Can the FBI really unlock ANY iPhone in existence?

US media giant Forbes is making a bold claim: the FBI can now unlock every iPhone in existence.

Actually, that’s not exactly what Forbes said – the headline used the slang term “Feds”, referring not just to the FBI, but to law enforcement in general and, by obvious association, to the world’s various intelligence services, too.

And, to be precise, Forbes put the word “probably” in the headline, too, neatly wrapped in brackets in a way that probably made the Forbes lawyers much happier.

So, according to Forbes, law enforcement agencies may be able to unlock many or most iPhones in use out there.

Is it true?

The company that caused Forbes to make this dramatic claim is one we’ve mentioned before on Naked Security: Cellebrite.

Cellebrite is headquartered in Israel, but owned by Suncorporation, a Japanese company broadly associated with video gaming and the pachinko industry. (A pachinko machine is a type of slot machine popular in Japan.)

You may recall that the FBI famously (or infamously, depending on where you stand in the phone unlocking debate) broke into the iPhone 5C of the dead San Bernardino terrorist and mass murderer Syed Rizwan Farook.

At first, no one quite knew how the FBI did it.

We speculated that there were several approaches the cops might have used:

  • Perhaps the passcode was 0000 or 2580, and the FBI got lucky?
  • Perhaps autowipe after 10 wrong guesses was off, so the FBI had more than 10 goes?
  • Perhaps the iPhone had enough unencrypted data left in RAM to help the investigation?
  • Perhaps the FBI could re-write RAM and flash storage to allow repeated guesses?
  • Perhaps the FBI purchased a zero-day vulnerability in iOS?
  • Perhaps the FBI recovered the code using fingerprint marks on the screen?

In the end, it seems that Cellebrite helped out in the San Bernardino case, in a phone hack that was claimed to have cost close to $1,000,000 in total, and that involved a system that worked only on a “narrow slice of phones,” apparently including the iPhone 5C but not the iPhone 5s or later.

What now?

Now, if Forbes is to be believed, Cellebrite has extended the range of phones it can successfully unlock, according to the company’s own marketing material:

Devices supported for Advanced Unlocking and Extraction Services include:

Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.

Google Android devices, including Samsung Galaxy and Galaxy Note devices; and other popular devices from Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE, and more.

Of course, Cellebrite isn’t openly promising that it can always get everything off the systems listed above, merely that those devices “are supported”.

And Cellebrite isn’t saying which sorts of device it’s willing to take a go at – newer ones generally have more secure hardware to enforce the security coded into the software.

You have to send the device to a Cellebrite office; it’s sent back unlocked, if possible – obviously, Cellebrite can’t guarantee to unlock any phone out there, not least because a confiscated device could, in fact, already be irreparably damaged.

But would Cellebrite go to the trouble of inviting law enforcement agencies to send “devices of interest” to a Cellebrite lab if it didn’t think it had a fair chance of getting in?

Does Cellebrite have an exploitable vulnerability up its sleeve that neither Apple nor the jailbreaking community has yet discovered?

Despite Forbes’s bullish (or bearish, depending on where you stand in the phone unlocking debate) claims, we simply can’t say.

What to do?

Let’s assume the worst – namely that Cellebrite does have a pair of iPhone and Android zero-day aces in the hole.

In a way, there’s some good news in that scenario: you can bet your boots (and your trendy phone case) that Cellebrite will go many miles out of its way not to let those zero-days become known, because they’re the geese that lay the golden purchase orders.

So, even if Cellebrite is willing to have a go at cracking phones, for a fee, your device still isn’t wide open to just anyone.

In other words, the following simple precautions are well worth taking:

  • Patch early, patch often. This can be tricky in the divided and inconsistent Android ecosystem, but it’s pretty easy in the iPhone world: when there’s an iOS update, install it right away. You’ll be protecting against plenty of new security holes that have recently been reported – and, who knows, if Cellebrite really does have a secret security hole of its own, sooner or later you’ll neutralise that one, too.
  • Use the longest phone lock code you can manage. A 10-digit lock code is a mild irritation for a while, but soon starts to feel like a virtuous and more secure choice than 4 or 6 digits – because it is.
  • Set the shortest lock period you can tolerate. A phone that automatically locks itself after a minute will annoy you from time to time, but it will annoy any prospective “hit and run” crooks (or mischievous friends and colleagues) a whole lot more.