A year ago the FBI was pushing to force Apple into making a hackable version of iOS for a terrorist investigation while claiming the code would stay secure. Now Cellebrite—the company the FBI reportedly hired to break through the iPhone’s encryption—has been hacked, validating Apple’s concerns the tools would eventually leak.
Cellebrite announced on Tuesday that its servers had been hacked, saying:
“Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach.”
The Israeli company has a solid reputation with law enforcement agencies for its ability to hack into encrypted devices including some iPhone models, and reportedly used its tools to bypass the security on an iPhone 5c linked to a terrorist shooter.
In that case, the FBI was trying to bypass the passcode on an iPhone linked to Syed Farook who was identified as a suspect in the December 2015 mass shooting at a San Bernardino County holiday party. Mr. Farook and his wife, Tashfeen Malik, opened fire on their coworkers, killing 14 and injuring 22 others.
The two were killed later that day in a shootout with police. They destroyed their personal smartphones before the attack on their coworkers, but the county-issued iPhone 5c Mr. Farook used was recovered intact. Without the passcode, however, police couldn’t examine its contents to look for potential leads in the case.
Cellebrite, the FBI, and iPhone
Apple assisted the FBI and recovered what data it could from the phone’s linked iCloud account, but didn’t have any way to bypass built-in security measures. The FBI turned to the Federal Court system for an order compelling Apple to make a special version of iOS without the security measures that destroy a device’s data after too many failed login attempts. Apple refused, saying the order was unprecedented and the code would eventually fall into the wrong hands and expose iPhone owners to serious security and privacy risks.
The FBI said that wouldn’t happen because the security-weak iOS version would be used only on Mr. Farook’s iPhone, and could remain in Apple’s possession. Apple countered, saying that once the code was written, other law enforcement agencies and governments would demand it for their own investigations and surveillance. Apple was almost immediately proven right when the Manhattan District Attorney said he had over 200 iPhones where he wanted to use the code for his own investigations.
Hours before Apple and the FBI were scheduled to appear in court, the FBI backed down, saying a third party had unlocked the iPhone for them. That third party was Cellebrite.
In the end, Mr. Farook’s iPhone didn’t hold any useful information, just as San Bernardino police expected. Had Apple capitulated and created the code the FBI wanted, all iPhone owners would’ve been faced with the prospect of worthless encryption, all for a phone without any useful information.
The FBI insisted during its fight with Apple that the government needs backdoors into our encrypted personal data. Apple and security experts argued that encryption with a backdoor is the same as no encryption because anyone with the technical skills can use the built-in security weakness, putting our personal data, bank and credit card transactions, and passwords at risk.
Cellebrite is currently investigating its data breach with plans to shore up its own security. That should help with future attacks, but that doesn’t change the fact that a company with tools to hack into smartphones and bypass encryption was hacked itself—and that underscores Apple’s stance that any tool designed to weaken encryption and privacy will eventually fall into the wrong hands.