But the exact capabilities depend on both the model of the iPhone and the version of iOS it is running. We managed to get access to the user documentation for a recent version of the kit to see what it can do …
Cellebrite makes a range of hardware and software kits designed to unlock both iPhones and Android smartphones, and extract most of the data on them.
Some versions are sold to commercial companies, while Cellebrite Premium is – in theory – sold only to law enforcement agencies. However, the exact position is unclear. For example, the company recently revealed that it has over 2,800 US government customers, many of which would not fall within what one would normally think of as ‘law enforcement.’
Investigators with the US Fish and Wildlife Service frequently work to thwart a variety of environmental offenses, from illegal deforestation to hunting without a license. While these are real crimes, they’re not typically associated with invasive phone hacking tools. But Fish and Wildlife agents are among the increasingly broad set of government employees who can now break into encrypted phones and siphon off mounds of data with technology purchased from the surveillance company Cellebrite […]
The list includes many that would seem far removed from intelligence collection or law enforcement, like the departments of Agriculture, Education, Veterans Affairs, and Housing and Urban Development; the Social Security Administration; the U.S. Agency for International Development; and the Centers for Disease Control and Prevention.
Other Cellebrite clients include bluechip companies wanting to conduct internal investigations, and cybersecurity companies.
Cellebrite Premium kit
The flagship phone cracking kit offered by the company is known as Cellebrite Premium. This is a hardware and software package comprising:
- Cellebrite Premium laptop, with pre-installed software
- Android Adapter
- iOS Adapter
- iOS Adapter (AFU version, for use after the phone has been powered off)
- A complete set of cables and carrying bag
- A hardware license dongle, without which the software won’t run
The software allows users to extract either specific target data (for example, Messages or photos) or the complete filesystem, which contains almost all user data – including Keychain passwords, which then gives the user the ability to access most services you use. Here’s what the company says about it:
By performing full-file system and physical extractions, you can get much more data than what is possible through a logical extraction, and access highly protected areas such as the iOS Keychain or the Secure Folder.
Accessing 3rd party application data, stored passwords and tokens, chat conversations, location data, email attachments, system logs, as well as deleted content, increases your chances of finding the incriminating evidence.
Cellebrite iPhone cracking capabilities
Back in February, the company kept its most advanced capabilities in-house, but the webpage relating to this has since disappeared, and it seems from the documentation we’ve reviewed that Cellebrite Premium can now do everything that CAS used to do.
We should note that the documentation we have obtained pre-dates the launch of the iPhone 13, and at that time the company apparently had no ability to access the iPhone 12 either.
Cellebrite Premium can unlock and gain access to the full filesystem of the following models of phone even when protected by a passcode, with the unlocking time dependent on the complexity of the passcode. It doesn’t matter which supported iOS version the phone is running – the company can unlock the device and access everything.
- iPhone 4S*
- iPhone 5*
- iPhone 5S*
- iPhone 6
- iPhone 6S
- iPhone SE
- iPhone 7
- iPhone 8
- iPhone X
*Interestingly, in-house unlocking is required for these three models if they are running iOS 5 or iOS 6, while Cellebrite Premium allows clients to unlock devices directly if running iOS 7 or later.
The reason these models can be cracked regardless of iOS version is because of unpatchable vulnerabilities in these models. One of these was revealed with the checkm8 exploit, and another flaw discovered in the Secure Enclave later the same year. This too cannot be patched.
There are three models of iPhone the kit can unlock if they are running any version of iOS up to iOS 13.7.
- iPhone XR
- iPhone XS
- iPhone 11
The same three models running iOS 14 or iOS 15 cannot be unlocked by the company, either with Cellebrite Premium or the company’s in-house resources. However, if clients have the passcode of the phone, then full filesystem access is available.
- iPhone XR (iOS 14 or 15)
- iPhone XS (iOS 14 or 15)
- iPhone 11 (iOS 14 or 15)
Law enforcement may or may not have the power needed to force a suspect to reveal their passcode – this depends on the country and the jurisdiction.
Brute-force unlocking is very time-consuming
Unlocking devices requires the kit to brute-force passcodes. This relies on being able to disable the lockouts Apple applies to repeated passcode attempts, but even so is a slow process due to delays imposed prior to complete lockout.
The company warns that the process can be very time-consuming, with one example in the user guide referencing a rate of a little over 100 attempts per day.
However, the kit does allow users to enter any personal data they have for the phone’s owner, such as date of birth, and other important dates, such as a significant other’s birthday. These will be used to generate initial attempts, before resorting to brute-force. This information serves to underline the importance of protecting even relatively trivial personal data.
Cellebrite brute-force unlocking used to require the phone to be left connected to the kit until it succeeded. Cellebrite Premium, however, provides an autonomous mode, where the phone can be disconnected once the attack is underway. This is because the kit manages to install the software running the attack directly on the iPhone itself, even though the phone is locked.
Cellebrite’s autonomous bruteforce capability runs an automated dictionary attack directly on the device itself. After the process is initiated, the target device can be disconnected from Cellebrite Premium, therefore allowing the autonomous bruteforce process to run on multiple devices simultaneously.
It’s worth stressing that all Cellebrite attacks require physical access to the phone, unlike NSO Pegasus spyware, which can be deployed remotely, including zero-click options.
Author: Ben Lovejoy