Israeli Firm Can Now Hack Into Virtually Any Cellphone, Tablet

An Israeli firm claims it can now unlock virtually any phone or tablet on the market - including iPhones and Google Android devices, reports Forbes.

Digital forensics firm Cellebrite, which helped the FBI crack the iPhone used by the terrorist in the 2015 San Bernardino shooting, offers "Unlocking & Extraction Services" for several devices, including iPhones, iPads and iPods running iOS 5 through 11, and Android devices including the Samsung Galaxy, Galaxy Note, and other devices running the Google OS such as Alcatel, Nexus, HTC, Huawei, LG, Motorola, ZTE and more. The service costs as little as $1,500 per device.

Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 (right up to 11.2.6). That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology. -Forbes

Founded in 1999 with a headcount of around 500 employees, Cellebrite offers "Advanced Unlocking Services," and "Advanced Extraction Services" to law enforcement agencies through a network of "secure Cellebrite Forensic Labs (CBFLs) located around the world." In 2007 the firm was bought for $17.5 million by Japanese manufacturing giant Sun Corp. 

“Cellebrite Advanced Unlocking Services is the industry’s only solution for overcoming many types of complex locks on market-leading devices. This can determine or disable the PIN, pattern, password screen locks or passcodes on the latest Apple iOS and Google Android devices,” reads a document published by the firm. 

Their Advanced Extraction claims to be "the world's first and only decrypted physical extraction capability possible for leading Apple iOS and Google Android Services." 

These new capabilities enable forensic practitioners to retrieve the full file system to recover downloaded emails, third-party application data, geolocation data and system logs, without needing to jailbreak or root the device. This eliminates any risk in compromising data integrity and the forensic soundness of the process. This enables access to more and richer digital data for the investigative team. -Cellebrite

Once a "pre-qualified" phone or tablet is selected for unlocking, "the locked and/or encrypted device is sent by trusted courier or hand carried to one of our secure global Cellebrite Forensic Labs where trained specialists perform the unlocking and/or extraction service using carefully controlled techniques that ensure the forensic integrity of the data," writes the company.

From there, it takes around 10 business days to process a device and deliver it back to the "originating agency," while all electronics are handled using "court-tested chain-of-custody procedures." 

After Apple refused a 2015 FBI request to unlock an iPhone 5C belonging to San Bernardino shooter Rizwan Farook, who murdered 14 people in San Bernardino and injured 22, Cellebrite stepped in to crack the phone. Since then, the company has been engaged by several law enforcement agencies around the world - such as Australia's Immigration Department and the Great Barrier Reef Marine Park Authority.

And according to a Michigan warrant unearthed by Forbes, Cellebrite cracked an iPhone X owned by Abdulmajid Saidi - an arms trafficking suspect. Saidi's phone was nabbed as he was about to leave America for Beirut, Lebanon on November 20 and sent to a Cellebrite specialist at the DHS Security Investigations Lab in Grand Rapids, after which data was extracted on December 5. Saidi's trial is set for July 31.

From the warrant, it wasn't clear just how the police got into the iPhone X in the first place, nor does it reveal much about what data was inside. Back when the iPhone X was launched, some fears were raised about the possibility for investigators to simply lift the device to a suspect's face to unlock it via Apple's Face ID facial recognition. Researchers also claimed to have found ways to dupe the Face ID tech into unlocking with a mask. The DoJ prosecutor on the case declined to comment, whilst the DHS didn't respond to requests for comment. -Forbes

“I’d be zero-percent surprised if Cellebrite had a zero-day [exploit] that allowed them to unlock iPhones with physical access,” Patrick Wardle, chief research officer at Digita Security, told cybersecurity news site Threatpost. “These guys clearly have the skills, and there is also a huge financial motivation to find such bugs.”

In response to Cellebrite's claims, Apple has urged customers to upgrade to the latest version of iOS 11 - which contains patches for several of the exploits potentially used by the Israeli firm.

Apple has said publicly that a recent version of iOS 11.2 does address several serious vulnerabilities found by Google Project Zero. In December, Project Zero researcher Ian Beer published details of an “async_wake” exploit and proof-of-concept local kernel debugging tool for iOS 11.1.2. The exploit relied on two now-patched flaws in iOS 11.1.2 that made it possible to jailbreak iPhones running earlier versions of the OS.

“Cellebrite’s techniques clearly pose privacy concerns for Apple customers, but there are also underlying issues around the private forensics contractors doing business with them,” said David Pearson, Principal Threat Researcher at Awake Security. “We’ve already seen what happens when governments weaponize undisclosed exploits and fail to protect them, such as Eternal Blue, Doublepulsar and other tools and exploits alleged to belong to the NSA. This iOS technique may bring more of the same, not to mention the added scrutiny of many security researchers and criminals alike being on the lookout for such information.”