Cellebrite: We Keep iPhone Flaws Secret For The Public's Safety

This article is more than 6 years old.

Earlier this week, Forbes learned that Israel-based U.S. government contractor Cellebrite was touting the ability to unlock the majority of iOS models on the market. That included devices running the latest Apple operating system, iOS 11.2.6, and the newest models, the iPhone 8 and X. It hasn't been forthcoming with any details on just how it's doing that, and in an interview, chief marketing officer Jeremy Nazarian wouldn't be drawn on providing many specifics.

That Nazarian is speaking with the press at all is perhaps surprising, given the company's typically taciturn approach. There's a very good reason for the company's reticence, especially on the details of the iPhone vulnerabilities it finds. Each one is like gold dust, allowing possible penetration into one of the most secure phones on the market. Cellebrite doesn't want to give up the secrets that are at the very core of its value to law enforcement and forensics specialists, who want consistent access to iPhones, or any smartphone that potentially holds vital evidence. Give up any details, ones that Apple's security technicians can latch onto to develop fixes, and the company risks kissing goodbye to its unique unlocking capabilities.

But it's because of that very business model, which requires vulnerabilities to be kept away from Apple, that criticism has been leveled at the company. Apple would patch the security holes for all customers if it was informed. As Electronic Frontier Foundation's senior staff attorney Adam Schwartz warned: "All of us who're walking around with this vulnerability are in danger."

From Cellebrite's perspective, though, this approach is profitable: the company this week also revealed that revenues for 2017's fourth quarter grew 28 percent over the same period in 2016. Nazarian says the model works for law enforcement and, in turn, public safety too.

"There's a public safety imperative here. These capabilities are germane again to homicide, crimes against children, drug gangs, major public safety threats in any community," Nazarian told Forbes. "We feel an obligation to those serving the public safety mission to ensure those capabilities are preserved, to the extent that they can be." Nazarian noted that law enforcement had to demonstrate authority to access someone's iPhone, Android or whatever device they wanted to explore.

The CMO also sought to calm fears over any malicious, illegal use of Cellebrite's tools. "It's not like this is over the wire listening technology... It requires physical access. It's not like anyone is listening to your iPhone or my iPhone. It needs to be obtained as evidence as part of an investigation or a case," Nazarian added. "There's nothing inherent in the technology that means it's open to misuse."

Hypothetical hacks

Whilst Cellebrite won't reveal how it exploits iPhones, plenty of security experts have been coming up with educated guesses. Director of cyber solutions at Point3 Security, Ryan Duff, said he thought Cellebrite would've had to have found a flaw in Apple's Secure Enclave. The Secure Enclave is a chip on every iPhone since the 5S that essentially manages many of the security aspects on an iPhone, in particular, encryption keys. For an additional layer of security, it's isolated from the main processor in case the latter chip is somehow compromised by a hacker.

The Secure Enclave also makes guessing passcodes prohibitively slow. The more guesses, the longer the wait for the next try. For instance, anyone who's made it to a ninth attempt will have to wait another hour to try again. Where passcodes are strong, this should make it prohibitively time-consuming for anyone, including Cellebrite, to brute force a device open by just typing in every possible combination. And, if the user has chosen to turn on the feature, the iPhone can be wiped on the 10th attempt anyway.

Duff, a former cyber operations tactician at the U.S. Cyber Command, said any exploit would likely have to disable those Secure Enclave features to allow for quicker brute forcing. But even then, if the iPhone user has chosen a strong passcode with both letters and numbers, it'd take an extraordinarily long time to guess. That's because, separate from the Secure Enclave, each guess of a passcode has to take 80 milliseconds, noted Duff.

"While this would allow them to guess any six-digit numerical passcode in less than 23 hours, it would take more than five and a half years to try all combinations of a six-character alphanumeric passcode with just lowercase letters and numbers," he added. "A more complicated password than that would be completely uncrackable." For the average user, this is a good time to remember that if they want really secure iPhones, they should start with a long and complex passcode.
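Duff's arithmetic can be checked and extended to other passcode policies. The following is an added example, not from the article or from Duff: it takes the 80-millisecond per-guess figure from the text, while the function names, the 62-symbol alphabet and the ten-year target are assumptions made for illustration. It models only the case Duff describes, where escalating delays and the wipe feature no longer apply and the passcode is chosen uniformly at random.

```python
GUESS_SECONDS = 0.080          # per-guess cost quoted by Duff in the article
YEAR = 365.25 * 24 * 3600      # seconds in a year

# Symbols available per passcode character.
ALPHABETS = {
    "digits": 10,
    "lowercase+digits": 36,
    "mixed-case+digits": 62,   # assumption: not discussed in the article
}

def exhaust_seconds(alphabet_size, length, per_guess=GUESS_SECONDS):
    """Worst-case time to try every passcode of exactly `length` symbols."""
    return alphabet_size ** length * per_guess

def min_length(alphabet_size, target_seconds, per_guess=GUESS_SECONDS):
    """Shortest passcode length whose worst-case search time meets the target."""
    length = 1
    while exhaust_seconds(alphabet_size, length, per_guess) < target_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

def policy_table(length=6, target_seconds=10 * YEAR):
    """Per alphabet: worst case at `length`, and the length needed for the target."""
    rows = []
    for name, size in ALPHABETS.items():
        worst = exhaust_seconds(size, length)
        rows.append((name, humanize(worst), min_length(size, target_seconds)))
    return rows

if __name__ == "__main__":
    # Target of ten years is an illustrative assumption for a defender's policy.
    for name, worst, needed in policy_table():
        print(f"{name:18} 6 chars: {worst:>12}   length for 10 years: {needed}")
```

The expected time to hit a random passcode is half the worst case, so a policy target should be set with that margin in mind.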

It may be that Duff's hypothesis is wrong and that Cellebrite has something even more advanced up its sleeve. Right now, only the folks in the Israeli company's labs know. And it might stay that way for good, regardless of how much it might behoove Apple and its customers to know.
