Monday. But you are right. there was no real indication who was winning.

  • LOL I wonder if Apple will turn around and take the FBI to court to tell Apple how they unencrypted the phone citing national security reasons LOL

    • It’s Me

      Apparently, if the FBI pursues both the Cellebrite option and pushing Apple, Apple has requested exactly that. Which is likely why the FBI is asking to pause their case with Apple.

  • Andrew English

    They will likely hand over the encryption keys to the FBI and NSA. 🙂

    • It’s Me

      We’re not talking about MS and Google. 😉

    • To be fair, they don’t just hand it over. They send it by special delivery via FedEx

  • ciderrules

    Guys, they aren’t cracking the encryption on the phone.

    What this company does is to physically desolder the NAND flash memory from the iPhone and make an exact copy. Then they try their PIN unlocks on the iPhone. If the iPhone erases the data after 10 tries, they use the copied NAND flash to re-write the one on the iPhone (essentially a mirror copy) and repeat. This way they can keep trying over and over without fear of erasing the contents.

    They could also try to decrypt the contents they copy off the NAND, but it would be quicker to just keep trying the PIN over and over as decryption could take years.

    • Mo Dabbas

      1) Cellebrite didn’t even admit they are working with FBI…. what makes you think they’d tell how they are doing it.
      2) It’ll take a very long time that the FBI doesn’t have. The court gave them a specific time frame to confirm if they wanna proceed with the hearings or not. This method will take longer than that.

    • It’s Me

      No but the US government website shows that the FBI just signed a contract with Cellebrite. Not sure why you keep repeating that chestnut.

      And for how long? Of course it takes along time. That’s a given. Another sad chestnut. These is no reason to think this will take any longer than what they were looking for from Apple. Both the Apple solution they were seeking and what Cellebrite can provide gives them the same thing, which is access to brute force the passcode. duh.

      You seem focused on things that really aren’t based in fact and/or don’t demonstrate what you think they do.

  • Jason

    Its going to be funny in a month when they announce that they spent all this time trying to crack this phone and it has nothing of value on it. Also working in the tech industry you learn quickly that nothing is hack proof, only hack delaying.

  • heynow00

    They found the side door.

    • Mo Dabbas

      Be aware, that’s what I said in the comment and look at the massive defensive team that came running to protect apple.

    • It’s Me

      Nobody came running to protect anyone. They correct or adde context to your kneejerk comment.

    • Mo Dabbas

      Corrected me with what? With methods that’s been mentioned by Snowden 3 weeks ago? And you’re love to apple is so blind that you confirmed its the way there doing and closed that chapter even if the information is so scarce about this and nobody even confirmed anything. neither the method nor the oarties involved are confirmed. Get over with this already

    • It’s Me

      Umm, are you drunk or high? What does pointing out the most likely route have to do with loving Apple? That’s gotta be one of your stupidest comments so far. Know why Snowden suggested it? Because he worked in the field and felt that was the most likely method. That doesn’t mean it easy nor fast nor that the FBI had the know how in house. Duh.

      Educated people, people that know about this type of technology feel this is the mostly likely route. The concept of it being Cellebrite is even more supported by the fact that the FBI just signed a contract with them the same week the announced they found a poissible alternate method that wouldn’t require Apple.

      You may not like what educated people are theorizing as the most likely method. You may not like that the evidence points to Cellebrite doing it for them. But pointing that out and breaking your uneducated fantasy of their being a mythical backdoor might burst your bubble, but that’s too damn for you, suck it up.

    • Mo Dabbas

      Haha. You’re arguments always ends up the same. Once you’re facing reality you jump with insults. Just ask apple for marriage and get it over with.

    • It’s Me

      Seriously? Instead of trying a rational, intelligent discussion, you jump straight to “you disagree with me because you love Apple”. That’s just stupid. It is, very simply, an argument from ignorance and one you always go to when you know you have no point (frequent). If you make a stupid comment as a response to a polite correction, I see it as you throwing a tantrum and yeah, I will call out your stupidity on the matter.

      Facing reality? That’s what I tried to do for you…show you the ignorance of you position. Because it is clearly ignorant. Your reponse reverts to “but, but, but, you just love Apple so I must be right”.

    • Mo Dabbas

      No. I didn’t bother coz at this point there no reason to argue with you. Your blind love will be defending apple till forever. I don’t have the time, nor care that much to keep on going, what’s FBI is doing with that phone.

    • It’s Me

      Thanks for proving my point about you. Facts and common sense don’t matter to people like you. And anyone that disagrees with you or shows how poor your reasoning is or how unjustified your position is, well it must be because they love Apple.

      Must be nice to have such a simplistic mind set.

    • Mo Dabbas

      No, I read blogs in my free time. People like me have jobs that matter. The methods they unlocking some iphone and what the FBI is doing with a phone doesn’t matter for my everyday life. I don’t live in the states to care about privacy laws there. And I don’t love or hate a company to spend my 9-5 defending it.
      I’m done from this. It’s getting boring and I don’t want to waste more time with it. Bye for now.

    • It’s Me

      And yet you have time to make uneducated comments and defend them with weak accusations when corrected..all. day. long.

    • Mo Dabbas

      seems you have a problem viewing your opinions as facts. your opinion is an opinion and you clearly can’t tolerate others opinions. You see, that’s not the fault of the other person.

      and “politely corrected your ignorance”? lol, really??

    • It’s Me

      Nope. I post facts as facts. And I posted educated opinion from educated experts. Your “theory” was as well founded and well thought out as if you’d it was a magic wand.

      And yeah, all responses to you were polite. Until you got pissy and started imaging some conspiracy of people defending Apple. Although it wasn’t clear what in your posted needed defending from. No one need defending from stupidity.

    • Mo Dabbas

      haha. no it was actually when I announced your love to apple. That seems to piss you off for some reason. lol

      Whatever makes you happy buddy.

    • It’s Me

      Only because it showed that you quickly decided you had no point. Fairy wands buddy.

    • ciderrules

      Funny when the troll/child starts to play the victim. It’s pretty clear you don’t have an actual argument to make, except to state Apple is wrong and anyone who says anything in support of Apple has to be an Apple fan.

    • Mo Dabbas

      Nice job it’s me. Another account to support your argument with more insults.

      I never said who’s wrong and who’s right. Now you’re making things up. Go read my comments again since you clearly didn’t.

    • It’s Me

      That’s not me. I find anyone that makes extra accounts simply time to open a vein type of pathetic. So, uh, yeah, no, that’s not me. Just someone else that sees how weak your response if.