FBI Turns to Cellebrite to Unlock Syed Farook's iPhone

The mysterious third party helping the FBI hack into the San Bernardino shooter's iPhone 5c is apparently Cellebrite, and not the NSA. The FBI said on Monday it had outside help working on breaking into the iPhone, which led to speculation as to exactly who that might be.

FBI looks to Cellebrite to unlock San Bernardino shooter's iPhoneFBI looks to Cellebrite to unlock San Bernardino shooter's iPhone

Source speaking with Ynet News said Cellebrite, which the FBI has worked with before, offered up a potential hack into the iPhone, but didn't offer up any details as to what that might be.

The FBI has been trying to get at the encrypted data as part of its investigation into last December's mass shooting where Syed Farook and Tashfeeen Malik killed 14 of their coworkers and injured 22 others. The iPhone was recovered from Mr. Farook after the two were killed in a shootout with police.

Apple helped the FBI recover as much data as they could from iCloud backups, but doesn't have any way to bypass the passcode encrypting the iPhone's data. The FBI turned to the courts for an order compelling Apple to create a version of iOS that didn't have the safeguards preventing brute force attacks on passcodes, and Apple responded by calling the order a government overreach.

Apple also filed a motion to vacate the order along with a formal complaint objecting. Apple and the FBI had been scheduled to appear in court on Tuesday to defend their arguments, but that's now on hold while the FBI tries out its new hack. The agency will report back to the court on April 5th with a status update.

The FBI's revelation that it's getting help outside of Apple couldn't have come at a more perfect time. The agency has been losing public support for the unlock order, and the arguments it would've presented at the now postponed hearing didn't seem nearly as strong as Apple's.

With the hearing on hold, the big question how is exactly how the FBI plans to hack into Mr. Farook's iPhone. The FBI doesn't want to try data extraction techniques that would destroy the iPhone, so based on what's known about the available options, Cellebrite is most likely using what's known as NAND mirroring, or duplicating the iPhone's encrypted contents so it won't be lost.

Cellebrite will make multiple copies of the iPhone's storage chip so they can be restored when the ten passcode try limit is hit. At that point, they restore the trashed data with a fresh copy and keep trying.

Security researcher Jonathan Zdziarski thinks that's what Cellebrite has planned, and that the FBI wanted a couple weeks to sort out the details. He said,

The leading theory at present, based on all of this, is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip's contents back to the device in order to brute force the pin – and may or may not also be using older gear from iOS 8 techniques to do it. The two weeks the FBI has asked for are not to develop this technique (it's most likely already been developed, if FBI is willing to vacate a hearing over it), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units.

If the technique doesn't work, the FBI will have to decide if it wants to continue pursuing the court order forcing Apple to create a less secure version of the iPhone operating system. If it does work, however, that'll bring an end to the FBI's fight—but it won't end the government's push to get access to our private and encrypted data. We're still facing potential laws requiring tech companies to give law enforcement access to encrypted data, and there will be more court cases pushing for ways into our smartphones, too.