Details on the Unlocking of the San Bernardino Terrorist’s iPhone

The Washington Post has published a long story on the unlocking of the San Bernardino Terrorist’s iPhone 5C in 2016. We all thought it was an Israeli company called Cellebrite. It was actually an Australian company called Azimuth Security.

Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.

[…]

Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone, a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor, the brains of the device. From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.

Apple is suing various companies over this sort of thing. The article goes into the details.

Posted on April 19, 2021 at 6:08 AM

Comments

Marc April 19, 2021 8:16 AM

Apple should consider some kind of blacklisting – no products, no support, for these firms, no working with banks who fund them, lifetime bans on ex-employees who take their knowledge to these firms, permanent termination of suppliers who work with them etc. Then publish a shitlist of such anti-privacy, police-state transgressors.

Time to take a side in the surveillance vs security debate and go to war over it.

jones April 19, 2021 8:17 AM

Apple is suing various companies over this sort of thing

The article notes: “In 2019, Apple sued Corellium for copyright violation”

One of the really screwy things about the Digital Millennium Copyright Act is that it makes it illegal to bypass copyright protections even if you aren’t bypassing those protections to do anything illegal.

So using deCSS to play a lawfully acquired DVD on Linux is technically illegal. It’s been letting corporations basically write their own copyright law to target whomever — from video game modders to legitimate security researchers.

Dave's Not Here April 19, 2021 8:29 AM

Good thing that Mozilla uses Rust and none of the processes run as root. Certainly that should limit any nefarious access.

TimH April 19, 2021 9:21 AM

@jones: “DMCA… illegal to bypass copyright protections” but breaking into a phone is to access user data, which is not copyright protected. DVD material is.

TimH April 19, 2021 9:58 AM

@hdhh: Firstly, you don’t ‘author’ metadata. Secondly, Apple don’t have any copyright on the content of your emails, so lack standing.

Me April 19, 2021 10:09 AM

@TimH:
If you put your two points together, you will see that Apple DID author the metadata, and so can at least argue standing.

Andy April 19, 2021 10:15 AM

@Marc Apple is disingenuous (Judge’s words). You can’t both want safety from government compelling you to install backdoors and from hackers who are smarter than Apple in finding holes. The not-yet-appealed decision is that security firms aren’t competing with Apple so there’s no copyright infringement. Still pending is whether they violated the DMCA. If rotten Apple wins that lawsuit it’ll push even more security research to places which are outside its jurisdictional reach.

Typical Silicon Valley arrogance.

yet another Bruce April 19, 2021 10:16 AM

@TimH

From the US Copyright office FAQ

When is my work protected?

Your work is under copyright protection the moment it is created and fixed in a tangible form that it is perceptible either directly or with the aid of a machine or device.

This suggests to me that user data on your phone, photos, for example, are protected by copyright.

TimH April 19, 2021 10:20 AM

@Me: If you argue that software can author in the copyright sense as a human, then there will be no more music, since a script could generate every chord sequence up to say 8 chords, and upload every one to YT.

Winter April 19, 2021 10:24 AM

@TimH
“This suggests to me that user data on your phone, photos, for example, are protected by copyright.”

“Data” as such has no copyright. The “data” has to be a creation of the mind. The bar is low, and everything you type, say, or record from your own performance most certainly qualifies.

Automatically generated data, like GPS or WiFi access points do not qualify.

Timh April 19, 2021 10:27 AM

@yet another Bruce: Metadata isn’t a work product created by you, it’s a work product about you. It’s factual, so not copyrightable.

JonKnowsNothing April 19, 2021 10:36 AM

@yet another Bruce

re: This suggests to me that user data on your phone, photos, for example, are protected by copyright.

Depending on what apps you have loaded on the phone, device, nearly all of “user data” has been assigned to “others”. It’s in the TOS/EULA. Since many devices shovel data up to the (5eye)Cloud, anything up there has been given to the cloud owner. All that “sharing and caring” gives Google/Apple etc full ownership of all items in the cloud.

From other aspects like banking, you have assigned ownership/access to those entities, used primarily for target marketing, but they can also be used by LEOs to target you. Even if you don’t load a banking app, they still have access to the accounts and information.

