The FBI is pressing Apple Inc. to help it break into a terrorist’s iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics.
Investigators can exploit a range of security vulnerabilities — available directly or through providers such as Cellebrite and Grayshift — to break into the phones, the security experts said.
Mohammed Saeed Alshamrani, the perpetrator of a Dec. 6 terrorist attack at a Navy base in Florida, had an iPhone 5 and iPhone 7, models that were first released in 2012 and 2016, respectively. Alshamrani died and the handsets were locked, leaving the FBI looking for ways to hack into the devices.
“A 5 and a 7? You can absolutely get into that,” said Will Strafach, a well-known iPhone hacker who now runs the security company Guardian Firewall. “I wouldn’t call it child’s play, but it’s not super difficult.”
That counters the U.S. government’s stance. Attorney General William Barr slammed Apple on Monday, saying the company hasn’t done enough to help the FBI break into the iPhones.
“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements,” President Donald Trump wrote on Twitter Tuesday.
The comments add to pressure on Apple to create special ways for the authorities to access iPhones. Apple has refused to build such backdoors, saying they would be used by bad actors, too.
Indeed, Strafach and other security experts said Apple wouldn’t need to create a backdoor for the FBI to access the iPhones that belonged to Alshamrani.
Neil Broom, who works with law enforcement agencies to unlock devices, warned that the software version running on the iPhone 5 and iPhone 7 could make it more difficult to break into the handsets. But it would still be possible.
“If the particular phones were at a particular iOS version, it might be as easy as an hour and boom, they are in. But they could be at an iOS version that doesn’t have a vulnerability,” he said.
On Tuesday, a Department of Justice spokesman said he didn’t have any update on the government’s efforts to unlock the device. Apple referred to comments it made on Monday.
Still, new vulnerabilities and exploits are uncovered all the time. Apple and security firms such as Cellebrite play a cat-and-mouse game nowadays. The iPhone maker releases a new device or a new version of its iOS operating system that locks everything down. Then security firms and researchers start probing, and often find ways to hack into the handsets after several months. Those exploits sometimes turn into tools that the FBI and police can use to access data on iPhones.
Broom said U.S. agencies work with security firms, including Cellebrite, that would “bend over backwards” to help the government in hopes of winning big contracts.
“Our technology is used by thousands of organizations globally to lawfully access and analyze very specific digital data as part of ongoing investigations,” Cellebrite, owned by Japan-based Sun Corp., said in a statement. “As a matter of company policy we do not comment on any ongoing investigations.” In 2016, Bloomberg News reported that Cellebrite helped the FBI break into an iPhone belonging to a shooter behind an attack in San Bernardino, California. The company has declined to confirm its participation.
GrayKey is offered by Grayshift, a firm based in Atlanta that counts former Apple software security engineer Braden Thomas among its staff. Grayshift didn’t respond to a request for comment on Tuesday.
A new security flaw known as “Checkm8” affects chips in iPhones released between 2011 and 2017, according to Strafach and other researchers. That includes the iPhone 5 and iPhone 7.
“With the Checkm8 vulnerability, you should be able to get a forensically sound image of the file system, unless they had a crazy long passphrase,” Strafach said.
The iPhone 7 includes the Secure Enclave, a dedicated chip for storing fingerprint data and other sensitive information on the device, but even that could be breakable, he said.
“It’s simply a question of whether the government will pay a contractor to get into these phones,” Strafach added. “If it can’t be done with the Checkm8 vulnerability, they can pay a contractor to do it.”
The Checkm8 flaw may support updated hacking tools from Cellebrite. The Israel-based company offers a “UFED Physical Analyzer,” a special “Touch2” tablet and software for PCs called “4PC” to law enforcement agencies and other customers. That all costs about $15,000, according to Broom. There’s often an annual maintenance fee of more than $4,000, too, Broom said.
The FBI would likely also need other tools to unlock the iPhones, such as Grayshift’s GrayKey or Cellebrite Premium, a special on-premises service for law enforcement agencies. Those could cost $100,000 to $150,000, according to Broom.
“They already have these tools around the country. So they wouldn’t be paying anything more to break into these phones, they could just be waiting for a certain exploit like Checkm8 to become available,” Broom said.
On Monday, Apple said it has provided “all of the information” it has related to the device, via internet-based services such as iCloud.
However, some data of potential interest to the FBI would only be available on the iPhones. For instance, iMessage texts are encrypted when stored in the cloud, but they are often readable on the devices.
This won’t end the standoff between the FBI and Apple, though.
It is becoming more difficult for firms like Cellebrite to hack into iPhones as the devices get more sophisticated, said Yotam Gutman, marketing director at cybersecurity company SentinelOne.
Breaking into an iPhone 11, the latest Apple smartphone, would be a lot harder, if not impossible, Strafach said.
With assistance from Gwen Ackerman and Amy Thomson.