The FBI’s sudden, unexpected request to delay its court hearing against Apple on Monday — it has supposedly found a new potential method of unlocking the phone — has raised a slew of additional questions. Chief among them: What is the method, and who is the third party helping the FBI?
While the former question is still unanswered, the answer to the latter is reportedly the Israeli cybersecurity firm Cellebrite, characterized by Recode as “a leader in extracting information from mobile devices.” (The original report, from Israeli site Ynetnews, can be read here. Ynetnews is a subsidiary of the Israeli newspaper Yedioth Ahronoth, which, according to cybersecurity reporter Joshua Kopstein, has been “known to give free publicity to Israeli [companies].”)
Founded in 1999, Cellebrite serves “customers in the intelligence, public safety, military and enterprise industries with industry-leading, award winning mobile forensics solution components.”
Cellebrite has not commented on whether it is working with the FBI on cracking Syed Farook’s phone, but it does market a line of products called UFEDs (Universal Forensics Extraction Devices), which can supposedly unlock phones running iOS 8 or earlier. Farook’s phone is running iOS 9, so while the company’s current public tools can’t unlock the phone, it likely is, or was, working on a method.
Cellebrite is not new to working with the FBI. According to public records reviewed by Motherboard, the FBI has ordered more than $2 million worth of equipment from them since 2012.
There has been some speculation about the method being used to access the phone, the most prevalent theory being mirroring of the NAND chips in the phone (NAND here refers to NAND flash memory, the phone’s storage chips, named after the NAND logic gate that computers use). As cybersecurity expert Jonathan Zdziarski explains:
“Most of the tech experts I’ve heard from believe the same as I do – that NAND mirroring is likely being used to some degree to brute force the pin on the device. This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a CD burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations. It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”
In other words, NAND mirroring is like a very complicated undo button that prevents the phone from logging incorrect passcode attempts, which would otherwise eventually wipe the phone completely. But of course, don’t expect the FBI to confirm any of these details anytime soon.