In the USA, email that is ~18 months old no longer needs a warrant to access. You might own the copyright but LEOs own your letters.

In many places Third Party Doctrine for Business Records will suffice.

===

ht tps://en.wikipedia.org/wiki/Third-party_doctrine

  • The third-party doctrine is a United States legal doctrine that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have “no reasonable expectation of privacy.” A lack of privacy protection allows the United States government to obtain information from third parties without a legal warrant and without otherwise complying with the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.

(url fractured to prevent autorun)

Agammamon April 19, 2021 10:44 AM

Marc • April 19, 2021 8:16 AM

Apple should consider some kind of blacklisting – no products, no support, for these firms, no working with banks who fund them, lifetime bans on ex-employees who take their knowledge to these firms, permanent termination of suppliers who work with them etc. Then publish a shitlist of such anti-privacy, police-state transgressors.

Time to take a side in the surveillance vs security debate and go to war over it.

If these companies did not exist then all this stuff would be done in total secrecy by nation-state organizations.

We know about these exploits now. Future products can be built more secure because of this real-world testing.

Apple shouldn’t be suing these people. They shouldn’t be trying to cut them off. They should be supporting them – because the sooner they find a flaw they can use the sooner Apple knows about it and the sooner Apple can close it down.

Security-through-obscurity only works for as long as you’re obscure. Apple isn’t.

Etienne April 19, 2021 11:20 AM

I was interested until you said “Washington Post” – and then I went back to the Chef Jean-Pierre cooking channel.

Clive Robinson April 19, 2021 11:30 AM

@ TimH,

you don’t ‘author’ metadata

Actually you do.

It only exists because of your actions, thus it has the minimum required “creative input”.

Look on it like opening and closing a door to a shop to make the bell tinkle in time or some such it qualifies as a “performance” (there is some case law on this somewhere). Or even the “rata-tat-tat” on a door knocker known for some strange reason as “A shave and a haircut”.

Who? April 19, 2021 11:41 AM

@ Marc

Remember these police-state transgressor [governments] have the ability to destroy, or at least seriously damage, Apple.

Consider too Apple was (is yet?) a member of NSA’s PRISM program. A voluntary cooperation program targeting the privacy of customers of participant corporations, a program that allows complete surveillance of customer activities without even a court order. So I would not consider Apple/Microsoft/Google/Skype (Microsoft too)/Paltalk/Yahoo/YouTube (Google too)/AOL victims either.

name.withheld.for.obvious.reasons April 19, 2021 1:06 PM

Ah, the old double-edged sword rears its ugly sharp (but rusty) blade contours.

If in purporting to value the privacy of its customers, Apple has decided to act in the customer’s best interest, does suing these organizations serve that purpose? Or, is it in service to some other agenda, namely “marketing” and “ecosystem” maintenance, irrespective of how that might serve customers currently or in the future?

jones April 19, 2021 1:26 PM

@TimH

The copyright lawsuit isn’t about who owns customer data. The article specifically discusses a copyright claim Apple brought against Corellium in 2019. Coverage of the DMCA suit can be found here:

https://www.theverge.com/2020/12/29/22205130/apple-corellium-dismissed-copyright-dmca-fair-use

The DMCA is notoriously abused and makes it illegal to circumvent many types of digital locks, including ones Apple designs to protect the trade secrets in its phones.

Even if you bypass a digital lock to access something in the public domain — even if you infringe on no copyright, or seek access to your own data — that can still bring a lawsuit under the DMCA.

Some examples from the EFF:

Gitorious users sued for hacking Sony’s PlayStation 3 videogame console for noncommercial, open-source works

Texas Instruments sued a hobbyist who reverse engineered a graphing calculator in order to help others run their own “home brew” operating systems

Dmitry Sklyarov was sued by Adobe under the DMCA and jailed after he designed an ebook reader that converted files from PDF. He was never accused of infringing any copyright, nor of assisting anyone else to infringe copyrights. His alleged crime was working on a software tool with many legitimate uses, simply because other people might use the tool to copy an e-book without the publisher’s permission.

