Owners of Apple iPhones are wondering how safe their password-locked handsets are from attack with news that an Israeli-based forensics company called Cellebrite is telling customers it has the ability to unlock most devices running the iOS operating system.
The report from Forbes was quickly spotted and curated by a number of other news organizations Monday and rapidly spread around the world. The original story also notes that in a recent court document a U.S. Homeland Security agent said a technician who has been trained to use Cellebrite’s solution had accessed an iPhone X (although the affidavit doesn’t say the technician actually used that solution.)
The company, Cellebrite, isn’t saying anything publicly. But one security expert says the report may not be as much as it appears.
In a blog this morning Bruce Schneier says there are “credible rumours” that Cellebrite’s technology only defeats the mechanism that limits the number of attempts to break a password. It does not allow engineers to move encrypted data off the phone and then run an offline password cracker. “If this is true,” he concludes, “then strong passwords are still secure.”
Not only that, the data on the phone may be encrypted with a separate system that has to be cracked. As Schneier points out, we don’t know if the Cellebrite technology allows access to data or even metadata on a device.
Encryption is a two-edged sword for law enforcement and government intelligence agencies. On the one hand it protects their secrets, but it also allows criminals to protect theirs.
The problem came to a head in 2015 when the FBI couldn’t get into an iPhone 5C owned by one of the terrorists who killed 14 people in San Bernardino, Calif. After five wrong guesses on that device the phone refuses to allow another attempt for one minute. Eventually — and that could take months or longer — the code can be broken, but in a running investigation time is important. Apple said it helped the FBI in some ways, but refused a request to build software to get around the problem.
Ultimately the FBI reportedly was able to get into that phone. But since then a number of law enforcement agencies around the world, including the RCMP, have urged their governments and tech companies to find a way police can lawfully access an encrypted device and still allow reasonable privacy. However, experts like Schneier say any solution could also be exploited by sophisticated criminals or nation-states with access to huge computing resources.
The problem was most recently debated by a U.S. committee of experts who admitted there is no easy answer. Police may want some way to force devices to give them so-called exceptional access to protected data, the report says in part, but “the only way to guarantee that every form of encryption is subject to exceptional access is to certify the software that is allowed to run on every storage and communication device, which would be extremely expensive, intrusive, and bad for innovation.”
In looking into the difficulty facing investigators in the San Bernadino case, the Washington Post noted the kind of password on a device describes its ability to be cracked. A four-digit passcode can be jiggled in 10,000 ways. The newspaper said it would only take 13 minutes for the FBI to try out all the different combinations under ideal conditions. However, a mixed six-letter passcode with capital and lower-case letters and numbers would have 56.8 billion possibilities.
Cellebrite says it “empowers law enforcement, military and intelligence, and corporate customers with relevant and defensible digital evidence to build stronger cases and more effective operations.”
“Advanced capabilities help you bypass passwords, overcome locks and encryption challenges to extract and decode complete data from the most devices, operating systems and applications. You can also extract and preserve public and private data from social media and other cloud-based sources, providing an unparalleled amount of forensically sound digital evidence.”
