Cellebrite advertises its ability to unlock devices running iOS 11, including the iPhone X, to government agencies

By Malcolm Owen

Cellebrite, the Israeli security firm believed to have helped the FBI unlock an iPhone during the San Bernardino investigation, is claiming it is capable of bypassing the security of devices running iOS 11 and older versions, including recently launched hardware such as the iPhone 8 and iPhone X.

Cellebrite's Universal Forensic Extraction Device (UFED)

The company is said to be advising its customers that it has the ability to access devices running iOS 11, reports Forbes. A marketing document advertising the firm's Advanced Unlocking and Advanced Extraction services to law enforcement agencies advises that devices running iOS 5 through to iOS 11 can be accessed, including all iPhone, iPad, iPad Pro, and iPod touch models.

A report source claims the Department of Homeland Security successfully raided an iPhone X in a search for data in November 2017, most likely by using Cellebrite's technology. A separate source involved in the police forensics community claims he was informed by Cellebrite that it could unlock an iPhone 8, and believed it would also be true of the iPhone X.

Cellebrite's Advanced Unlocking service is marketed as the "industry's only solution" for defeating complex locks on market-leading devices, including both iOS and Android smartphones and tablets. The paid service, available only to law enforcement, unlocks the device for the government agencies, allowing them to extract the data themselves.

The Advanced Extraction option is billed as a way to access the device's data if it is not accessible by conventional means, such as when full disk encryption is in use. Under the service, the full file system is retrieved for the customer, providing access to emails, application data, geolocation data, and other items without jailbreaking or rooting the device.

If Cellebrite's claims are true, this effectively means it is possible for agencies like the FBI to pay to unlock any iOS device. In contrast to the $900,000 allegedly paid to Cellebrite, the report suggests that the unlocking process can be relatively inexpensive, priced as low as $1,500 per device.

The apparent hack of the iPhone X using Cellebrite's tech was revealed in a warrant discovered by Forbes, with the phone owned by a suspect in an arms trafficking case. The iPhone X was taken from the suspect as he was about to leave the U.S. on November 20 and was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs, and the data was extracted on December 5.

The warrant does not mention what data was discovered nor how it was accessed. The iPhone X owner is apparently now awaiting a trial on July 31, but it is unknown if the accessed data will be used in their prosecution.

Cellebrite's ability to access the contents of an iOS 11 device is surprising, considering the operating system's release also introduced new security features that made it harder to break. This includes the SOS mode disabling Touch ID, a move that effectively prevents police from forcing a suspect to unlock their iPhone using a fingerprint.

It is unknown exactly how Cellebrite is able to defeat iOS 11's security, and it is unlikely such information will be released, as Apple would almost certainly attempt to patch the security flaw as quickly as possible. Report sources claim the firm has developed new techniques to get in, but considering Apple's quick reactions to plug security holes, these are probably not ones that have been publicly discovered.

A release of data from a hack of Cellebrite's servers last year revealed some of the workings behind its Universal Forensic Extraction Device, a unit that could pull a variety of data from a connected smartphone. Along with brand-specific exploits, the iOS-related code allegedly used scripts originally used to jailbreak iPhones, as well as firmware altered to break security on older devices.