FBI Turns to Cellebrite to Unlock Syed Farook’s iPhone


The mysterious third party helping the FBI hack into the San Bernardino shooter's iPhone 5c is apparently Cellebrite, and not the NSA. The FBI said on Monday it had outside help working on breaking into the iPhone, which led to speculation as to exactly who that might be.

Image caption: FBI looks to Cellebrite to unlock San Bernardino shooter's iPhone

A source speaking with Ynet News said Cellebrite, which the FBI has worked with before, offered a potential way into the iPhone, but gave no details as to what that might be.

The FBI has been trying to get at the encrypted data as part of its investigation into last December's mass shooting, in which Syed Farook and Tashfeen Malik killed 14 of their coworkers and injured 22 others. The iPhone was recovered from Mr. Farook after the two were killed in a shootout with police.

Apple helped the FBI recover as much data as they could from iCloud backups, but doesn't have any way to bypass the passcode encrypting the iPhone's data. The FBI turned to the courts for an order compelling Apple to create a version of iOS that didn't have the safeguards preventing brute force attacks on passcodes, and Apple responded by calling the order a government overreach.

Apple also filed a motion to vacate the order along with a formal complaint objecting. Apple and the FBI had been scheduled to appear in court on Tuesday to defend their arguments, but that's now on hold while the FBI tries out its new hack. The agency will report back to the court on April 5th with a status update.

The FBI's revelation that it's getting help from outside Apple couldn't have come at a better time. The agency has been losing public support for the unlock order, and the arguments it would've presented at the now postponed hearing didn't seem nearly as strong as Apple's.

With the hearing on hold, the big question now is exactly how the FBI plans to hack into Mr. Farook's iPhone. The FBI doesn't want to try data extraction techniques that would destroy the iPhone, so based on what's known about the available options, Cellebrite is most likely using what's known as NAND mirroring: duplicating the iPhone's encrypted flash contents so they won't be lost.

Cellebrite will make multiple copies of the iPhone's storage chip so they can be restored when the ten-passcode-try limit is hit. At that point, they restore the erased data from a fresh copy and keep trying.

Security researcher Jonathan Zdziarski thinks that's what Cellebrite has planned, and that the FBI wanted a couple of weeks to sort out the details. He said,

The leading theory at present, based on all of this, is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip's contents back to the device in order to brute force the pin – and may or may not also be using older gear from iOS 8 techniques to do it. The two weeks the FBI has asked for are not to develop this technique (it's most likely already been developed, if FBI is willing to vacate a hearing over it), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units.

If the technique doesn't work, the FBI will have to decide if it wants to continue pursuing the court order forcing Apple to create a less secure version of the iPhone operating system. If it does work, however, that'll bring an end to the FBI's fight—but it won't end the government's push to get access to our private and encrypted data. We're still facing potential laws requiring tech companies to give law enforcement access to encrypted data, and there will be more court cases pushing for ways into our smartphones, too.



Lee Dronick

  Cellebrite will make multiple copies of the iPhone’s storage chip so they can be restored when the ten passcode try limit is hit. At that point, they restore the trashed data with a fresh copy and keep trying.

And how many copies of the chip may be necessary? It could be as many as 1,000, I think.


A thought (and I don’t know if it would work):
Copy the entire encrypted contents of the iPhone and put it on a virtual iPhone on a test box. Then they could start trying codes. When one copy locks out, they just restore with a fresh copy and keep going. This would also let them try multiple password groups on multiple virtual iPhones, making the unlocking process that much quicker. Then when they find the right key, they either access the data on the virtual iPhone or go back to the original, assuming they didn’t have to destroy it to extract the encrypted data, and unlock it.
Would this be feasible?


As far as the NSA is concerned, it’s important to remember that it is part of the military. CIA is civilian but NSA is military and there are certain things that the military can’t do within the U.S.

Many laws have changed since 9/11 and it may be that involvement in this case would be legal, since it is classified as “terrorism”. But I don’t know. And it may be that those who do can’t say.


I wonder if they have a finger-robot to try the combinations?


I got a finger robot for them.
Only needs one actuator


Ha, ha, ha! :D

Scott B in DC

@Lee Dronick: “And how many copies of the chip may be necessary? It could be as many as 1,000, I think.”

No… they need two: one to preserve and one to play with. Everything else can be copied!

As for this story, do you really know the truth? Is this really the reason? Do you know what the FBI knows or has done in order to resolve their issue? There is a lot of rumor and hearsay. Don’t believe everything you read on the Internet!


@geoduck My guess is that you can’t do the unlock attempts in a virtual machine / simulator because the passcode is not used as the encryption key but just to allow access to the full encryption key stored on the device. So they would have to be able to copy that out of the device and put it in the simulator. I don’t know enough about how this works to know if you can insert that into Apple’s iOS simulator. But I assume they must be able to copy whatever has that full encryption key, yet for some reason cannot directly read it, since the easiest way to wipe a phone would be to just delete the encryption key. But if you could just copy out that key and run it through a simulator to crack it we wouldn’t have this big argument over how hard it is to unlock an iPhone so there has to be some other piece to the security that makes it harder. Therefore I assume you can’t just copy it into an iOS simulator to crack but need to make a backup and then try cracking it on the actual device itself and restore from the backup periodically.
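The following toy model is an added illustration, not code from the article, from Cellebrite or from Apple. It models two points made on this page: the NAND-mirroring loop the article describes (copy the flash, let the ten-try limit erase the data, restore the copy and keep guessing), and the reasoning in the comment above that the passcode is not the data key itself but is tangled with a per-device secret that cannot be read out, so guessing cannot simply move to a simulator. Every key, the key-wrapping scheme, the four-digit passcode space and the class names are made-up simplifications. The design point for defenders is the second device variant: a failed-attempt counter stored in the same rewritable flash that gets mirrored is reset by the restore, while a counter anchored in hardware outside the mirrored storage is not.

```python
"""Toy model of a passcode retry limit versus flash mirroring (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ERASE_AFTER = 10  # the ten-try limit the article describes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Flash:
    """Rewritable NAND contents: wrapped data key, a check value and (in the
    weak design) the failed-attempt counter. This is what a mirror copies."""
    wrapped_key: Optional[bytes]
    check: bytes
    failures: int = 0

    def copy(self) -> "Flash":
        return Flash(self.wrapped_key, self.check, self.failures)


class Device:
    """Hypothetical device: a per-device UID that never leaves the chip, NAND
    flash, and optionally a monotonic counter kept outside the flash."""

    def __init__(self, passcode: str, counter_in_hardware: bool):
        self.uid = os.urandom(32)            # fused secret; not exportable
        self.counter_in_hardware = counter_in_hardware
        self.hw_counter = 0                  # lives outside the mirrored flash
        data_key = os.urandom(32)
        wrapped = _xor(data_key, self._kek(passcode))
        self.flash = Flash(wrapped, hashlib.sha256(data_key).digest()[:8])

    def _kek(self, passcode: str) -> bytes:
        # The passcode is tangled with the UID, so unwrapping must run on this device.
        return hmac.new(self.uid, passcode.encode(), hashlib.sha256).digest()

    def failures(self) -> int:
        return self.hw_counter if self.counter_in_hardware else self.flash.failures

    def _record_failure(self) -> None:
        if self.counter_in_hardware:
            self.hw_counter += 1
        else:
            self.flash.failures += 1

    def try_passcode(self, passcode: str) -> Optional[bytes]:
        """Return the data key on success, None otherwise; erase at the limit."""
        if self.failures() >= ERASE_AFTER:
            self.flash.wrapped_key = None    # limit reached: erase and refuse
            return None
        if self.flash.wrapped_key is None:
            return None                      # already erased
        candidate = _xor(self.flash.wrapped_key, self._kek(passcode))
        if hashlib.sha256(candidate).digest()[:8] == self.flash.check:
            return candidate
        self._record_failure()
        if self.failures() >= ERASE_AFTER:
            self.flash.wrapped_key = None    # the "trashed data" the article mentions
        return None

    def restore_flash(self, image: Flash) -> None:
        """Write a mirrored NAND image back. A hardware counter is untouched."""
        self.flash = image.copy()


def simulate_guessing(dev: Device, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Model of the mirror-and-restore loop. Returns (passcode or None, attempts)."""
    mirror = dev.flash.copy()                # image taken before any guessing
    attempts = 0
    for pc in candidates:
        if dev.flash.wrapped_key is None:    # limit was hit and data erased
            dev.restore_flash(mirror)        # resets only a flash-resident counter
            if dev.failures() >= ERASE_AFTER:
                return None, attempts        # hardware counter still at limit
        attempts += 1
        if dev.try_passcode(pc) is not None:
            return pc, attempts
    return None, attempts


def offline_unwrap(image: Flash, passcode: str, guessed_uid: bytes) -> bool:
    """Without the real UID a copied image cannot be unwrapped, so the guessing
    cannot move off the device into a simulator (the point made in the comment)."""
    kek = hmac.new(guessed_uid, passcode.encode(), hashlib.sha256).digest()
    candidate = _xor(image.wrapped_key, kek)
    return hashlib.sha256(candidate).digest()[:8] == image.check
```

With the counter in flash, `simulate_guessing` walks through the whole four-digit space because every erase is undone by a restore; with the counter in hardware the same loop stops after ten failures, and even the correct passcode is then refused. That is the property a retry limit has to have to mean anything: the counter must live somewhere the mirrored storage does not include.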
