Thanks to reporting by Forbes writer Thomas Fox-Brewster, it now looks like the U.S. government has been able to access the data on every model of iPhone in existence since at least November of 2017.
Fox-Brewster writes about the Israeli-based security firm Cellebrite. In a warrant obtained by Forbes, Fox-Brewster found that November of last year, the U.S. government sent an iPhone X in the possession of a suspected arms dealer to Cellebrite in order for the company to extract information from it.
Cellebrite quietly advertises its own capabilities in this PDF file, writing that it can break the security of all “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” This would, of course, include the iPhone 8 and the iPhone X.
It should be said that the process isn’t as simple as Cellebrite running some code on your phone. Instead, clients ship phones to the company, where it uses its proprietary methods to unlock the iOS device in question. (If Cellebrite released its exploit as a software solution — assuming it is a software solution — Apple could quickly move to counteract whatever method Cellebrite is using.)
Apple and the U.S. government have a long history of wrangling over the privacy of iPhones. The FBI famously demanded that Apple unlock the iPhone of man who went on a shooting rampage in San Bernardino, California, with Apple successfully fighting off the legal challenge. It was later confirmed that the FBI simply paid $900,000 to have a security firm unlock the phone. Cellebrite, by comparison, is a relative bargain — it charges only $1,500 per phone.
Security expert Bruce Schneier adds a few caveats to Fox-Brewster’s reporting:
The story I hear is that Cellebrite hires ex-Apple engineers and moves them to countries where Apple can’t prosecute them under the DMCA or its equivalents. There’s also a credible rumor that Cellebrite’s mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.
To elaborate a bit on Schneier’s comments, Cellebrite’s secret may simply be that it allows for brute-force attempts on iPhones. If I grab your iPhone out in the wild and attempt every possible six-digit PIN — in other words, the exactly 1 million possible combination of numbers you could use — your iPhone will lock itself down after ten failed attempts (and, depending on your security settings, erase itself). If Cellebrite has found a way to bypass that lockdown mechanism, unlocking an iPhone with a six-digit PIN via automated methods is relatively trivial. But your six-digit PIN isn’t the only way to protect your iPhone — you can always choose to set a custom alphanumeric code.
And things get exponentially harder when you start allowing for numbers and letters and special characters to be used: While there are 1 million combinations if you allow for a number-only six-digit PIN, there are over 735 billion possible combinations if you use a six-digit alphanumeric code. And Apple’s alphanumeric codes don’t need to be only six digits. Create an eight-digit alphanumeric password, and you’ve got a 6.63 quadrillion possible passwords. Even simply using a long lowercase phrase with dashes that’s easy to remember, like, say, “water-plants-daily-or-they-die” would be a 30-digit password, with each digit having 27 possible combinations. Doing the math, 27 to the 30th power is about 8.72 tredecillion possible combinations. A tredecillion is a one followed by 42 zeroes. That’s a lot of possible combinations, a number so high, it would be impossible for anyone, man or machine, to crack manually. (Assuming you entered one password by hand every second, you’d start to home in on the answer near the eventual heat death of the universe.)
In other words, if you think your phone might be seized by federal authorities — or you’re just the sort of person who enjoys pretending that you’re in the movie Sneakers — set up an alphanumeric password.