Australian security firm Azimuth has been identified as the experts who managed to crack a mass shooter's iPhone that was at the center of an encryption standoff between the FBI and Apple.
Until this week it had largely been assumed that Israeli outfit Cellebrite was hired to forcibly unlock an encrypted iPhone 5C used by Syed Farook – who in 2015 shot and killed colleagues at a work event in San Bernardino, California, claiming inspiration from ISIS.
Efforts by law enforcement to unlock and pore over Farook’s phone were unsuccessful, leading to the FBI taking Apple to court to force it to crack its own software to reveal the device's contents. The Feds got an order from a judge instructing Apple to effectively break its own security to give agents access to the locked and encrypted handset.
But Apple heavily and publicly resisted, leading to a legal showdown that resulted in increasing alarm in the technology industry. Before the courts were forced to resolve the issue of access to encrypted data, however, the FBI announced it had found a way into the phone and dropped the case.
It later emerged the Feds had paid $900,000 to get into the phone... which had nothing of value on it. That isn't too surprising since it was Farook’s work phone, after all.
According to the Washington Post today, Apple has been working desperately hard since then to find out who exactly managed to crack its operating system's defenses, including suing companies it thinks were involved in order to pull out information.
That effort, it's claimed, was behind Apple's copyright infringement war against Corellium, which was started by the man who reportedly cracked the iPhone while working at Azimuth, David Wang. The case was eventually thrown out, though it gave Apple an opportunity to depose Wang and ask him pointed questions about his work in an effort to figure out whether it was he who defeated iOS's protections.
Apple reportedly tried to hire Wang, and when he said no, it tried to buy Corellium, an approach that was also turned down. Apple sued the company soon after.
Despite its happy hipster public image, Apple is just as aggressive and ruthless as any other Fortune 500 corporation, and can be extraordinarily petty when it feels its interests are being threatened.
Apple also wants any vulnerabilities discovered in its software to be given to it, rather than sold to law enforcement and governments, so the super-corp can patch them. However, when it comes to something like mobile operating systems, used by billions of people to store their most personal details (and potentially evidence of crimes), unpatched holes can be hugely valuable to government organizations – which, like others, are willing to pay substantial figures for working exploits, leading to the scenario described here.
Apple's highly secretive and restrictive corporate culture is also a bit off-putting for those who find flaws in product security. And, as bug-bounty pioneer Katie Moussouris raised on Twitter, zero-day vulnerability sales to the Feds are perhaps better than having all devices backdoored by law.
So how was it done?
The WaPo article contains details that could seemingly only have come from Azimuth/Corellium, raising questions over why the information has come out now, six years later. Clearly, there is a lot going on behind the scenes.
The entry point into the phone, which due to an iOS feature could have wiped its contents if the wrong unlock code was entered too many times, was apparently via some vulnerable code written by Mozilla that Apple used to handle accessories plugged into its Lightning port. From the article:
Wang created an exploit that enabled initial access to the phone - a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor - the brains of the device. From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries. Wang and Dowd tested the solution on about a dozen iPhone 5Cs, including some bought on eBay, the people said. It worked. Wang dubbed the exploit chain “Condor.”
The FBI ran various tests on other phones before running it on the killer's handset, and discovered, well, nothing ultimately. And within just a few months of the exploit's use by the FBI, Mozilla discovered the flaw itself and patched it.
A spokesperson for Mozilla told us: "Without being provided more specific information by the Post we cannot verify that the underlying basis for Mozilla's inclusion in this story is true.
"As an open-source organization our code is universally available and can be used by any individual or company without our direct knowledge. Presently, we are not aware of a bug in our code that was connected to this exploit, and cannot isolate any specific fix as being related among the thousands of bugs a year that we patch." ®