By Eric Beasley
While I am sure most of my readers have not been patiently yet eagerly waiting for more news about that controversial iPhone 5C that the FBI desperately wanted decrypted, it looks like some answers have finally made it into the public eye.
I’ll be the first to say that my assumption about Cellebrite, the Israeli IT security company, being behind it was completely wrong. I was right about the FBI not having the ability to do a machine-code level analysis of the device and pull the password directly from the internal phone chips.
As reported by the Washington Post:
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.
Tech Talk: We call these software flaws 0-day vulnerabilities. They are an attack vector unknown to the vendor that can be used to penetrate a computer device or system. To be blunt, I have absolutely no idea what the 0-day vulnerability could be, and anything that I say would be an absolute guess and postulation. If I had to bet a dollar, I'd say that the professional hackers identified some function input that a locked iPhone 5C will accept regardless of the device state (locked, unlocked, etc.). From there, they probably identified a buffer overflow, meaning that the length of the input is not checked and extra code can be injected into device RAM. That injected code changed the operating system of the phone as it exists in RAM, thus disabling the lock screen and bypassing Apple's security features.

I would also be comfortable making a further postulation. Usually, iPhones do not accept computer input when they are behind a lock screen. Try it: plug your iPhone into your computer while the screen is locked. You should not be able to access the files on your phone. Based on the report, I would say that the hackers found a way around the lock screen.

For my last safe postulation, I expect whatever vulnerability they found to be discussed at the upcoming Black Hat and DEFCON conferences. Why? These conferences are a hacker's playground. For many years now, Juice Jacking has been a common prank attendees play on each other: setting up a fake "phone charging station" that actually steals your phone's files. If there is a way to bypass the iPhone lock screen and take the files off your phone, I bet we will see this happen at the conference, which should give us a lot more insight into how this phone was unlocked.
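The buffer overflow described above comes down to one missing step: the code that receives input trusts the length it is handed and copies into a fixed-size buffer without comparing the two. The following is an added illustration written for this post, not code from the original article or from Apple; the `struct cmd` record, the `handle_cmd_*` functions and the sample inputs are all constructed and hypothetical. It places an unchecked copy beside the hardened version so the difference a defender looks for in review is visible in a few lines.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 16

/* Constructed model of a device-side command record (hypothetical, not an
   iOS structure): a fixed-size payload buffer sits next to state that the
   rest of the code trusts. */
struct cmd {
    char payload[CMD_MAX];
    int  locked;          /* 1 = lock screen engaged */
};

/* "Before": the length supplied with the input is trusted. If len exceeds
   CMD_MAX the copy runs past payload into whatever follows it in memory,
   which is the defect the post describes. Shown for contrast only; the
   demo below never calls it with oversize input. */
void handle_cmd_unchecked(struct cmd *c, const char *in, size_t len)
{
    memcpy(c->payload, in, len);
}

/* "After": the length is validated against the buffer before anything is
   copied, so oversize input is rejected and the record is left untouched.
   Returns 0 on success, -1 on rejection. */
int handle_cmd_checked(struct cmd *c, const char *in, size_t len)
{
    if (c == NULL || in == NULL)
        return -1;
    if (len >= CMD_MAX)          /* keep one byte for the terminator */
        return -1;
    memcpy(c->payload, in, len);
    c->payload[len] = '\0';
    return 0;
}

/* Returns 1 if the hardened handler accepts an input of this length. */
int accepts_len(size_t len)
{
    char buf[64];
    struct cmd c = { .payload = {0}, .locked = 1 };
    if (len >= sizeof buf)
        return 0;
    memset(buf, 'A', len);
    return handle_cmd_checked(&c, buf, len) == 0;
}

/* Drives the hardened handler with a well-formed and an oversize input and
   checks that the adjacent state survived. Returns 1 if everything behaved. */
int demo(void)
{
    static const char ok_input[]  = "PING";                             /* constructed */
    static const char big_input[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes, constructed */
    struct cmd c = { .payload = {0}, .locked = 1 };

    int r1 = handle_cmd_checked(&c, ok_input, strlen(ok_input));
    int r2 = handle_cmd_checked(&c, big_input, strlen(big_input));

    return r1 == 0 && r2 == -1 && c.locked == 1 && strcmp(c.payload, "PING") == 0;
}

int main(void)
{
    int ok = demo();
    printf("hardened handler behaved as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the comparison is that the only state the hardened handler needs is the size of its own buffer, which it already knows; the check costs one comparison and turns an out-of-bounds write into an error return that the caller can log. Reviewers auditing input handlers, whether on a phone or a server, are looking for exactly the gap between these two functions.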
What does this mean for my personal privacy?
The article was very specific about the scope of this workaround. It only applies to the iPhone 5C. If you own an iPhone 5C and Apple is unable to figure out how this attack was done and how to fix it in the future, then your encrypted device is NOT secure. I would imagine the Apple engineers are all over this, considering they made such a public spectacle about it.
Considering that the workaround involved the creation of a “new piece of hardware,” this also means the exploit can be reproduced as many times as the FBI wants. Likely, that piece of hardware has a big “CLASSIFIED” sticker slapped on the top of it.
If privacy is your thing, get a different iPhone.