Written by Patrick Howell O'Neill
The government may never reveal the name of the company that helped the FBI hack into the iPhone 5c that belonged to the man responsible for the San Bernardino shooting, but conventional wisdom along with media reports point to one company capable of that task: Cellebrite.
The multimillion-dollar Israeli company is the worldwide leader in cracking locked phones and extracting all the data. Over the past two years, Cellebrite has run a smooth, lucrative operation. They operate a network of laboratories to research zero-day vulnerabilities and they sell their closely-guarded capabilities to companies and governments ranging from democratic to authoritarian.
Six months ago, Cellebrite’s director of forensic research announced they were creeping up on the latest Apple models and were capable of hacking into the iPhone 6 and 6+.
Now the company is beginning to change their message: Their ability to crack iPhones is diminishing.
In a recent sales presentation, Dan Embury, the technical director of Cellebrite Advanced Investigative Services — CAIS is the company’s lab that only deals with government customers — outlined the increasing headaches his team faces.
“The trend over the last few years is it’s getting much too easy for device manufacturers to implement very secure encryption and lock mechanisms without impacting the device performance,” Embury said in a March 2017 presentation that was uploaded to the company’s Vimeo account and viewed by CyberScoop before the company made it private.
Speaking to both current and potential customers earlier this year, Embury outlined how the iPhone’s technical evolution has proved to be a challenge for Cellebrite.
“In the past the phone would run really slow [or] the battery wouldn’t be as long lasting, but now with modern processors, large amounts of RAM and flash memory as well running a lot quicker, it’s very straightforward for the strongest military-grade encryption to be put into devices used by the general consumer base out there,” Embury said. “It’s as simple as a four-digit password that could thwart investigative efforts trying to gain access to valuable evidence on a device.”
Apple has made the following changes to the phone’s security mechanisms in order to prevent data from being removed from locked devices: encryption by default; files that become inaccessible once their encryption keys are wiped; and an emphasis on storing crucial data in the device’s Secure Enclave, which defends against brute-force attacks and makes data exfiltration extremely difficult.
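To make those three mechanisms concrete, here is an added Python model (not Apple's code and not from this article) of a file key wrapped under the passcode, escalating delays after failed attempts, and a key wipe after repeated failures; the delay schedule, the wipe threshold and the HMAC-based toy cipher are constructed assumptions, not Apple's actual parameters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed delay schedule: once `failures` reaches a key, every further
# attempt waits that many simulated seconds. An assumption, not Apple's schedule.
DELAY_THRESHOLDS = {4: 60, 6: 300, 7: 900, 8: 3600}
WIPE_AFTER_ATTEMPTS = 10  # assumed threshold for throwing the key away


def delay_for(failures: int) -> int:
    """Delay enforced after `failures` consecutive wrong passcodes."""
    return max((d for n, d in DELAY_THRESHOLDS.items() if failures >= n), default=0)


def derive_wrapping_key(passcode: str, salt: bytes) -> bytes:
    """Deliberately slow passcode-to-key derivation (stand-in for a hardware-entangled KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream from HMAC-SHA256 counters; a stand-in for a real AEAD cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SecureEnclaveModel:
    """Encrypted-by-default file whose key is only reachable through a rate-limited unlock."""

    def __init__(self, passcode: str, plaintext: bytes):
        self.salt = os.urandom(16)
        file_key = os.urandom(32)                       # per-file key, never exposed directly
        self.ciphertext = keystream_xor(file_key, plaintext)
        wrap = derive_wrapping_key(passcode, self.salt)
        self.wrapped_key: Optional[bytes] = keystream_xor(wrap, file_key)
        self.check = hmac.new(wrap, self.wrapped_key, "sha256").digest()  # detects wrong passcode
        self.failures = 0
        self.elapsed = 0                                # simulated seconds spent in delays

    def unlock(self, passcode: str) -> Optional[bytes]:
        if self.wrapped_key is None:
            return None                                 # key wiped: ciphertext is unrecoverable
        wrap = derive_wrapping_key(passcode, self.salt)
        tag = hmac.new(wrap, self.wrapped_key, "sha256").digest()
        if hmac.compare_digest(tag, self.check):
            self.failures = 0
            return keystream_xor(keystream_xor(wrap, self.wrapped_key), self.ciphertext)
        self.failures += 1
        self.elapsed += delay_for(self.failures)
        if self.failures >= WIPE_AFTER_ATTEMPTS:
            self.wrapped_key = None                     # "when the key is gone, the file is gone"
        return None
```

With the assumed schedule, ten wrong guesses cost 12,120 simulated seconds and end with the key discarded, after which even the correct passcode returns nothing.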
“Throughout the years as Apple has released new versions of the phone and operating system, it has continued to make forensics harder each time,” Andrew Blaich, a security researcher at the mobile security firm Lookout, told CyberScoop.
“In the beginning, there was a lot of data you could access simply by plugging phones into computers. Over the years that’s been locked down and added to encrypted sections of the device,” Blaich said. “Additionally you’ll see things like Apple requiring new devices have a passcode set-up on them with passcode complexity expanding. By doing those sorts of things it takes longer for someone to try to break into the device.”
When compared to old models — where experts say little attention was paid to thwarting hack efforts from companies like Cellebrite — iPhones have become locked boxes.
“It sums up to things not being well protected before and now Apple has actually fixed things,” security analyst Will Strafach said. “In my opinion, they weren’t really protected at all before. It’s not that security was bad and got better. There was no security and now there is. As firmware upgrades came out, more and more data was being encrypted by Apple. For data that got wiped due to the key being thrown away, there are no known methods for recovering that data. When the key is gone, the file is gone.”
Cellebrite’s business spans a wide range of use cases from corporations doing internal investigations to countries investigating crimes. In marketing materials, the company regularly publicizes its work on child abuse cases. Cellebrite was used to get into the iPhone of Alexander Boettcher, who grabbed tabloid headlines in the U.K. when he attacked several of his girlfriend’s ex-lovers. More recently, the firm’s tech was used by an NGO to convict a Thai general of human trafficking.
The company also holds regular sales and training events in the United Arab Emirates, known to use spyware to violate human rights; Belarus, whose own dictator-president describes himself as authoritarian; Bahrain where Cellebrite was reportedly used to prosecute a tortured dissident; and the Philippines, where the president commanded the murder of thousands in the name of an extralegal drug war. Nations like the United States, Turkey and Russia are also customers, according to hacked data.
Cellebrite did not respond to requests for comment.
Experts speculated about a future in which companies like Cellebrite would have to shift their offerings and products away from hacking data at rest and toward hacking data in transit. Although many low-end Android phones remain vulnerable, high-end phones and iPhones in particular are increasingly successful in staving off attacks.
“I think that’s why you’re seeing companies like Cellebrite work in the realm of researching or buying vulnerabilities or zero-days to make their product work to get into somebody’s phone,” Blaich explained.
“What the forensics firms have to do now to really get access to the deep, interesting data is they need to compromise the device, to jailbreak to get in and get access to that data. If you want to get into the latest and greatest, that requires zero-days to be acquired and weaponized to get into these devices.”
Update: Cellebrite made the video of Embury’s presentation private shortly after publication.