After the high-profile San Bernardino shooting in 2015, the FBI threw a fit after being unable to get into the shooter’s phone. They demanded that Apple build them a backdoor so they could access the data on the phone. But then the case seemed to go quiet. That's because the FBI paid a private company a little over a million dollars to get the data off the locked iPhone.
Phone cracking and extracting technologies have proliferated quite a bit since then. Over 2,000 government agencies and police departments across the U.S. have purchased tools that allow them to crack supported Android phones and iPhones. And it's not just the U.S.: regimes in Russia, China, Belarus, Venezuela, and Myanmar, among other places, have acquired technologies that allow them to crack phones.
There are a handful of companies that sell these technologies to governments and large corporations around the world. The most notable is the publicly traded Israeli company Cellebrite. What is impressive is that they consistently crack locked, supported phones running iOS and Android. Cellebrite offers extraction from locked iPhones that Apple currently supports (iPhone 4S*, iPhone 5*, iPhone 5S*, iPhone 6, iPhone 6S, iPhone SE, iPhone 7, iPhone 8, iPhone X). Later, iPhones XR, XS, and 11 were added.
This means circumventing security controls and even cracking disk encryption. So the big question is how?
For this technical analysis we will mainly focus on Cellebrite. It is important to note that all of these technologies involve physical access to the phone by connecting via wire or Bluetooth. It is also important to note that these companies are very secretive. This is an analysis of a fluid and proliferating technology that is based on the limited information available, and we are attempting to fill in some gaps. These companies intentionally keep as much secret as possible.
Device cracking and data extraction vary widely. They depend on variables such as hardware, OS, device power and boot status, as well as other security controls.
First let's explain the basics of how data extraction works, then the security controls native to phones, then we’ll address how they circumvent these security controls. There are a few types of data extraction; logical, file system, and physical are widely offered. There are also a few more sophisticated and invasive techniques that are a whole different process, which we’ll cover toward the end.
The most straightforward is logical extraction. It's the quickest and least intrusive, but provides the most limited data. It copies the data that the user could see under normal use. Unlike other methods, logical extraction generally won't include recently deleted data. This is generally done by exploiting system backups to create a copy of the user-accessible files such as phonebook, calls, messages, pictures, and other data from an iTunes.
Funny Backstory
In 2021, Cellebrite announced they could crack Signal’s encryption of data at rest. Signal responded by somehow acquiring a Cellebrite device (they said it fell off a truck) and connecting it to a phone that they had loaded with malicious code. Then they extracted that malicious code from the phone onto the Cellebrite device. That code was used to analyze the Cellebrite software which runs on Windows OS. Signal found two Cellebrite MSI packages had digital signatures for Apple’s iTunes Windows installer, which we assume to be fraudulent. The Cellebrite software also contains DLLs that iTunes uses to interact with iOS. The Logical Extraction for iOS works similarly to how iTunes or iCloud might take a backup.
Basically, data extractors either communicate with the OS API through an agent they upload to the device, or the extraction software communicates directly with the OS API through the USB connection. The extractor software sends commands that are received into the device's memory and executed. The result is that the data is organized and assembled in a human-readable format by the extractor device. This is easier than cracking the passcode and manually looking through the phone.
File System Extraction
Logical extraction's closely related cousin is File System Extraction. This basically extracts the containers. This includes the user accessible data that logical extraction takes, but also extracts files and folders that the device uses to populate applications, as well as system configurations, and user configurations. With file system access, you can review all pictures, notes, app data, text messages, and the corresponding logs for each.
This usually relies on rooting or jailbreaking the phones to insert a boot loader to access the device’s memory, instead of using the OS API. Obviously there are security controls that attempt to prevent this. We'll address how they circumvent those later. The File system extraction will also need to be decoded with another tool.
Then there’s physical extraction, which is the most popular method. This extracts raw data at the binary level from the device's storage and memory. It can be done by copying the physical storage and memory bit-by-bit or via a hex dump. This may require booting the phone into a custom OS and/or partial device disassembly for physical access to the memory chip to obtain a raw reading of the underlying flash blocks.
Physical extraction can even contain deleted data that hasn’t been overwritten yet. Remember, deleting a file just deletes the pointer and un-reserves the space in storage; the data will still be there until it is overwritten.
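The difference between what a logical and a physical extraction can see, as an added example that is not from the original article or any vendor tool: a toy Python storage model in which deleting a file removes only the pointer. The block size, file names and contents are constructed for illustration.

```python
BLOCK = 16  # bytes per block in this toy medium (constructed value)

class ToyStorage:
    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)  # the medium a physical extraction images
        self.free = list(range(blocks))       # allocator's free-block list
        self.index = {}                       # filename -> (block numbers, length)

    def write(self, name, data):
        need = -(-len(data) // BLOCK)         # ceiling division
        if need > len(self.free):
            raise OSError("storage full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = (blocks, len(data))

    def delete(self, name):
        blocks, _ = self.index.pop(name)        # drop the pointer...
        self.free = sorted(self.free + blocks)  # ...and un-reserve the blocks; bytes stay

    def logical_extract(self):
        """Backup-style view: only files that still have an index entry."""
        out = {}
        for name, (blocks, length) in self.index.items():
            data = b"".join(self.raw[b * BLOCK:(b + 1) * BLOCK] for b in blocks)
            out[name] = bytes(data[:length])
        return out

    def physical_extract(self):
        """Bit-for-bit copy of the medium, allocated or not."""
        return bytes(self.raw)

def deleted_data_demo():
    s = ToyStorage()
    s.write("note.txt", b"meet at 9pm, dock 4")
    s.write("todo.txt", b"buy milk")
    s.delete("note.txt")
    logical = s.logical_extract()                          # note.txt is gone here
    in_image_after_delete = b"meet at 9pm" in s.physical_extract()
    s.write("photo.bin", b"\xff" * 32)                     # reuses the freed blocks
    in_image_after_reuse = b"meet at 9pm" in s.physical_extract()
    return logical, in_image_after_delete, in_image_after_reuse

if __name__ == "__main__":
    print(deleted_data_demo())
```

Real flash adds wear leveling and TRIM, and on an encrypted phone the leftover blocks are ciphertext, so this models only the pointer-versus-data point made above.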
iOS Security Controls
NOTE: A phone's attack surface is much smaller before the first unlock after boot than after.
Since iOS 8, Apple has enabled device encryption when a user sets a passcode for device lock. This basically means the data on the device is encrypted when locked, so any of these extraction methods would yield encrypted data.
Then, starting with the iPhone 5S and later versions, as well as Macs and iPads, Apple rolled out the “Secure Enclave”. Basically all locked Apple devices are encrypted with random private root keys, called UID, which are fused to the Secure Enclave chip, which is isolated from the rest of the device.
The Secure Enclave is its own system on a chip with a boot ROM to establish a hardware root of trust, an AES engine for secure cryptographic operations, dedicated protected memory, and a dedicated processor. Similar to the Application Processor Boot ROM, the Secure Enclave Boot ROM is immutable code that generates a random ephemeral memory protection key for the Memory Protection Engine.
The Secure Enclave Processor has a memory-protected engine, encrypted memory, secure boot, a dedicated random number generator, and its own AES engine. The Secure Enclave is shielded from debugging interfaces like JTAG.
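Why an image pulled from a locked device is only ciphertext, as an added example that is neither Apple's construction nor code from the original article: a simplified Python model that assumes the data key is wrapped under a key derived from both the passcode and the device-fused UID. PBKDF2, the toy wrap, the UID bytes and the passcodes are all stand-ins chosen for illustration.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # assumed work factor, not Apple's value

def passcode_key(passcode: str, uid: bytes) -> bytes:
    """Key-encryption key that depends on the passcode AND the device UID."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS)

def _stream(kek: bytes, n: int) -> bytes:
    return hashlib.shake_256(b"enc" + kek).digest(n)

def wrap(data_key: bytes, kek: bytes) -> bytes:
    """Toy authenticated wrap (XOR keystream + HMAC tag); illustration only."""
    ct = bytes(a ^ b for a, b in zip(data_key, _stream(kek, len(data_key))))
    return ct + hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()

def unwrap(blob: bytes, kek: bytes):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # wrong passcode or wrong device
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, len(ct))))

# Constructed values: the UID never leaves the real hardware.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
OTHER_UID = bytes(32)                    # any machine that is not this device
DATA_KEY = hashlib.sha256(b"constructed data key").digest()

def unwrap_demo():
    blob = wrap(DATA_KEY, passcode_key("482913", DEVICE_UID))
    on_device = unwrap(blob, passcode_key("482913", DEVICE_UID))
    off_device = unwrap(blob, passcode_key("482913", OTHER_UID))   # right code, no UID
    wrong_code = unwrap(blob, passcode_key("000000", DEVICE_UID))
    return on_device == DATA_KEY, off_device, wrong_code

if __name__ == "__main__":
    print(unwrap_demo())
```

In this model even the correct passcode fails away from the device, which is why a longer passcode and a UID that stays inside the hardware both matter.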
Unpatchable iPhone Vulnerability
How it was discovered
According to Cellebrite and other phone extractors, both logical and file system extraction on locked devices require them to jailbreak the device. Physical extraction involves booting to a special OS, which is basically a tethered jailbreak. There is an unpatchable vulnerability that allows the previously listed iPhones to be jailbroken over USB; those phones can be cracked regardless of what OS they are running. The list of phones affected by this unpatchable vulnerability is identical to the list of locked iPhones Cellebrite advertised cracking before Cellebrite added a few newer phones to the list. More on those newer ones later.
During the iOS 12 beta, Apple patched a critical use-after-free vulnerability in the iBoot USB code, but this led to the discovery of a BootROM vulnerability in the exact list of iPhones Cellebrite advertises cracking. iPhone 8 and X are compatible with iOS 15.5, but newer phones running iOS 15.5 are not affected.
TLDR; the Unpatchable Vulnerability Explained
All of this points to a memory corruption vulnerability within the device firmware. The BootROM is very small and can be called a light version of iBoot, as they share most of the system and library code. Unlike iBoot, the BootROM cannot be updated (ROM = Read Only Memory). The BootROM is the hardware root of trust of the secure boot chain. BootROM vulnerabilities allow an attacker to control the booting process and execute unsigned code on a device, such as inserting a malicious script or malware during boot. It is important to note that this vulnerability is in the iPhone's main BootROM, not the Secure Enclave BootROM.
Entering the iPhone into Device Firmware Update (DFU) Mode
Then running commands.
DFU mode allows one to transfer a signed image to a device via USB that will be booted later. Given the context this makes sense. The exploit developed for this vulnerability can jailbreak devices which allows for:
Circumventing the authenticated bootchain, allowing decryption of keybags that store firmware decryption keys
Decrypting the firmware
Dumping SecureROM on some devices
Dumping and flashing NOR on some devices
Demoting devices to older standards
Researchers have utilized this BootROM vulnerability to crack the passcode by booting a custom Secure Shell ramdisk with a patched kernel. That allowed them to instruct the Advanced Encryption Standard (AES) engine to use the UID key from userspace. The exploit capabilities vary considerably from phone to phone. Either way, since it's a vulnerability in the boot mechanism, it seems good for physical extraction, which requires a tethered jailbreak booting the phone into a custom OS with a bootloader that may or may not decrypt, depending on the device. Cellebrite develops decrypting bootloaders that cover entire chipsets. If the data can't be decrypted, it's still a big step for physical, logical and file system extraction.
How iPhone’s Encryption is Cracked
OK. So we have a way to decrypt the firmware, modify the OS partition to install things and boot into a custom OS, perform a data extraction, and possibly even decrypt data on some devices. But most phones' data is still encrypted on the data partition that's managed by the Secure Enclave, which was engineered to protect against this type of scenario.
In 2017, way before the previously mentioned exploit, a group of hackers decrypted the Secure Enclave firmware to explore how the Secure Enclave works. This was likely done through electromagnetic analysis; more on that later. Then Chinese hackers from the Pangu Team likely leveraged this information to uncover the “unpatchable” vulnerability they exploited on A7 through A11 Bionic chips used for Secure Enclave. This vulnerability could be exploited to break the encryption of the private security key, and thus decrypt the user data after first unlock. This vulnerability affects iPhone 5S all the way through iPhone X, the exact same phones affected by the other vulnerability, and the same phones that Cellebrite advertises cracking. Again, this is a hardware or firmware vulnerability. While they didn't release many details, this vulnerability and exploit are very likely built on top of the BootROM vulnerability.
There are a few other ways to extract the unencrypted data. The chances are if police are searching a home, they’ll take any computers too. If the iPhone already has a valid pairing record on a computer, then a logical extraction can be obtained from a locked iPhone, either by spoofing the computer, or gaining access to that computer.
How Bruteforce Protections are Circumvented
Instructions show how the GrayKey phone extractor includes brute force capabilities that can push an agent onto the locked phone to automate brute force passcode attempts. Cellebrite has a similar tool. We suspect this agent has something to do with the stolen/spoofed iTunes Windows DLLs and digital signatures Cellebrite stole to enable its software to interact with iOS. For some iOS versions, such as 11, the password entry rates are slower before first unlock after booting than after first unlock. This tool includes functionality that allows for any personal data, such as date of birth and other information, to be taken into account during the brute force attempts. It also includes functionality to detect alphanumeric codes and uses dictionary attacks.
So depending on the phone, OS, boot status, and passcode it can take minutes to days to crack.
While iPhones have protection mechanisms against manual brute force attacks, agents can seemingly circumvent them, again likely with the stolen iTunes DLLs and digital signatures. But any software vulnerabilities would quickly be patched. Starting just before iOS 12, Apple added USB Restricted Mode, which disables USB 1 hour after lock. Vendors like GrayKey, among others, have reportedly been able to circumvent USB Restricted Mode on iPhones XR, XS, and 11 that are running up to iOS 13.7. It's unclear how, but this is likely done with some combination of hardware, firmware, and/or software vulnerabilities. It's unclear how newer iPhones and versions of iOS address this, but the brute force agent doesn’t seem consistently effective with newer iPhones.
It's also unclear how these agents consistently circumvent passcode lockouts. Software vulnerabilities would likely get patched. Given the specifications of iOS versions and iPhones, we have a few different theories that are not necessarily mutually exclusive. First, Apple has responded to news of these extractors by basically saying they balance security and ease of use, so it's possible some of the iOS versions have functions that are inherently vulnerable, which they are willing to accept to preserve functionality. It's also possible that the agent exploits hardware and/or firmware vulnerabilities. Some iPhone models were built before these iOS protections were released, so it's possible it's a compatibility issue. Firmware in the ROM provides necessary instructions for different hardware components to communicate with one another, so it's possible they exploit hardware and firmware to circumvent iOS and its built-in protections. They’d access or communicate with the processor and other hardware involving passwords and keys. It's likely some combination, varying by device.
Here’s another brute force option. Since it is possible to electromagnetically copy data on the chips, extractor companies could bypass USB restricted mode or passcode lockouts by cloning the chips and then restoring a previous state. This has been successfully demonstrated on an older iPhone by dumping data from one of the previously mentioned exploits. Although it's worth noting that this is much more time consuming, expensive, and requires more expertise, so it is probably only used in high profile investigations.
A New Brute Force Attack on the Horizon
A new enhanced brute force method may be on the horizon. Researchers have shown that monitoring and analyzing power patterns in the processor's electromagnetic behavior during a brute force attack can speed up cracking the passcode. Researchers established a proof of concept when they exploited the BootROM vulnerability to extract the GID key and decouple it from the passcode.
Hardware Man in the Middle(ish) Attacks
The device could also be disassembled, to possibly intercept the data as it travels from one microcontroller to another processor. This requires a very skilled forensic expert. This is probably the in-house service that Cellebrite and other companies advertise.
The extractors seem to have very limited capabilities for newer phones and operating systems. Apple added USB Restricted Mode with iOS 11.4.1 and later, which disables USB communications one hour after the last unlock, although not all users have it enabled. Phone extractors seem to have a way to circumvent this on iPhones XR, XS, and 11 that run up to iOS 13.7. This is likely with some combination of hardware, firmware, and/or software vulnerabilities. With iOS 16, users have the optional Lockdown Mode, which automatically disables USB communication upon locking the device.
It’s possible the companies are exploiting unknown, negative day vulnerabilities in the operating system. They would likely do it in house to keep it a secret, so that Apple doesn’t patch the vulnerability. The Australian phone cracking company, Azimuth, cracked the San Bernardino shooter's phone using a bug in open-source code from Mozilla that Apple relied on to allow accessories to be plugged into the iPhone’s Lightning port, although this was not an N-day. They then found another vulnerability, gained control over the processor, and circumvented the brute force controls on the iPhone 5. Companies may be coming up with new secret exploits like this, which would quickly be patched if discovered on supported versions.
The Bottom Line
The trend here seems clear. The longer the devices have been released to the public, the more likely extraction companies will find a vulnerability to exploit. Software vulnerabilities are valuable to spyware companies that can quickly and scalably exploit the vulnerability on a virtually unlimited number of targets before the vendor patches it. Extraction companies don’t have that luxury, so they must keep software vulnerabilities a secret, and cannot build products to exploit software vulnerabilities. On the other hand, hardware vulnerabilities offer a virtually unlimited amount of time to exploit, as long as you have physical access. As new phones are released by Apple, they seem to be getting physically hardened. If physical security is a concern, newer phones offer the best protection.