Leaf&Core

Cellebrite Claims They Can Unlock Any iPhone

Reading Time: 4 minutes.

An image from Cellebrite explaining how they can hack into iOS and Android devicesLast week, Cellebrite, a law enforcement and military contractor out of Israel, claimed they were able to unlock any smartphone, including any iPhone. They call it their “Universal Forensic Extraction Device” (UFED). Their UFED Premium service is supposedly able to unlock even the newest iPhones running the latest software. Their claims are unique. No other hacking service is making the same promises. Cellebrite claims they can now get into just about any device. That’s most versions of Android as well as any iOS device. Perhaps worst of all, they won’t reveal their methods or their clients. That means I can’t tell you how to protect yourself, or if you even can.

Cellebrite claims their methods are only available to law enforcement agencies, but the exploit, like all others, will likely leak. While Cellebrite profits off of their “gray hat” hacking, smartphone users around the world could be in danger. This makes users a greater target for theft, hacking, extortion, and could put people in trouble with their governments.

UFED Premium

Obviously, the same methods to unlock an Android device won’t work on an iPhone. They’re different operating systems and even use different hardware. However, Cellebrite claims their hacking techniques lead to the same results on either operating system: a “forensically sound full file-system extraction.” They claim to have cracked “high-running” Android devices, but seem to only have Samsung devices cracked. As this is the largest Android manufacturer, this is still substantial.

Interestingly, for the Samsung/Android device, Cellebrite claims they can do a “physical” file system extraction, whatever that is. It also states that they can “bypass or determine locks,” which makes it sound as though they’ve completely cracked Samsung’s security. Cellebrite also claims they can recover deleted information from the device.

For the iPhone, it seems as though their unlock still comes down to guessing passcodes. However, their method now includes “sophisticated algorithms to minimize unlock attempts.” This doesn’t sound promising (for them). It’s possible that their iPhone unlocking is nothing more than guessing numbers. Of course, with a person’s personal information, such as their date of birth, loved ones’s birthdays, or social security number and a variety of commonly used passcodes like 0000, 1111, 1234, and 5683 (love),it could still be effective. However, they may have other methods at their disposal that make these standard password extraction techniques more reliable.

Why Should We Worry?

There’s a reason our constitution protects us from unwarranted search and seizure. We need those protections to keep us safe and our private lives private. Yes, sometimes this helps criminals. But it protects law abiding citizens far more frequently than criminals, and we outnumber criminals by a wide margin.

However, we’ve already seen that law enforcement oversight is dreadfully inefficient. Police get away with crimes a citizen could never dream of. Those crimes are often abusive, including rape of inmates, stealing private photos from their phones, and more. If police have tools on hand that can unlock devices without the need for a warrant, nothing they do can be trusted.

In some countries, your government will be even less reliable. You could live somewhere where your religion, heritage, sexuality, or gender identity could put you behind bars or worse. The only thing protecting your secret will be your phone. But if a Russian or Saudi Arabian official wants your private information to figure out whether or not you’re gay, you’re going to pray they don’t have Cellebrite’s tools.

For just $100 plus shipping, you can have this “police-only” hacking tool!

And these are just the “legitimate” uses of Cellebrite’s services. What about the illegal ones? You can already buy a number of Cellebrite’s tools online. The market is flooded with their tech, and their UFED Premium tool will be no different. Thieves can unlock phones with all the same tools as law enforcement. That’s why “gray hat” hacking is just as unethical as “black hat” hacking. Both create victims. “Gray hat” hackers like Cellebrite just profit off of the secondhand sales of their products who use them to steal, rather than actual theft. But the distinction is a small one.

What You Can Do

If you’re an iPhone owner, the most important thing you can do is use a longer passcode. I can’t stress this enough. Use at least a 10 digit passcode. Any sequence of numbers you can come up with. Eventually, you’ll remember them. It’s a small price to pay, but it won’t just protect you from law enforcement, but also thieves. If your device is about to be taken away, press the lock button 5 times rapidly. This will set off an alarm and turn off Face ID. You can also hold the lock button and a volume button for 2 seconds. This won’t have an alarm, but it will turn off Face ID.

For Android users, first and foremost, turn off any biometric security. Face scanning, retina scanning, all of it. Just turn it off. Android is not very secure when it comes to these unlocking methods. Samsung’s face unlock, for example, can be fooled by a photo of you. Follow the same advice I gave for the iPhone, or, preferably, come up with a unique swipe pattern. Use one that crosses over the same point more than once, making it trickier for anyone to determine the pattern from your finger grease on the screen. Memorize it, write it down if you must, but destroy any physical copies after you’ve got it memorized. I’m not sure this would be enough for Android devices though. Cellebrite’s claims are far more extreme with Android than iOS.

No matter what OS you’re using, take steps to protect yourself. You never know when someone will try to pry into your device for your secrets, bank accounts, or to extort money from you. You could also be the victim of a fraudulent police or government investigation. Protect yourself with good security practices, and you’ll improve your chances.


Sources:
Exit mobile version