In 2009, Apple threatened the free wiki hosting site BluWiki for hosting a discussion by hobbyists about reverse engineering iPods to interoperate with software other than Apple’s own iTunes

Hewlett-Packard resorted to DMCA threats when researchers published a security flaw in HP’s Tru64 UNIX operating system

In April 2003, educational software company Blackboard Inc. used a DMCA threat to stop the presentation of research on security vulnerabilities in its products at the InterzOne II conference in Atlanta

In 2003, U.S. publisher John Wiley & Sons dropped plans to publish a book by security researcher Andrew “bunnie” Huang, citing DMCA liability concerns. Wiley had commissioned Huang to write a book that described the security flaws in the Microsoft Xbox game console, flaws Huang had discovered as part of his doctoral research at M.I.T.

https://www.eff.org/pages/unintended-consequences-fifteen-years-under-dmca

The list goes on, and very little has to do with copyright infringement — just bypassing a digital lock is enough.

Steve April 19, 2021 6:59 PM

What’s missed in all this talk of lawsuits is that Apple probably didn’t think it would win anything but it was, as reported, using the legal “discovery” process to ferret out information about the breakin technique.

If you get enough redacted documents, sometimes you can figure out what the redacted sections are by inference.

Marc April 19, 2021 7:13 PM

@Agammamon

If these companies did not exist then all this stuff would be done in total secrecy by nation-state organizations.

We know about these exploits now. Future products can be built more secure because of this real-world testing.

Apple shouldn’t be suing these people. They shouldn’t be trying to cut them off. They should be supporting them – because the sooner they find a flaw they can use the sooner Apple knows about it and the sooner Apple can close it down.

Security-through-obscurity only works for as long as you’re obscure. Apple isn’t.

You misunderstood.

This IS the total secrecy by nation/state organisations. We know of these exploits because we get lucky. They work for governments and we only find out about these companies through leaks, accident and the huge effort of investigative journalists. When these guys get discovered they slink back into the shadows only to set up some other NSO/Hacking Team/FinFisher/Azimuth secretive firm to make some more cash at our expense. For us that’s a losing game, hiding is cheaper than seeking.

I’m suggesting changing the economics to make becoming a scummy, unaccountable, black hat tool of oppression more damaging for your career than becoming a white hat who responsibly discloses etc. They should also lobby for multilateral regulation on the industry. The flip side is for Apple to make being a white hat more lucrative by increasing bug bounties etc. But this is about the sticks not carrots.

Careers will still be there in Intelligence/Policing but that’s under tighter control than this monstrosity of a spyware industry. I’m not against targeted hacking if the alternative is mass surveillance, but doing so still needs to be enormously expensive. Killing the spyware industry’s competitiveness is about keeping it so.

They should also consider PR explaining why no one can control who walks through a backdoor and spend up on Wyden’s and others’ campaigns to make it more affordable for politicians to say and vote for the right thing and counter the ‘think of the children’/FBI messaging. If that’s Apple’s position on the security vs. surveillance debate then they need to get serious or they will feed the ‘another big tech puts money before society’ image everyone is happy to lazily repeat.

Smaller companies spend bigger amounts to lobby for lax environmental regulation or kill unions. Whether Apple is angelic, or a victim or just a nasty corporate giant is irrelevant; its incentives align with the public interest so it should start using its power seriously on privacy or it’ll have no choice but to keep caving. If they don’t fight harder we all lose.

James April 20, 2021 7:41 AM

I’m missing something – does the iphone not have a SSD that can be pulled out and cloned before brute-forcing the pass?

Etienne April 20, 2021 1:44 PM

@James

It’s always better to use the software, because you don’t know how the data is stored.

Each fragment may have its own encryption seed. It might not be 1,2,3,4…

Clive Robinson April 20, 2021 3:10 PM

@ Anonymous,

For some reason the FBI refused to try it.

Actually it was the DoJ with the assistance of the FBI as “domain experts”.

And for those who have not worked it out it never ever was about getting data off of a dead terrorist’s phone, they already knew there was absolutely nothing of probative value on it (they just lied through innuendo of might and maybes).

