Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Spanish media claims iPhone 6 with Secure Enclave unlocked by Cellebrite in course of investigation

Last updated

Media reports are claiming that an iPhone 6 that was dredged out of the water in Spain has been unlocked by Cellebrite, and if accurate would be the first publicized report of Apple's Secure Enclave having been penetrated by third party hacking tools.

The mother of missing woman Diana Quer made the declaration on TV program Espejo Publico that a phone that Quer possessed had been unlocked. What useful data that could be gleaned in the investigation surrounding the missing woman is unknown at this time.

During the interview on the Spanish show, law enforcement also revealed that it cost 2000 euro to break into the phone, a far cry from the millions allegedly paid by the FBI to break into an iPhone 5c.

Many details about the penetration of the iPhone are still not known, or have not been revealed by law. While the device is an iPhone 6, what version of iOS the device was running is not known, nor is it known if the device was jailbroken by the user which could have made break-in attempts easier.

Law enforcement also claims that there are WhatsApp messages that were sent to Quer, but were not read that "remain available in the cloud." The sender of those messages, or the relevancy to the investigation is not clear.

Given that the iPhone was submerged in fresh water for two months, it was most likely non-operational. In all likelihood, the chips were removed from the device, and some variation of "NAND Mirroring" used to get at the contents.

Using NAND Mirroring, a four-digit passcode would take about 40 hours, and a six-digit code such as that found on Quer's phone, could take hundreds of hours.

Cellebrite is the Israeli company originally thought to be tied to the FBI's unlock of the San Bernardino shooter's iPhone 5c. In that case, another vague group of "grey-hat" hackers. No useful data linking the San Bernardino shooters to other suspects or deeper ties to terrorist organizations was discovered.

The director of Cellebrite claimed in February that it had started doing "lawful unlocking and evidence extraction" for the iPhone 6 and 6 Plus with in-house service only.

Following the assassination of the Russian ambassador to Turkey, an iPhone 4S was found on the shooter's body. Apple's assistance was requested in that case, with the company reportedly turning it down.



14 Comments

78Bandit 7 Years · 238 comments

I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.

linkman 11 Years · 1041 comments

78Bandit said:
I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.

The PIN alone is not the entire key needed to decrypt the contents. Some parts of that phone would still have to work to enable anything but a brute force decryption (which is almost impossible).

The whole scenario as reported is unlikely.

Mike Wuerthele 8 Years · 6906 comments

78Bandit said:
I didn't think the 5C used secure enclave as was stated in the article. I thought that only started with the 5S models that had Touch ID. I have my serious doubts that iPhone 6 encryption can be cracked for only $2,000. A much more likely scenario is the mother knew the daughter's PIN and that was used to access the data mirrored from the recovered phone.

Yeah, you're right about that. Left over from a previous draft, before I moved some bits around.