Cellebrite can unlock any iPhone (for some values of “any”)
Cellebrite—the Israel-based forensics company that has been a key source for law enforcement in efforts to crack the security of mobile devices to recover evidence—has reportedly found a way to unlock Apple devices using all versions of the iOS operating system up to version 11.2.6, the most recent update pushed out to customers by Apple. The capability is part of Cellebrite's Advanced Unlocking and Extraction Services, a lab-based service the company provides to law enforcement agencies—not a software product.
But security experts are dubious of any claim that Cellebrite can defeat the encryption used by iOS to protect the contents of Apple devices. Rather, they suggest Cellebrite's "Advanced Unlocking Services" may have found a way to bypass the limits on PIN or password entry enforced by interfering with the code that counts the number of failed attempts—allowing the company's lab to launch a brute-force attack to try to discover the passcode without fear of the device erasing its cryptographic key and rendering the phone unreadable. With a sufficiently secure password, it would be nearly impossible for the technique to recover the contents of the device.
Forbes' Thomas Fox-Brewster reports that a Cellebrite spokesperson confirmed the claim, first found in leaked Cellebrite marketing material, stating that "Cellebrite can retrieve (without needing to root or jailbreak the device) the full file system to recover downloaded emails, third-party application data, geolocation data, and system logs. Agencies can either provide the device already unlocked, furnish the known passcode, or use Cellebrite's Advanced Unlocking Services to unlock the device."
Previous methods for disabling the limits on PIN or password attempts have involved manipulation of the iPhone's hardware. In 2016, Cambridge University computer scientist Sergei Skorobogatov demonstrated that, by removing and mirroring the NAND (flash) memory chip of any iPhone up to the iPhone 6 Plus, he could put in place a replacement memory chip that allowed him to reset the counter for passcode tries. However, hardware changes in the iPhone 5s (with the A7 chipset) and later devices made this sort of attack much more difficult, if not impossible, because of the Secure Enclave Processor (SEP), a dedicated security processor that runs its own operating system and manages the PIN verification. The SEP encrypts the PIN using its unique UID.
Cellebrite is not revealing the nature of the Advanced Unlocking Services' approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite's attack method may be blocked by an upcoming iOS update, 11.3.
"That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts," Guido wrote in a message to Ars. "That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue."
Regardless of the approach, Cellebrite's method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.
"The long and short of it is that your passcode is required to unlock your phone." Guido said. "Cellebrite cannot magically discover your passcode. They can bypass all the counters and lockouts, but, at the end of the day, they need to brute force your passcode. It can be easy, if you don't have one set or it is only four digits, or it can be difficult, if you set a complex passcode with letters and numbers. As long as your passcode is a sufficient length, then Cellebrite will spend forever trying to brute force it without success."