The sole purpose was to force Apple (the industry’s biggest and most identifiable phone company) to cave and put backdoors in their phones.

If you do not believe this apply a little logic. They already knew before they went to court that not just the method you mentioned but others were available; it’s believed to the point of being known that there is recorded information to this effect that people have been trying to FOI request without success (and this might just help push this along), and that’s the reason they have kept it hidden as they lied to the magistrate, who obviously started to realise exactly what was going on.

Faced with the almost certain knowledge that the case was going to go against them and set a precedent neither the FBI nor DoJ psychos wanted, they pulled the rip cord and bailed out, killing the case. Even if they had not got a certain method in the wings, they would have lied about it and said what they did, that the phone contained no relevant information or evidence.

So court case closed, even though it wasted millions of taxpayer dollars. The FBI and DoJ are just going to wait for the next opportunity and do it again.

It’s why the law should be changed, so that if any state or federal agencies lose in court they must pay not just the winner’s costs but double or triple them as damages automatically and immediately.

It really is the only way you will get them to behave in an accountable way, and stop their little game of “creep the goal posts inch by inch” to where they want them as the legislators won’t give it to them.

You only have to look at the psycho babble Barr trotted out and his excuses via religious fundamentalism and his basic belief that a President should have, just like a King, absolute power and absolutely no accountability.

That is, the “Personal Rights -v- Social Responsibility” should be forever nailed at the absolute rights for the President to do whatever they want in the way of “rape, pillage, plunder and murder” and absolutely no social responsibility, not even the smallest part…

Ask yourself, are these the sort of nutbars you want running the US, especially when they are of an age where they care not how much carnage they create (Bolton did just about everything he could to start a war with either Iran or China). They don’t care because they are either going to be too senile or dead to care about the results; all they care about is their personal vainglory and belief in might is right even when it kills millions (which US foreign policy does).

Winter April 21, 2021 4:57 AM

@Clive
“Ask yourself, are these the sort of nutbars you want running the US, especially when they are of an age where they care not how much carnage they create (Bolton did just about everything he could to start a war with either Iran or China).”

This is just straight out of “The Decline and Fall of the Roman Empire”. Every “empire” will decline and fall when one section of the population is able to capture the lion’s share of power and wealth to the detriment of the empire. Whether it is the Roman empire, East and West, any of the Chinese dynasties, 9th century Iraq, the Mongol and Turkish empires, or the USA in the 21st.

At some point, a kleptocracy takes hold of the power (1980 in USA) and will drain the empire of the resources needed to keep itself in existence. What you see in the USA ongoing.

vas pup April 22, 2021 3:12 PM

Tag – Apple

Google and Apple attacked on app store ‘monopoly’
https://www.bbc.com/news/technology-56840379

“Senators have grilled Apple and Google in Washington over “anti-competitive” behavior related to their app stores.

Representatives from Tile, Spotify and Match also gave evidence, accusing the two tech firms of charging exorbitant fees and copying their ideas.

Both Apple and Google’s app stores charge fees of up to 30% for in-app purchases.

The two companies said the fees were justified to provide security for users.

!!!!The Senate Judiciary Committee’s antitrust panel focused on claims that Apple’s App Store and Google’s Google Play are anti-competitive. [agree 100% -vp]

Senator Amy Klobuchar said that Apple’s App Store was a “literal monopoly”.

She said both stores “exclude or suppress apps that compete with their own products” and “charge excessive fees that affect competition in the app store economy”.

“It is iron-fisted monopoly control,” said Match General Counsel Jared Sine.

==>”When an industry player has the power to dictate how apps operate, how much they will be forced to pay, and in many cases, if they will even survive, it is a monopoly.”

Both Apple and Google rejected the idea that their app stores were monopolies – and said the charges were fair.”

On 3 May, Apple and Epic Games, maker of the popular game Fortnite, will begin a court case in their dispute over the App Store charges.

Ted April 30, 2021 11:44 AM

@Marc

Here we go with the cancel culture mentality.

So instead of Apple making better software we should just punish people that find holes in their lousy software?

Time to stop pandering to the apples of the world and expose security flaws where they are.
