📱 2022-04-29 16:02:00 – Paris/France.
Cellebrite's iPhone cracking kit allows the company's customers to access virtually any private data stored on a phone – in some cases, even if the phone is locked.
But the exact capabilities depend on both the iPhone model and the version of iOS it's running. We managed to get access to the user documentation of a recent version of the kit to see what it can do…
Background
Cellebrite manufactures a range of hardware and software kits designed to unlock iPhones and Android smartphones, and extract most of the data they contain.
Some versions are sold to commercial companies, while Cellebrite Premium is – in theory – only sold to law enforcement. However, the exact position is unclear. For example, the company recently revealed that it has more than 2 US government customers, many of whom would not fall under what would normally be considered "law enforcement."
US Fish and Wildlife Service investigators frequently work to thwart a variety of environmental infractions, from illegal logging to hunting without a license. Although these are real crimes, they are usually not associated with invasive phone hacking tools. But fish and wildlife officers are part of the growing group of government workers who can now break into encrypted phones and siphon off mounds of data using technology bought from surveillance company Cellebrite. […]
The list includes many that would seem far removed from intelligence gathering or law enforcement, such as the Departments of Agriculture, Education, Veterans Affairs, and Housing and Urban Development; the Social Security Administration; the US Agency for International Development; and the Centers for Disease Control and Prevention.
Other Cellebrite clients include blue chip companies wishing to conduct internal investigations and cybersecurity companies.
Cellebrite Premium Kit
The flagship phone cracking kit offered by the company is known as Cellebrite Premium. This is a hardware and software package comprising:
- Cellebrite Premium Laptop, with pre-installed software
- Android adapter
- iOS adapter
- iOS adapter (AFU version, to be used after the phone has been turned off)
- A complete set of cables and carrying bag
- A hardware license dongle, without which the software will not work
The software allows users to extract either specific target data (for example, messages or photos) or the complete file system, which contains almost all user data, including keychain passwords, which in turn give the user access to most of the services the phone's owner uses. Here's what the company has to say:
By performing full file system and physical extractions, you can obtain much more data than is possible through logical extraction and gain access to highly protected areas such as the iOS Keychain or Secure Folder.
Access to third-party app data, stored passwords and tokens, chat conversations, location data, email attachments, system logs, as well as deleted content, increases your chances to find incriminating evidence.
Cellebrite iPhone Cracking Capabilities
In February the company kept its more advanced capabilities in-house, but the webpage relating to this has since disappeared, and it appears from the documentation we've reviewed that Cellebrite Premium can now do everything that CAS used to do.
It's worth noting that the documentation we got predates the launch of the iPhone 13, and at that time the company apparently didn't have the ability to access the iPhone 12 either.
Full access even locked, with any supported iOS version
Cellebrite Premium can unlock and access the full file system of the following phone models, even when password protected, with unlocking time depending on the complexity of the password. It doesn't matter which supported version of iOS the phone is running: the company can unlock the device and access everything.
- iPhone 4s*
- iPhone 5*
- iPhone 5s*
- iPhone 6
- iPhone 6S
- iPhone SE
- iPhone 7
- iPhone 8
- iPhone X
*Interestingly, in-house unlocking by the company is required for these three models if they are running iOS 5 or iOS 6, while Cellebrite Premium allows customers to unlock devices directly if they are running iOS 7 or later.
These models can be hacked regardless of iOS version because of unpatchable vulnerabilities in them. One was revealed with the checkm8 exploit, and another flaw was discovered in the Secure Enclave later the same year. This too cannot be patched.
Full access even locked, with older versions of iOS
There are three iPhone models that the kit can unlock if they are running any version of iOS up to iOS 13.7.
- iPhone XR
- iPhone XS
- iPhone 11
Full access only with password
The same three models running iOS 14 or iOS 15 cannot be unlocked by the company, either with Cellebrite Premium or with its internal resources. However, if clients have the phone password, full file system access is available.
- iPhone XR (iOS 14 or 15)
- iPhone XS (iOS 14 or 15)
- iPhone 11 (iOS 14 or 15)
Law enforcement may or may not have the power to force a suspect to reveal their passcode – it depends on the country and jurisdiction.
Brute force unlocking takes a long time
Unlocking devices requires brute-forcing the passcode with the kit. This relies on the ability to disable the lockouts that Apple applies to repeated passcode attempts, but it is still a slow process because of the delays imposed before the full lockout.
The company warns that the process can take a long time, with an example in the user guide referring to a rate of just over 100 attempts per day.
However, the kit allows users to enter all the personal data they have for the owner of the phone, such as date of birth and other important dates, such as the birthday of a loved one. These will be used to generate initial attempts, before resorting to brute force. This underlines the importance of protecting personal data, even details that seem relatively insignificant.
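An added example, not taken from the article or from Cellebrite's documentation: a passcode check from the phone owner's side, treating the article's figure of roughly 100 attempts per day as a flat rate. The date patterns, function names and sample dates are assumptions made for illustration; the order in which the kit actually tries guesses is not described on this page.

```python
from datetime import date

# Assumption: flat rate based on the article's "just over 100 attempts per day".
ATTEMPTS_PER_DAY = 100

def date_derived_codes(d: date) -> set[str]:
    """Common 4-, 6- and 8-digit codes that can be formed from one date."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {
        dd + mm, mm + dd, yyyy, mm + yy, yy + mm,        # 4 digits
        dd + mm + yy, mm + dd + yy, yy + mm + dd,        # 6 digits
        dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd,  # 8 digits
    }

def worst_case_days(passcode: str, rate: int = ATTEMPTS_PER_DAY) -> float:
    """Days needed to try every all-digit passcode of this length."""
    return 10 ** len(passcode) / rate

def assess(passcode: str, known_dates: list[date]) -> dict:
    """Report whether a numeric passcode falls inside the date-derived
    guesses that would be tried before exhaustive search begins."""
    if not passcode.isdigit():
        raise ValueError("this sketch only models numeric passcodes")
    early = set()
    for d in known_dates:
        early |= date_derived_codes(d)
    early = {c for c in early if len(c) == len(passcode)}
    derived = passcode in early
    return {
        "date_derived": derived,
        "early_guesses": len(early),
        # Upper bound on days until the passcode is reached.
        "days_bound": len(early) / ATTEMPTS_PER_DAY if derived
                      else worst_case_days(passcode),
    }

if __name__ == "__main__":
    # Constructed sample dates (not real data): a birthday and an anniversary.
    dates = [date(1990, 7, 14), date(2015, 3, 2)]
    for code in ("0714", "4821", "582946"):
        print(code, assess(code, dates))
```

At this rate a date-derived 4-digit passcode is reached within the first day, a random 4-digit one is bounded by 100 days, and a random 6-digit one by 10,000 days.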
Standalone mode
Cellebrite's brute force unlocking required the phone to remain connected to the kit until it was successful. Cellebrite Premium, however, provides a standalone mode, where the phone can be disconnected once the attack is underway. Indeed, the kit manages to install the software running the attack directly on the iPhone itself, even if the phone is locked.
Cellebrite's standalone bruteforce capability runs an automated dictionary attack directly on the device itself. Once the process is initiated, the target device can be disconnected from Cellebrite Premium, allowing the standalone brute force process to run simultaneously on multiple devices.
It's worth pointing out that all Cellebrite attacks require physical access to the phone, unlike the NSO Pegasus spyware, which can be deployed remotely, including through zero-click options.
SOURCE: Reviews News